cvs commit: src/etc/rc.d auditd

John E Hein jhein at timing.com
Thu Dec 7 09:05:31 PST 2006


Doug Barton wrote at 15:55 -0800 on Dec  6, 2006:
 > Robert Watson wrote:
 > > 
 > > On Wed, 6 Dec 2006, Doug Barton wrote:
 > > 
 > >>>   Sleep for one second after calling audit -t to give the audit daemon a
 > >>>   chance to actually terminate the audit service and exit. 
 > >>> Otherwise, on
 > >>>   an rc.d/auditd restart, the new audit daemon instance may try to start
 > >>>   auditing while the previous session is still running.  Likewise, this
 > >>>   ensures a chance for auditd to terminate the audit trail at system
 > >>>   shutdown.
 > >>>
 > >>>   Perhaps more ideally, the script would wait synchronously for
 > >>> auditd to
 > >>>   exit rather than for an arbitrary but short period of time.
 > >>
 > >> Perhaps a better change would be:
 > >>
 > >> /usr/sbin/audit -t while : ; do).
 > >>     if <something that indicates audit is not dead yet>; then
 > >>         echo 'Waiting for the audit system to terminate'
 > >>         sleep 1
 > >>     else
 > >>         break
 > >>     fi
 > >> done
 > > 
 > > Is there a built-in mechanism in rc.d to wait for a process to exit? 
 > 
 > There is wait_for_pids(), which combined with pgrep could possibly
 > work for you. Since I wasn't sure what your parameters are, the
 > mechanism above is generic enough to work with anything.
 > 
 > > We'd like to wait for auditd to exit, specifically, as a sign that
 > > auditing really is terminated.  
 > 
 > Then what you probably want (untested) is something like
 > 
 > /usr/sbin/audit -t
 > wait_for_pids `pgrep -d' ' auditd`
 > 
 > hth,
 > 
 > Doug

Another option is to start auditd behind lockf.  To determine whether
auditd has exited, check for the lock file (put it in /var/run).


More information about the cvs-all mailing list