[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit audtid's syscall?

On Thursday 03 February 2005 08:29, Junji Kanemaru wrote:
> I wonder if it is needed to audit auditd's syscalls. 

This is configurable by the auditctl rules. If the system admin wants it, he 
can get it. If not, he can add a rule not to log it.

> For example if I want to audit like "write,always -S all" then auditd 
> writes log and it causes another write call and it causes audit to log and
> it causes auditd writes log and so on...

I think this is expected.

> I briefly looked into kernel audit code but there's no check(I could be
> wrong). In some extreme situation it will cause kernel panic in kernel 
> audit code 'cuz no memory. Try "exit,always -S all".

I think Chris added a patch that helps a little with out of memory conditions. 
There is also other audit subsystem control parameters to let you limit the 
rate at which packets are sent and how many buffers it should setup.

> So, I'd like to suggest that 1)we should have some option to disable
> audit for auditd's pid 

auditctl -a entry,never -S all -F pid=XXXX

This rule should be at the top of the list. I believe they are "executed" from 
top to bottom like iptables does.

> 2)add option to use netlink_broadcast for kernel 
> audit error log instead of printk(KERN_ERR) because printk(KERN_ERR)
> causes syslog write.

I don't want the audit log polluted with kernel error messages. I think they 
belong in syslog.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]