adding syscall rules

Amy Griffis amy.griffis at hp.com
Wed Jun 8 21:10:20 UTC 2005


Hello,

I've noticed some odd behavior when adding medium to large numbers of
syscall rules.  I'm doing my testing on an ia64 system with the
audit.56 kernel and the audit-0.9.2 package.

When adding the 31st rule, the 'No watches' message is not printed
following the auditctl command to add the rule, or any subsequent
auditctl -l calls.  This seems to happen for any number of rules
greater than 30.

When the 61st rule is added, it does not appear in the rules list when
adding the rule, or any following auditctl -l calls.  60 seems to be
the maximum number of rules that can be listed.  I do see an 'added an
audit rule' message in the audit log for the 61st rule, and can
generate audit records from it.

After adding the 116th rule, I can no longer delete all the rules with
auditctl -D.  In fact, the command appears to hang, with no output
going to the audit log.  If I bring the number of rules down to 115,
then -D will work again.

On a related note, I've been working on putting together a default
CAPP configuration that can be loaded via auditctl, similar to LAuS's
filter.conf file.  Has anyone else been working on this?  Are there
plans to provide something like this?

Thanks,
Amy
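A small checker for the symptom described above (rules accepted by the kernel but absent from `auditctl -l`), added here as an example and not part of the original post or the audit package. It assumes `auditctl -l` prints one rule per line in the same option form used to add it; the sample listing is constructed.

```python
#!/usr/bin/env python3
"""Add audit rules one at a time and verify each still appears in `auditctl -l`.

Assumption: `auditctl -l` prints rules as '-a ... -S ...' lines and may
also print status lines such as 'No watches' or 'No rules'.
"""
import shlex
import subprocess
import sys


def normalize(rule: str) -> str:
    """Collapse whitespace so a rule as typed and as listed compare equal."""
    return " ".join(rule.split())


def listed_rules(listing: str) -> set:
    """Parse `auditctl -l` output into the set of normalized rule lines,
    skipping blank lines and status lines (they do not start with '-')."""
    return {normalize(l) for l in listing.splitlines() if l.strip().startswith("-")}


def find_missing(rules: list, listing: str) -> list:
    """Return 1-based indexes of the given rules that are not in the listing."""
    seen = listed_rules(listing)
    return [i for i, r in enumerate(rules, 1) if normalize(r) not in seen]


def run_auditctl(args: list) -> str:
    """Invoke the real auditctl; needs root and an audit-enabled kernel."""
    proc = subprocess.run(["auditctl", *args], capture_output=True, text=True, check=False)
    return proc.stdout


def load_and_verify(rules: list) -> list:
    """Add each rule, re-list after every add, and report the first rule
    (by index) that the kernel accepted but `auditctl -l` no longer shows."""
    for i, rule in enumerate(rules, 1):
        run_auditctl(shlex.split(rule))
        missing = find_missing(rules[:i], run_auditctl(["-l"]))
        if missing:
            print(f"after adding rule {i}, rule(s) {missing} not listed")
            return missing
    print(f"all {len(rules)} rules listed")
    return []


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        load_and_verify([l.strip() for l in fh if l.strip() and not l.startswith("#")])
```

Run it as root with a rules file (one `-a ...` rule per line) to find the rule count at which listing stops matching what was loaded.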
