author | Ashlee Young <ashlee@wildernessvoice.com> | 2016-01-20 01:10:01 +0000 |
---|---|---|
committer | Ashlee Young <ashlee@wildernessvoice.com> | 2016-01-20 01:10:11 +0000 |
commit | 19d701ddf07d855128ded0cf2b573ce468e3bdd6 (patch) | |
tree | 0edcd3461ca903c76e431bb7c6348c42a0f12488 /framework/src/audit/audisp/plugins/remote/notes.txt | |
parent | fac6fbefbfad1cf837ddd88bc0d330559c8eb6f9 (diff) |
Removing Suricata and Audit from source repo, and updated build.sh to avoid building suricata. Will re-address this in C release via tar balls.
Change-Id: I3710076f8b7f3313cb3cb5260c4eb0a6834d4f6e
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/audisp/plugins/remote/notes.txt')
-rw-r--r-- | framework/src/audit/audisp/plugins/remote/notes.txt | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/framework/src/audit/audisp/plugins/remote/notes.txt b/framework/src/audit/audisp/plugins/remote/notes.txt deleted file mode 100644 index 1cd46193..00000000 --- a/framework/src/audit/audisp/plugins/remote/notes.txt +++ /dev/null @@ -1,31 +0,0 @@ -The queue data structure can keep data only in memory, only on disk -(writing it to disk and reading from disk), or in both (writing everything -to disk, but reading from disk only data stored in a previous run). -audisp-remote will use the last option for performance. - -The queue file format starts with a fixed header, followed by an array -of slots for strings. Due to the fixed size of each slot the file format -is rather inefficient, but it is also very simple. - -The file is preallocated and the string slots will be aligned to a 4KB -boundary, so it should be necessary to only write one block to disk -when audisp-remote receives a (short) audit record. - -With the default queue size of 200 items the file will be about 2.4 -megabytes large, which is probably not really worth worrying about. - -If necessary, the space utilization could be improved by storing strings -consecutively instead of using pre-arranged slots. - -The queue file format is intended to be resilient against unexpected -termination of the process, and should be resilient against unexpected -system crash as long as the OS does not reorder writes (the string data -is written before the header that indicates that it is present) - but -ultimately resiliency against such failures is limited by other -links in the audit record transmission chain - if the record is lost -within auditd or audispd, having a resilient queue file format does -not help; audit records generated within the kernel are necessarily -lost if the system crashes before they are read by auditd because -the kernel will not be able to regenerate/retransmit them after the next -boot. - |
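Review bot: The removed paragraph beginning "The queue file format is intended to be resilient" is where the durability assumption for the audisp-remote queue is written down (string data is written before the header that marks it present, which holds only as long as the OS does not reorder writes), and the commit message does not say where that documentation will live once audit is consumed as a tarball. Suggest recording the upstream audit release or tarball that will replace this tree, in the commit message or next to the build.sh change, so the format notes and the sizing default quoted here (200 items, about 2.4 megabytes) remain traceable. The diffstat on this page is limited to notes.txt, so the build.sh edit mentioned in the message cannot be checked against these lines.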