Handling disk full & No Kernel resources

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Wed Jan 5 17:10:45 UTC 2005


On Wed, 05 Jan 2005 09:09:14 CST, Mounir Bsaibes said:

> Whenever the disk full (or log reached its limit) is detected the
> auditd sends an AUDIT_SUSPEND message to the kernel. On receipt of
> this message the kernel will set a flag "disk_full_flag". If this
> disk_full_flag is set audit_log_start will call audit_suspend to
> queue the process in a wait queue. Whenever the disk_full_flag is
> reset all the processes in the wait queue will be rescheduled.

Actually, you need to play some *very* careful games here to prevent
a deadlock - there isn't any action that you can take to *clear* the
'disk/log full' situation that shouldn't itself generate audit records.
(I'm assuming that most sane auditors would have a cow if they found that
the audit system didn't record things like "audit file truncated/wrapped"
and similar events).

Probably some hand-waving needs to happen, figuring out how many audit
records we generate for various methods of clearing the problem, and actually
send the AUDIT_SUSPEND when there's still enough space in the current log
to write the records.  We may also need to pre-allocate disk space for the
logfiles (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise
we can still deadlock if we're logging to /var and somebody else snarfs up
that last 4K block of free disk after we've sent AUDIT_SUSPEND but before
we actually do something that generates the records...
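A toy model of the headroom argument above, added here as an illustration and not kernel or auditd code: the record size, the set of recovery records and the preallocation flag are constructed assumptions. It shows that sending AUDIT_SUSPEND only at zero free space leaves the recovery path unable to log its own "file wrapped" records, and that an unreserved log can lose its headroom to another writer on the same filesystem.

```python
from dataclasses import dataclass, field

# Toy model, not kernel or auditd code; sizes and names are assumptions.
RECORD_SIZE = 64  # assumed: every audit record costs this many bytes
# Assumed: records the recovery path itself must emit before resuming
RECOVERY_RECORDS = ("audit_suspend_sent", "audit_file_wrapped", "audit_resumed")


@dataclass
class AuditLog:
    capacity: int                # bytes the log file may grow to
    reserve_records: int = 0     # headroom kept for RECOVERY_RECORDS
    preallocated: bool = False   # space pinned up front (dd-style)
    used: int = 0
    suspended: bool = False
    blocked: list = field(default_factory=list)  # pids parked in wait queue
    written: list = field(default_factory=list)

    def free(self) -> int:
        return self.capacity - self.used

    def _append(self, rec: str) -> None:
        if self.free() < RECORD_SIZE:
            raise RuntimeError(f"deadlock: cannot write {rec!r} to a full log")
        self.used += RECORD_SIZE
        self.written.append(rec)

    def audit_log_start(self, pid: int, rec: str) -> bool:
        """Ordinary audit path: park the process while suspended."""
        if self.suspended:
            self.blocked.append(pid)
            return False
        self._append(rec)
        # auditd's limit check: send AUDIT_SUSPEND while the reserve is intact
        if self.free() < (self.reserve_records + 1) * RECORD_SIZE:
            self.suspended = True
        return True

    def other_fs_user_writes(self, nbytes: int) -> None:
        """Someone else fills /var; our headroom shrinks unless preallocated."""
        if not self.preallocated:
            self.capacity = max(self.used, self.capacity - nbytes)

    def recover(self, new_capacity: int) -> list:
        """Clear the full condition; each step must itself be audited."""
        for rec in RECOVERY_RECORDS:
            self._append(rec)
        self.capacity, self.suspended = new_capacity, False
        woken, self.blocked = self.blocked, []
        return woken
```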
