On 16/02/11, Max Timchenko wrote: > On Wed, Feb 10, 2016 at 9:30 PM, Richard Guy Briggs <[email protected]> wrote: > > > On 16/02/10, Max Timchenko wrote: > > > Has anyone tried that before? What would actually happen if two different > > > audit clients tried to use the same interface to the audit subsystem in > > the > > > kernel? > > > > With recent changes upstream, the second would be denied with -EEXIST. > > > > Before that, the older one would be starved out. And versions even > > older might actually have the newer one orphaned in the very occasional > > race where the older one shuts down after the second one starts. > > > > To quote Highlander, "There Can Be Only One". > > Thanks Richard and Paul for your quick responses. It's great to hear > that support for containers is being worked on. > > I have read the docs on audispd(8) - is it something auditd and the > other client could use to enable multiple access? It sounds like > audispd does support multiple clients, but I would guess all clients > would have to use the audispd plugin interface instead of the usual > kernel API. > > What is missing from the documentation for me is the relationship > between audispd and auditd - whether audispd is an optional component > of auditd that can run concurrently, or audispd is a replacement of > auditd when configured (and then auditd cannot run on the same machine > without running into the same multi-client issues).
I will defer to Steve Grubb on this quesition as the userspace tools are his domain of expertise. > Yours, > -- > Max - RGB -- Richard Guy Briggs <[email protected]> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
