• E
    Audit: save audit_backlog_limit audit messages in case auditd comes back · f3d357b0
    Eric Paris 提交于
    This patch causes the kernel audit subsystem to store up to
    audit_backlog_limit messages for use by auditd if it ever appears
    sometime in the future in userspace.  This is useful to collect audit
    messages during bootup and even when auditd is stopped.  This is NOT a
    reliable mechanism, it does not ever call audit_panic, nor should it.
    audit_log_lost()/audit_panic() are called during the normal delivery
    mechanism.  The messages are still sent to printk/syslog as usual and if
    too many messages appear to be queued they will be silently discarded.
    
    I liked doing it by default, but this patch only uses the queue in
    question if it was booted with audit=1 or if the kernel was built
    enabling audit by default.
    Signed-off-by: NEric Paris <eparis@redhat.com>
    Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
    f3d357b0
audit.c 38.8 KB