[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit Dispatcher Design

On Thu, 08 Sep 2005 09:35:32 EDT, Steve Grubb said:

> What can you say about error handling other than it must be correct? auditd is
> not going away. It will be the method for reliable logging. audisp is going
> to be best effort at this point. For example, if you use remote logging
> should the machine stop if the network goes down? Should it queue them and
> transfer when the network is up? What if the queue fills to capacity? If the
> remote logger's disk is full, should all machines on the network go to admin
> mode? That'll be a bummer. I don't think we want to face all these issues and
> claim 100% guarantee at this point.

I can't speak for others, but I can certainly live with best-effort for audisp,
as long as I can still configure auditd so we guarantee it locks up if we can't
generate at least *one* reliable log.

How much can we do for reliable *detection* of failure on audisp's part? For
instance, use a TCP connection, and syslog or something if we see an
EWOULDBLOCK (I know, not perfect, as it won't actually trip until we've sent
at least a window's worth of data if the other end glorbles up - but probably
good enough for my needs, and as good as it gets without an explicit ACK)....

Attachment: pgpJOGBTrz2b9.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]