On Thu, 08 Sep 2005 09:35:32 EDT, Steve Grubb said: > What can you say about error handling other than it must be correct? auditd is > not going away. It will be the method for reliable logging. audisp is going > to be best effort at this point. For example, if you use remote logging > should the machine stop if the network goes down? Should it queue them and > transfer when the network is up? What if the queue fills to capacity? If the > remote logger's disk is full, should all machines on the network go to admin > mode? That'll be a bummer. I don't think we want to face all these issues and > claim 100% guarantee at this point. I can't speak for others, but I can certainly live with best-effort for audisp, as long as I can still configure auditd so we guarantee it locks up if we can't generate at least *one* reliable log. How much can we do for reliable *detection* of failure on audisp's part? For instance, use a TCP connection, and syslog or something if we see an EWOULDBLOCK (I know, not perfect, as it won't actually trip until we've sent at least a window's worth of data if the other end glorbles up - but probably good enough for my needs, and as good as it gets without an explicit ACK)....
Description: PGP signature