
Re: Handling disk full & No Kernel resources

On Wed, 05 Jan 2005 09:09:14 CST, Mounir Bsaibes said:

> Whenever the disk full (or log reached its limit)  is detected the
> auditd sends an AUDIT_SUSPEND message to the kernel. On receipt of
> this message the kernel will set a flag "disk_full_flag".   If this
> disk_full_flag  is set audit_log_start will call audit_suspend to
> queue the process in a wait queue. Whenever the disk_full_flag is
> reset all the processes in the wait queue will be rescheduled.

Actually, you need to play some *very* careful games here to prevent
a deadlock - there isn't any action that you can take to *clear* the
'disk/log full' situation that shouldn't itself generate audit records.
(I'm assuming that most sane auditors would have a cow if they found that
the audit system didn't record things like "audit file truncated/wrapped"
and similar events).

Probably some hand-waving needs to happen, figuring out how many audit
records we generate for various methods of clearing the problem, and actually
send the AUDIT_SUSPEND when there's still enough space in the current log
to write the records.  We may also need to pre-allocate disk space for the
logfiles (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise
we can still deadlock if we're logging to /var and somebody else snarfs up
that last 4K block of free disk after we've sent AUDIT_SUSPEND but before
we actually do something that generates the records....

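The headroom and pre-allocation idea from the reply above, as an added example that is not part of the original message or of the audit code base. It uses posix_fallocate() in place of the dd invocation mentioned in the message; the function names, MAX_RECORD_BYTES, RECOVERY_RECORDS and the sample sizes are all assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed figures, not taken from the audit code base. */
#define MAX_RECORD_BYTES 1024 /* worst-case size of one audit record */
#define RECOVERY_RECORDS 8    /* records emitted while rotating or truncating */

/* Bytes kept back so the recovery action itself can still be audited. */
off_t reserve_bytes(void) { return (off_t)MAX_RECORD_BYTES * RECOVERY_RECORDS; }

/* Reserve real blocks for the whole log up front, so another writer on the
 * same filesystem cannot take the space the reserve depends on.
 * Returns an open fd, or -1 on failure. */
int prealloc_log(const char *path, off_t log_limit)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    if (posix_fallocate(fd, 0, log_limit) != 0) { /* returns errno value */
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 when writing next_record would eat into the reserve: this is the point
 * at which to suspend ordinary writers, before the log is actually full. */
int should_suspend(off_t used, off_t next_record, off_t log_limit)
{
    return used + next_record > log_limit - reserve_bytes();
}

/* Records describing the recovery bypass the suspend, but only while they
 * still fit inside the pre-allocated file. */
int recovery_write_fits(off_t used, off_t record, off_t log_limit)
{
    return used + record <= log_limit;
}

int main(void)
{
    printf("suspend at 57000/65536: %d\n", should_suspend(57000, 512, 65536));
    return 0;
}
```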
