[PATCH] audit: add feature audit_lost reset
Steve Grubb
sgrubb at redhat.com
Thu Jan 12 14:58:56 UTC 2017
On Wednesday, January 11, 2017 11:19:42 PM EST Richard Guy Briggs wrote:
> > OK. The code to support this is in svn. However, since we didn't use a
> > feature bit like we normally do, there is absolutely no way to report
> > that the underlying kernel does not support this. It quietly fails and
> > pretends everything is fine. I'd prefer that we had a feature bit to
> > output a proper error message.
>
> Do you still want to switch to CONFIG_CHANGE? (I think that is a good
> idea.)
Sure.
> I agree detecting this feature is a destructive operation requiring an
> existing lost count and checking the positive return code, but not
> impossible, and would prefer a feature bit.
I'd prefer a feature bit so that I can tell people your kernel doesn't support
this. Audit runs on a large variety of kernels.
> As for audit being immutable, I could see an argument to have this
> feature usable even though the config is locked. What's your take?
I can see value in resetting the count even when immutable. Perhaps just use
its logging function, so we don't have a new record type.
-Steve
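The destructive probe Richard describes, written out as an added example (it is not code from this thread, the kernel patch, or audit-userspace). It sends an AUDIT_SET request whose mask carries only the AUDIT_STATUS_LOST bit and then classifies the netlink ack. It assumes a Linux host, CAP_AUDIT_CONTROL, the constants and struct audit_status from linux/audit.h, and that the kernel hands the return value of its AUDIT_SET handler (the old lost count when the reset is supported) back in the error field of the NLMSG_ERROR ack; the enum and function names are mine.

```c
/* Added example, not from the thread or the audit project. Assumes Linux,
 * CAP_AUDIT_CONTROL, and that the AUDIT_SET ack carries the handler's return
 * value: positive = old lost count, negative = -errno, 0 = nothing to say. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_STATUS_LOST
#define AUDIT_STATUS_LOST 0x0040 /* value from current uapi headers (assumption if absent) */
#endif

enum lost_reset_verdict { LOST_RESET_SUPPORTED, LOST_RESET_REJECTED, LOST_RESET_UNKNOWN };

/* Build an AUDIT_SET request that sets only the AUDIT_STATUS_LOST mask bit.
 * Returns the number of bytes written into buf, or -1 if buf is too small. */
int build_lost_reset_request(unsigned char *buf, size_t buflen, unsigned int seq)
{
    size_t len = NLMSG_SPACE(sizeof(struct audit_status));
    struct nlmsghdr *nlh;
    struct audit_status *st;

    if (buflen < len)
        return -1;
    memset(buf, 0, len);
    nlh = (struct nlmsghdr *)buf;
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(struct audit_status));
    nlh->nlmsg_type = AUDIT_SET;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    nlh->nlmsg_seq = seq;
    st = (struct audit_status *)NLMSG_DATA(nlh);
    st->mask = AUDIT_STATUS_LOST; /* no other mask bits, so nothing else changes */
    return (int)len;
}

/* Interpret the ack's error field. A positive value is the old lost count
 * (reset supported and performed); a negative value is -errno (e.g. -EPERM);
 * 0 is ambiguous: the count was already 0, or an older kernel silently ignored
 * the unknown mask bit. That ambiguity is the "quietly fails" case. */
enum lost_reset_verdict classify_ack(int ack_error, int *old_lost)
{
    *old_lost = ack_error > 0 ? ack_error : 0;
    if (ack_error > 0)
        return LOST_RESET_SUPPORTED;
    if (ack_error < 0)
        return LOST_RESET_REJECTED;
    return LOST_RESET_UNKNOWN;
}

int main(void)
{
    unsigned char req[NLMSG_SPACE(sizeof(struct audit_status))];
    unsigned char rep[NLMSG_SPACE(sizeof(struct nlmsgerr)) + 256];
    struct sockaddr_nl addr;
    struct nlmsghdr *nlh;
    struct nlmsgerr *err;
    int fd, len, old = 0;

    memset(&addr, 0, sizeof addr);
    addr.nl_family = AF_NETLINK;
    fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { perror("socket"); return 1; }
    len = build_lost_reset_request(req, sizeof req, 1);
    if (sendto(fd, req, len, 0, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("sendto"); return 1;
    }
    len = (int)recv(fd, rep, sizeof rep, 0);
    if (len < 0) { perror("recv"); return 1; }
    nlh = (struct nlmsghdr *)rep;
    if (!NLMSG_OK(nlh, (unsigned int)len) || nlh->nlmsg_type != NLMSG_ERROR) {
        fprintf(stderr, "unexpected reply type %u\n", nlh->nlmsg_type); return 1;
    }
    err = (struct nlmsgerr *)NLMSG_DATA(nlh);
    switch (classify_ack(err->error, &old)) {
    case LOST_RESET_SUPPORTED:
        printf("kernel supports lost reset; old lost count was %d\n", old); break;
    case LOST_RESET_REJECTED:
        printf("kernel rejected AUDIT_SET: %s\n", strerror(-err->error)); break;
    default:
        printf("ack 0: lost was already 0 or this kernel ignores AUDIT_STATUS_LOST\n");
    }
    close(fd);
    return 0;
}
```

The 0 ack is the problem the thread is about: a caller cannot tell "nothing was lost" from "the mask bit was ignored", which is why Steve wants a feature bit rather than this probe. The probe is also not free: on a kernel that does support the reset it zeroes a real lost count and logs a CONFIG_CHANGE record as a side effect, so run it only when you intend to reset.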