On Wed, 05 Jan 2005 09:09:14 CST, Mounir Bsaibes said:

> Whenever the disk full (or log reached its limit) is detected the
> auditd sends an AUDIT_SUSPEND message to the kernel. On receipt of
> this message the kernel will set a flag "disk_full_flag". If this
> disk_full_flag is set audit_log_start will call audit_suspend to
> queue the process in a wait queue. Whenever the disk_full_flag is
> reset all the processes in the wait queue will be rescheduled.

Actually, you need to play some *very* careful games here to prevent a deadlock - there isn't any action that you can take to *clear* the 'disk/log full' situation that shouldn't itself generate audit records. (I'm assuming that most sane auditors would have a cow if they found that the audit system didn't record things like "audit file truncated/wrapped" and similar events).

Probably some hand-waving needs to happen, figuring out how many audit records we generate for various methods of clearing the problem, and actually send the AUDIT_SUSPEND when there's still enough space in the current log to write the records.

We may also need to pre-allocate disk space for the logfiles (with 'dd if=/dev/zero count=N bs=4k' or similar), because otherwise we can still deadlock if we're logging to /var and somebody else snarfs up that last 4K block of free disk after we've sent AUDIT_SUSPEND but before we actually do something that generates the records....
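The deadlock argument above can be checked with a small model. The following is an added example, not code from the linux-audit thread or from the kernel audit subsystem: it models the log as a counter of records rather than bytes, assumes that clearing the "disk full" condition costs a fixed number of maintenance records (the "audit file truncated/wrapped" events), and lets a `stolen_after_suspend` parameter stand in for another process consuming the last free blocks on /var between AUDIT_SUSPEND and the clearing action (zero when the log file was pre-allocated). The function and field names (`audit_log_start`, `disk_full_flag`, `reserve`) are chosen for the model and are not the kernel's interface.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Model of an audit log with a fixed capacity, counted in records. */
struct audit_log {
    size_t capacity;          /* records that fit in the file (hypothetical unit) */
    size_t used;              /* records written so far */
    size_t reserve;           /* records kept back for log-maintenance events */
    bool   disk_full_flag;    /* set once AUDIT_SUSPEND has been sent */
    size_t suspended_writers; /* callers that would have been queued in the wait queue */
};

/* Ordinary record: once only 'reserve' slots remain, the caller is suspended
 * instead of writing, which is when AUDIT_SUSPEND should be raised. */
static bool audit_log_start(struct audit_log *log)
{
    if (log->disk_full_flag || log->used + log->reserve >= log->capacity) {
        log->disk_full_flag = true;
        log->suspended_writers++;
        return false;
    }
    log->used++;
    return true;
}

/* Maintenance record (e.g. "audit file truncated/wrapped"): allowed to use
 * the reserved slots, but cannot write into a file that is really full. */
static bool audit_log_maintenance(struct audit_log *log)
{
    if (log->used >= log->capacity)
        return false;
    log->used++;
    return true;
}

/* Clearing the condition must itself be audited: 'records_needed' maintenance
 * records are written before space is freed. Returns false on deadlock, i.e.
 * when the clearing action cannot be recorded. */
static bool clear_disk_full(struct audit_log *log, size_t records_needed)
{
    for (size_t i = 0; i < records_needed; i++)
        if (!audit_log_maintenance(log))
            return false;
    /* Log rotated: the new file starts with only the clearing records. */
    log->used = records_needed;
    log->disk_full_flag = false;
    return true;
}

/* Fill the log until AUDIT_SUSPEND fires, let another writer take
 * 'stolen_after_suspend' records' worth of free space (0 if the file was
 * pre-allocated), then try to clear the condition. */
static bool run_scenario(size_t capacity, size_t reserve,
                         size_t clearing_cost, size_t stolen_after_suspend)
{
    struct audit_log log = { .capacity = capacity, .reserve = reserve };

    while (audit_log_start(&log))
        ;

    /* Space stolen by another /var writer shrinks what the log can still use. */
    if (stolen_after_suspend > log.capacity - log.used)
        log.capacity = log.used;
    else
        log.capacity -= stolen_after_suspend;

    return clear_disk_full(&log, clearing_cost);
}

int main(void)
{
    /* Suspend only when the file is completely full: clearing cannot be audited. */
    printf("no reserve:            %s\n", run_scenario(100, 0, 3, 0) ? "cleared" : "DEADLOCK");
    /* Reserve exactly the records the clearing action generates. */
    printf("reserve == cost:       %s\n", run_scenario(100, 3, 3, 0) ? "cleared" : "DEADLOCK");
    /* Reserve estimated too low by one record. */
    printf("reserve < cost:        %s\n", run_scenario(100, 2, 3, 0) ? "cleared" : "DEADLOCK");
    /* Correct reserve, but no pre-allocation and another process took a block. */
    printf("reserve ok, not prealloc: %s\n", run_scenario(100, 3, 3, 1) ? "cleared" : "DEADLOCK");
    return 0;
}
```

The two knobs correspond to the two points made in the reply: `reserve` is the head-room that must cover every record the clearing method generates, and `stolen_after_suspend` is only guaranteed to be zero when the log file's blocks were allocated up front.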