[redhat-lspp] what happens when something can't be audited?
Linda Knippers
linda.knippers at hp.com
Fri Feb 9 16:46:33 UTC 2007
In this bugzilla, Eduardo has accurately described the behavior of cups if
auditd is running when cupsd starts up but auditd is stopped afterwards.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227889
He was expecting cupsd to stop printing (not an unreasonable expectation)
but it does not.
I updated the bugzilla to explain why and to point out that lots of
trusted programs issue audit records at the completion of some operation
(they include the results in the audit record) and don't undo the operation
if issuing the audit record fails. We could certainly change cupsd to
fail to queue a job or to cancel a job if it can't be audited but what
about the other programs?
I know we talked about this alot when the audit failure action
routine was added the libaudit but the requirements were never
very clear.
-- ljk
More information about the redhat-lspp
mailing list