audit 0.9.12 released

David Woodhouse dwmw2 at infradead.org
Thu Jun 23 13:49:34 UTC 2005


On Thu, 2005-06-23 at 07:19 -0400, Steve Grubb wrote:
> 
> Not sure. David, have you played with the latest auditctl and checked 
> everything out? For example, I just tried this and hung the machine:
> 
> auditctl -a watch,never -F loginuid=-1
> auditctl -a entry,always -S all
> 
> It locked up the machine solid. No flashing disk lights and caps lock
> key didn't toggle light.

I've reproduced something similar, although the machine is far from
'hung'. It seems there was still a case where auditd could still be
audited. So all userspace processes will be waiting a minute for every
syscall they make, because the backlog timeout happens. 

If you're running X, that would explain the lack of caps lock. Don't
test with X running unless you have a serial console.

I'm testing a fix for this now...

-- 
dwmw2




More information about the Linux-audit mailing list