audit 0.9.12 released
David Woodhouse
dwmw2 at infradead.org
Thu Jun 23 13:49:34 UTC 2005
On Thu, 2005-06-23 at 07:19 -0400, Steve Grubb wrote:
>
> Not sure. David, have you played with the latest auditctl and checked
> everything out? For example, I just tried this and hung the machine:
>
> auditctl -a watch,never -F loginuid=-1
> auditctl -a entry,always -S all
>
> It locked up the machine solid. No flashing disk lights and caps lock
> key didn't toggle light.
I've reproduced something similar, although the machine is far from
'hung'. It seems there was still a case where auditd could still be
audited. So all userspace processes will be waiting a minute for every
syscall they make, because the backlog timeout happens.
If you're running X, that would explain the lack of caps lock. Don't
test with X running unless you have a serial console.
I'm testing a fix for this now...
--
dwmw2
More information about the Linux-audit
mailing list