[PATCH][RFC] audit: set wait time to zero when audit failed

Richard Guy Briggs rgb at redhat.com
Thu Sep 19 14:04:59 UTC 2019 

On 2019-09-18 22:33, Steve Grubb wrote:
> On Thu, 19 Sep 2019 01:50:05 +0000
> "Li,Rongqing" <lirongqing at baidu.com> wrote:
> 
> > No need knobs, auditctl can change the backlog length and wait time.
> > And it is helpless to change the backlog length if auditd is hung
> > forever, as a task can be hung forever due to disk/filesystem's
> > abnormal, etc
> > 
> > I am saying the audit default behaviors which is changed, I truly
> > meet the issue as description of the below commit, if we can make
> > change, other can avoid this issue.
> 
> I'd like to offer an opinion because this a long term issue that we
> have faced and what exists is the result of having to meet certain
> requirements.
> 
> If the machine boots with audit=0, which I think is default, then the
> end user has no expectation of audit ever being in use. Audit events
> may be discarded if the backlog fills up.

In fact, the default is neither explicit audit=0 nor audit=1.  The case
above is the default where the audit subsystem is inactive until an
audit daemon registers with the kernel.  In the case of an explicit
kernel command line of audit=0, audit is disabled until reboot and a
daemon cannot register.

> If however the machine boots with audit=1, then the user is expecting
> that there will eventually be an audit daemon and they want all events.
> All of them without fail. So, we have to take all measures to deliver
> those events because this is required by common criteria as well as
> other security standards such as PCI-DSS.
> 
> So, there are 2 paths. One which does not care about audit and one
> that does. The original behavior did not meet requirements. If there is
> any patch that fixes this, it would be to not have an audit backlog
> wait time if audit has never been enabled. We have to be careful to
> consider audit never enabled, audit disabled but previously enabled,
> and audit enabled.
> 
> HTH...
> 
> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list