[PATCH][RFC] audit: set wait time to zero when audit failed
Steve Grubb
sgrubb at redhat.com
Thu Sep 19 02:33:44 UTC 2019
On Thu, 19 Sep 2019 01:50:05 +0000
"Li,Rongqing" <lirongqing at baidu.com> wrote:
> No need knobs, auditctl can change the backlog length and wait time.
> And it is helpless to change the backlog length if auditd is hung
> forever, as a task can be hung forever due to disk/filesystem's
> abnormal, etc
>
> I am saying the audit default behaviors which is changed, I truly
> meet the issue as description of the below commit, if we can make
> change, other can avoid this issue.
I'd like to offer an opinion because this a long term issue that we
have faced and what exists is the result of having to meet certain
requirements.
If the machine boots with audit=0, which I think is default, then the
end user has no expectation of audit ever being in use. Audit events
may be discarded if the backlog fills up.
If however the machine boots with audit=1, then the user is expecting
that there will eventually be an audit daemon and they want all events.
All of them without fail. So, we have to take all measures to deliver
those events because this is required by common criteria as well as
other security standards such as PCI-DSS.
So, there are 2 paths. One which does not care about audit and one
that does. The original behavior did not meet requirements. If there is
any patch that fixes this, it would be to not have an audit backlog
wait time if audit has never been enabled. We have to be careful to
consider audit never enabled, audit disabled but previously enabled,
and audit enabled.
HTH...
-Steve
More information about the Linux-audit
mailing list