About "tcp_client_max_idle" in /etc/audit/auditd.conf
Steve Grubb
sgrubb at redhat.com
Fri Dec 26 12:47:53 UTC 2008
On Friday 26 December 2008 02:07:56 am Chu Li wrote:
> When reading manpage of auditd.conf, I found "heartbeat" in the
> explanation of " tcp_client_max_idle". But in the manpage of
> audisp-remote.conf there is no description about it.
I think it was assumed that an admin that is setting this up will read both
man pages since both ends need some adjustments.
> How to use "tcp_client_max_idle" and what is "heartbeat"?
This is a message being passed back and forth so that each end knows the other
is still alive. If one end segfaults, for example, it won't send a tcp close
and the connection can linger for a while. This lets each end decide that the
other is not working properly and then take admin selected actions.
> What will happen if "tcp_client_max_idle" and "heartbeat" is not set as
> zero?
Then it will perform the heart beat protocol with the max idle seconds being
the deciding factor.
I can add some explanation to the man pages.
-Steve
More information about the Linux-audit
mailing list