suspending a process when audit resource are not available
Chris Wright
chrisw at osdl.org
Wed Dec 15 02:56:47 UTC 2004
* Mounir Bsaibes (bsaibes at us.ibm.com) wrote:
> One of the CAPP requirements and probably the LSPP as well is when audit
> records cannot be generated, for a particular process, the process need to
> be halted. the current audit system, depending on the failure flag can
> either, 1) do nothing 2) print a kernel message or 3) issue a panic. I am
> thinking of adding a 4) option for the failure flag to suspend the
> process. If the failure flag is set to "suspend" and the audit_log_lost
> function is called the process will be suspended by issuing a sigsuspend
> call.
This adds a requirement to the calling location, namely that it can
sleep. I don't think that requirement is safe without some code
auditing. Also, I don't recall that all audit_log_lost callers are in
the relevant context.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
More information about the Linux-audit
mailing list