Date:      Thu, 7 Dec 2006 09:51:50 -0700
From:      John E Hein <jhein@timing.com>
To:        Doug Barton <dougb@FreeBSD.org>
Cc:        Robert Watson <rwatson@FreeBSD.org>, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc/rc.d auditd
Message-ID:  <17784.18086.947589.606142@gromit.timing.com>
In-Reply-To: <4577586A.2010009@FreeBSD.org>
References:  <200609241731.k8OHV5mZ053132@repoman.freebsd.org> <45775157.4030900@FreeBSD.org> <20061206233112.X65418@fledge.watson.org> <4577586A.2010009@FreeBSD.org>

Doug Barton wrote at 15:55 -0800 on Dec  6, 2006:
 > Robert Watson wrote:
 > > 
 > > On Wed, 6 Dec 2006, Doug Barton wrote:
 > > 
 > >>>   Sleep for one second after calling audit -t to give the audit daemon a
 > >>>   chance to actually terminate the audit service and exit.  Otherwise, on
 > >>>   an rc.d/auditd restart, the new audit daemon instance may try to start
 > >>>   auditing while the previous session is still running.  Likewise, this
 > >>>   ensures a chance for auditd to terminate the audit trail at system
 > >>>   shutdown.
 > >>>
 > >>>   Perhaps more ideally, the script would wait synchronously for auditd to
 > >>>   exit rather than for an arbitrary but short period of time.
 > >>
 > >> Perhaps a better change would be:
 > >>
 > >> /usr/sbin/audit -t
 > >> while : ; do
 > >>     if <something that indicates audit is not dead yet>; then
 > >>         echo 'Waiting for the audit system to terminate'
 > >>         sleep 1
 > >>     else
 > >>         break
 > >>     fi
 > >> done
 > > 
 > > Is there a built-in mechanism in rc.d to wait for a process to exit? 
 > 
 > There is wait_for_pids(), which combined with pgrep could possibly
 > work for you. Since I wasn't sure what your parameters are, the
 > mechanism above is generic enough to work with anything.
 > 
 > > We'd like to wait for auditd to exit, specifically, as a sign that
 > > auditing really is terminated.  
 > 
 > Then what you probably want (untested) is something like
 > 
 > /usr/sbin/audit -t
 > wait_for_pids `pgrep -d' ' auditd`
 > 
 > hth,
 > 
 > Doug

Another option is to start auditd behind lockf.  To determine whether
auditd has exited, check for the lock file (put it in /var/run).
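
Added example (not part of the original message and not FreeBSD's rc.d code): a bounded, synchronous wait for a daemon to exit, so that a stop or restart does not proceed while the old auditd may still be writing the audit trail. wait_for_exit is a hypothetical helper name, and the 10-second limit in the commented stop path is an assumed value.

```shell
#!/bin/sh
# Added example. wait_for_exit is a hypothetical helper; it is not the
# wait_for_pids function from rc.subr mentioned in the thread.

# usage: wait_for_exit TIMEOUT_SECONDS [PID...]
# Returns 0 once none of the PIDs exist, 1 if any is still alive after
# TIMEOUT_SECONDS. With no PIDs it returns 0 immediately.
wait_for_exit() {
    _timeout=$1
    shift
    _waited=0
    while :; do
        _alive=""
        for _pid in "$@"; do
            # kill -0 delivers no signal; it only tests that the PID exists.
            # It also fails on processes the caller may not signal, so run
            # this with the privileges of the rc.d script (root).
            if kill -0 "$_pid" 2>/dev/null; then
                _alive="$_alive $_pid"
            fi
        done
        [ -z "$_alive" ] && return 0
        if [ "$_waited" -ge "$_timeout" ]; then
            # Report instead of hanging shutdown forever.
            echo "still running after ${_timeout}s:$_alive" >&2
            return 1
        fi
        sleep 1
        _waited=$((_waited + 1))
    done
}

# Sketch of a stop path built on it (assumption: auditd is installed and
# the caller is root; the 10 second limit is a constructed value):
#   /usr/sbin/audit -t
#   wait_for_exit 10 $(pgrep -d' ' auditd) || echo 'auditd did not exit' >&2
```

A nonzero return lets the caller log that the audit trail may not have been terminated cleanly instead of silently starting a second instance.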


