Handling disk full & No Kernel resources
Steve Grubb
sgrubb at redhat.com
Wed Jan 5 17:55:11 UTC 2005
On Wednesday 05 January 2005 12:10, Valdis.Kletnieks at vt.edu wrote:
> (I'm assuming that most sane auditors would have a cow if they found that
> the audit system didn't record things like "audit file truncated/wrapped"
> and similar events).
The audit daemon can't wrap files.
> Probably some hand-waving needs to happen, figuring out how many audit
> records we generate for various methods of clearing the problem, and
> actually send the AUDIT_SUSPEND when there's still enough space in the
> current log to write the records.
You should be able to do this. There's a config parameter space_left_action
which lets you tell it what you want it to do.
> We may also need to pre-allocate disk space for the logfiles
> (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise
> we can still deadlock if we're logging to /var and somebody else
> snarfs up that last 4K block of free disk after we've sent
> AUDIT_SUSPEND but before we actually do something that generates
> the records....
The log file descriptor is opened in the append mode as a safety precaution. I
would recommend that anyone this paranoid should log to a partition set aside
just for audit logs.
-Steve Grubb
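
An added example, not part of the original message or the audit project's code: a small checker that reads auditd.conf-style text and reports whether the low-space actions and log placement discussed above are configured. It goes slightly beyond the message by also checking `disk_full_action`; the function names, the sample configurations, and the rule that a dedicated partition is mounted directly on the log directory are assumptions made for this illustration.

```python
import os

def parse_auditd_conf(text):
    """Parse auditd.conf-style 'key = value' lines; keys are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf

def review_disk_handling(conf, is_mount=os.path.ismount):
    """Return findings about low-space handling and log placement."""
    findings = []
    for key in ("space_left_action", "disk_full_action"):
        action = conf.get(key, "").lower()
        if not action:
            findings.append(f"{key} is not set explicitly")
        elif action == "ignore":
            findings.append(f"{key} = ignore: the daemon does nothing as space runs out")
    log_file = conf.get("log_file")
    if not log_file:
        findings.append("log_file is not set")
    elif not is_mount(os.path.dirname(log_file)):
        # Assumption: a dedicated partition is mounted directly on the log directory.
        findings.append(f"{os.path.dirname(log_file)} is not its own mount point")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = """
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = IGNORE
"""
HARDENED = """
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SUSPEND
disk_full_action = SUSPEND
"""

if __name__ == "__main__":
    # The mount check is stubbed so the demo runs on any machine.
    print(review_disk_handling(parse_auditd_conf(WEAK), is_mount=lambda p: False))
    print(review_disk_handling(parse_auditd_conf(HARDENED), is_mount=lambda p: True))
```

On a real host, call `review_disk_handling` without the `is_mount` argument so the actual mount table is consulted.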