[redhat-lspp] what happens when something can't be audited?
Steve Grubb
sgrubb at redhat.com
Sat Feb 10 15:24:34 UTC 2007
On Friday 09 February 2007 11:46, Linda Knippers wrote:
> I updated the bugzilla to explain why and to point out that lots of
> trusted programs issue audit records at the completion of some operation
> (they include the results in the audit record) and don't undo the operation
> if issuing the audit record fails.
They should all open the audit socket before performing that operation. They
could call audit_status and see if the audit daemon is registered. But you
would have to have a command line option to tell the program that it should
treat the absence of an audit daemon in a way as to deny the requested
action. Not all users want this behavior.
> We could certainly change cupsd to fail to queue a job or to cancel a job if
> it can't be audited but what about the other programs?
The should all be fixed to do that I suppose. I can add a function to libaudit
that does the status check and returns yes or no if the audit daemon is
registered. Would this help?
-Steve
More information about the redhat-lspp
mailing list