> -----Original Message-----
> From: Steve Grubb [mailto:sgr...@redhat.com]
> Sent: September 19, 2019 10:34
> To: Li,Rongqing <lirongq...@baidu.com>
> Cc: Paul Moore <p...@paul-moore.com>; linux-audit@redhat.com
> Subject: Re: [PATCH][RFC] audit: set wait time to zero when audit failed
>
> On Thu, 19 Sep 2019 01:50:05 +0000
> "Li,Rongqing" <lirongq...@baidu.com> wrote:
>
> > No need knobs, auditctl can change the backlog length and wait time.
> > And it is helpless to change the backlog length if auditd is hung
> > forever, as a task can be hung forever due to disk/filesystem's
> > abnormal, etc
> >
> > I am saying the audit default behaviors which is changed, I truly meet
> > the issue as description of the below commit, if we can make change,
> > other can avoid this issue.
>
> I'd like to offer an opinion because this is a long term issue that we have
> faced and what exists is the result of having to meet certain requirements.
>
> If the machine boots with audit=0, which I think is default, then the end user
> has no expectation of audit ever being in use. Audit events may be discarded
> if the backlog fills up.
>
> If however the machine boots with audit=1, then the user is expecting that
> there will eventually be an audit daemon and they want all events.
> All of them without fail. So, we have to take all measures to deliver those
> events because this is required by common criteria as well as other security
> standards such as PCI-DSS.
>

Ok, I see

Thanks

-RongQing

> So, there are 2 paths. One which does not care about audit and one that does.
> The original behavior did not meet requirements. If there is any patch that
> fixes this, it would be to not have an audit backlog wait time if audit has
> never been enabled. We have to be careful to consider audit never enabled,
> audit disabled but previously enabled, and audit enabled.
>
> HTH...
>
> -Steve