auditd restart atomic?

Paul Moore paul at paul-moore.com
Tue Feb 7 15:05:49 UTC 2017


On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <pudge at pobox.com> wrote:
> If I restart auditd, can it lose (not record to the logs) events that happen
> during the restart?  Or is the restart (and reload of new rules) essentially
> atomic?

The kernel maintains a backlog queue of audit records when auditd is
not running and attempts to (re)send those records when auditd is
started.  However, the backlog queue size is fixed and it is possible
to overflow the queue; if that happens a message will be sent to the
kernel's ring buffer (dmesg).

-- 
paul moore
www.paul-moore.com

More information about the Linux-audit mailing list
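The backlog behaviour described above can be checked from userspace before a restart. The script below is an added example, not part of the original mail: it assumes the field names printed by `auditctl -s` (`backlog_limit`, `backlog`, `lost`) and the kernel's `audit: backlog limit exceeded` log line, and the status and dmesg text it parses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original mail: assess the kernel audit backlog
# before restarting auditd. Assumes the field names printed by "auditctl -s"
# (backlog_limit, backlog, lost) and the kernel's "audit: backlog limit
# exceeded" log line; the status and dmesg text below are constructed samples.

# Pull one numeric field out of "auditctl -s" style text ($1 = field, $2 = text).
audit_field() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# Classify backlog pressure: "overflowed" if the kernel already dropped records
# (lost > 0), "near_limit" at 80% or more of backlog_limit, otherwise "ok".
backlog_verdict() {
    limit=$(audit_field backlog_limit "$1"); limit=${limit:-0}
    backlog=$(audit_field backlog "$1"); backlog=${backlog:-0}
    lost=$(audit_field lost "$1"); lost=${lost:-0}
    if [ "$lost" -gt 0 ]; then
        echo overflowed
    elif [ "$limit" -gt 0 ] && [ $((backlog * 100)) -ge $((limit * 80)) ]; then
        echo near_limit
    else
        echo ok
    fi
}

# Count kernel ring-buffer lines reporting that the backlog overflowed.
count_overflow_msgs() {
    printf '%s\n' "$1" | grep -c 'audit: backlog limit exceeded' || true
}

# Constructed "auditctl -s" output: not overflowed yet, but close to the limit.
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 7000
backlog_wait_time 60000'

# Constructed dmesg excerpt from a host whose backlog did overflow.
SAMPLE_DMESG='[  100.1] audit: audit_backlog=8193 > audit_backlog_limit=8192
[  100.1] audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=8192
[  100.1] audit: backlog limit exceeded'

# On a live host pass "$(auditctl -s)" and "$(dmesg)" instead of the samples.
echo "backlog: $(backlog_verdict "$SAMPLE_STATUS")"
echo "overflow messages in dmesg: $(count_overflow_msgs "$SAMPLE_DMESG")"
```

If the verdict is `near_limit`, raising the limit with `auditctl -b <n>` before the restart gives the kernel room to hold records while auditd is down; a non-zero `lost` counter means records have already been dropped and the restart window is not the only problem.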