From: Paul Moore
Subject: Re: auditd restart atomic?
Date: Tue, 7 Feb 2017 10:05:49 -0500
To: Chris Nandor
Cc: linux-audit@redhat.com

On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor wrote:
> If I restart auditd, can it lose (not record to the logs) events that happen
> during the restart? Or is the restart (and reload of new rules) essentially
> atomic?

The kernel maintains a backlog queue of audit records when auditd is
not running and attempts to (re)send those records when auditd is
started. However, the backlog queue size is fixed and it is possible
to overflow the queue; if that happens a message will be sent to the
kernel's ring buffer (dmesg).

-- 
paul moore
www.paul-moore.com
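One way to check for the overflow case described in the reply above, as an added example that is not part of the original message: it compares the kernel's `lost` counter from `auditctl -s` taken before and after an auditd restart and looks for backlog-overflow messages in dmesg output. The sample text is constructed, the function names are hypothetical, and the "key value" status layout and kernel message wording are assumptions that may differ between audit and kernel versions.

```python
import re

# Constructed sample data (not from the thread): `auditctl -s` output taken
# before and after restarting auditd, and an excerpt of `dmesg` output.
STATUS_BEFORE = """enabled 1
failure 1
pid 1432
rate_limit 0
backlog_limit 8192
lost 12
backlog 0
"""
STATUS_AFTER = """enabled 1
failure 1
pid 2210
rate_limit 0
backlog_limit 8192
lost 57
backlog 3
"""
DMESG = """[ 8123.101] audit: audit_backlog=8193 > audit_backlog_limit=8192
[ 8123.101] audit: audit_lost=13 audit_rate_limit=0 audit_backlog_limit=8192
[ 8123.101] audit: backlog limit exceeded
[ 8130.554] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
"""

# Assumed wording of the kernel's backlog-overflow warnings.
OVERFLOW = re.compile(
    r"audit: (backlog limit exceeded|audit_backlog=\d+ > audit_backlog_limit=\d+)")

def parse_status(text):
    """Parse 'key value' lines into a dict of ints; skip anything else."""
    fields = (line.split() for line in text.splitlines())
    return {f[0]: int(f[1]) for f in fields if len(f) == 2 and f[1].isdigit()}

def overflow_lines(dmesg_text):
    """Return the kernel log lines that report a full audit backlog queue."""
    return [l for l in dmesg_text.splitlines() if OVERFLOW.search(l)]

def restart_report(before, after, dmesg_text):
    """Summarise whether records were dropped between the two snapshots."""
    b, a = parse_status(before), parse_status(after)
    lost = a["lost"] - b["lost"]  # the counter lives in the kernel, not auditd
    return {"lost_during_restart": lost,
            "backlog_limit": a["backlog_limit"],
            "overflow_messages": len(overflow_lines(dmesg_text)),
            "records_dropped": lost > 0}
```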