Re: [PATCH][RFC] audit: set wait time to zero when audit failed

Li,Rongqing lirongqing at baidu.com
Thu Sep 19 07:12:40 UTC 2019



> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: September 19, 2019 10:34
> To: Li,Rongqing <lirongqing at baidu.com>
> Cc: Paul Moore <paul at paul-moore.com>; linux-audit at redhat.com
> Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
> 
> On Thu, 19 Sep 2019 01:50:05 +0000
> "Li,Rongqing" <lirongqing at baidu.com> wrote:
> 
> > No need for knobs, auditctl can change the backlog length and wait time.
> > And it is helpless to change the backlog length if auditd is hung
> > forever, as a task can be hung forever due to a disk/filesystem
> > abnormality, etc.
> >
> > I am saying the audit default behavior is changed. I truly met
> > the issue as described in the below commit; if we can make the change,
> > others can avoid this issue.
> 
> I'd like to offer an opinion because this is a long-term issue that we have faced,
> and what exists is the result of having to meet certain requirements.
> 
> If the machine boots with audit=0, which I think is default, then the end user
> has no expectation of audit ever being in use. Audit events may be discarded if
> the backlog fills up.
> 
> If however the machine boots with audit=1, then the user is expecting that
> there will eventually be an audit daemon and they want all events.
> All of them without fail. So, we have to take all measures to deliver those
> events because this is required by common criteria as well as other security
> standards such as PCI-DSS.
> 

Ok, I see

Thanks

-RongQing


> So, there are 2 paths. One which does not care about audit and one that does.
> The original behavior did not meet requirements. If there is any patch that fixes
> this, it would be to not have an audit backlog wait time if audit has never been
> enabled. We have to be careful to consider audit never enabled, audit disabled
> but previously enabled, and audit enabled.
> 
> HTH...
> 
> -Steve
