When do audit log calls fail?
Kenan Avdic
kenan.avdic at link22.se
Wed Sep 18 06:48:49 UTC 2013
Hello,
We've recently started using audit instead of syslog for reliability
purposes (acknowledged logging). I'm trying to establish when the
various audit_log_* system calls fail, particularly audit_log_user_message.
Basically what we're after is a way of being sure that a message that
was sent for logging is "comitted", and react in some way if it is not.
We're using audit_log_user_message but this function never fails (i.e.
returns <=0, per manpage), even e.g. if the audit daemon is down. From
reading the source code it seems the only way for it to fail is when the
kernel is lacking support for auditing (or is too old or similar).
My conclusion, given the above assumption, is that these functions do
not provide a way to ascertain that a message is actually logged from
the system call, and that decisions about failed logging have to be made
by the daemon. Is there any other way to check what happens with a log
message once its sent using e.g. audit_log_user_message?
Thanks,
/Kenan
--
Kenan Avdic
link22 AB
Brigadgatan 1
587 58 Linköping, Sweden
kenan.avdic at link22.se
tel: +46 707 75 77 61
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2266 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20130918/52579485/attachment.p7s>
More information about the Linux-audit
mailing list