<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I'm having trouble getting my "audit_backlog_limit" boot
parameter accepted. <br>
</p>
<p>I have the following 2 audit parameters on my boot line:</p>
<p>audit=1</p>
<p>audit_backlog_limit=8192</p>
<p>My /proc/cmdline shows them both once booted up.</p>
<p>But I'm not getting the audit_backlog_limit applied to the kernel
audit startup. I have an auditctl -b 8192 that runs from the
audit.rules, and the resulting CONFIG_change event shows
"...audit_backlog_limit=8192, old=64...".</p>
<p>After startup I run:</p>
<p># auditctl -s</p>
<p>and see that I've lost 93 events.</p>
<p><br>
</p>
<p>Looking at the kernel code, I see that if the "audit=1" value is
set, it should print:</p>
<p>"enabled (after initialization)", which I see in both dmesg and
/var/log/messages.<br>
</p>
<p>The second one (audit_backlog_limit=8192) should output IIUC:<br>
</p>
<p>"audit_backlog_limit: ", which I don't see anywhere.</p>
<p>It's as if the parameter is being ignored. I've tried moving it
to a different spot so it isn't the last on the line, etc.
Nothing. <br>
</p>
<p>I stumbled on this because I'm not seeing the "SYSTEM_BOOT"
events anymore; I suspect they are in the missing ones.<br>
</p>
<p>Pretty sure I don't have a typo; I've put it into the grub config
and run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from
that. Again, the parameter is there in /proc/cmdline but doesn't
seem to be accepted. No warnings about it either AFAICT.</p>
<p>RHEL7.6, kernel 3.10.0-957 </p>
<p>Don't think the audit userspace version makes much difference,
but it is 2.8.5.</p>
<p>Thanks in advance,</p>
<p>LCB<br>
</p>
<pre class="moz-signature" cols="72">--
Lenny Bruzenak
MagitekLTD</pre>
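<p>The checks described in the message above (boot line, <code>auditctl -s</code>, kernel log), as an added example that is not part of the original post. The helper names and the sample values are constructed for illustration; the script assumes <code>auditctl -s</code> prints one "name value" pair per line and also accepts name=value pairs on one line.</p>

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.

# Value of NAME= on a kernel command line; if repeated, the last one is shown.
cmdline_param() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | tail -n 1
}

# Value of field NAME in `auditctl -s` output. Accepts one "name value"
# pair per line as well as name=value pairs on a single line.
status_field() {
    printf '%s\n' "$2" | tr ' =' '\n\n' |
        awk -v k="$1" 'found { print; exit } $0 == k { found = 1 }'
}

# check_backlog CMDLINE STATUS KLOG: print findings, return 1 on any problem.
check_backlog() {
    want=$(cmdline_param audit_backlog_limit "$1")
    have=$(status_field backlog_limit "$2")
    lost=$(status_field lost "$2")
    rc=0
    if [ -z "$want" ]; then
        echo "audit_backlog_limit is not on the boot line"; return 1
    fi
    # The post expects the kernel to log "audit_backlog_limit: " at boot.
    if ! printf '%s\n' "$3" | grep -q 'audit_backlog_limit: '; then
        echo "kernel log has no 'audit_backlog_limit: ' line: boot parameter not acknowledged"; rc=1
    fi
    if [ "$have" != "$want" ]; then
        echo "running backlog_limit=$have, boot line asked for $want"; rc=1
    fi
    if [ "${lost:-0}" -ne 0 ]; then
        echo "lost=$lost: audit events were dropped"; rc=1
    fi
    return $rc
}

# Constructed sample mirroring the post: parameter present, limit later set
# by auditctl -b, 93 events lost, no acknowledgement in the kernel log.
SAMPLE_CMDLINE='ro audit=1 audit_backlog_limit=8192 quiet'
SAMPLE_STATUS='enabled 1
backlog_limit 8192
lost 93
backlog 0'
SAMPLE_KLOG='audit: enabled (after initialization)'

if [ "${1:-}" = "--live" ]; then   # needs root for auditctl
    check_backlog "$(cat /proc/cmdline)" "$(auditctl -s)" "$(dmesg)"
else
    check_backlog "$SAMPLE_CMDLINE" "$SAMPLE_STATUS" "$SAMPLE_KLOG" || true
fi
```

<p>With <code>--live</code> the kernel log is read from <code>dmesg</code>, whose ring buffer may no longer hold boot messages on a long-running host; /var/log/messages is the other place the post looks.</p>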
</body>
</html>