adding syscall rules
Timothy R. Chavez
tinytim at us.ibm.com
Wed Jun 8 21:24:52 UTC 2005
On Wednesday 08 June 2005 16:10, Amy Griffis wrote:
> Hello,
>
> I've noticed some odd behavior when adding medium to large numbers of
> syscall rules. I'm doing my testing on an ia64 system with the
> audit.56 kernel and the audit-0.9.2 package.
>
> When adding the 31st rule, the 'No watches' message is not printed
> following the auditctl command to add the rule, or any subsequent
> auditctl -l calls. This seems to happen for any number of rules
> greater than 30.
>
> When the 61st rule is added, it does not appear in the rules list when
> adding the rule, or any following auditctl -l calls. 60 seems to be
> the maximum number of rules that can be listed. I do see an 'added an
> audit rule' message in the audit log for the 61st rule, and can
> generate audit records from it.
>
> After adding the 116th rule, I can no longer delete all the rules with
> auditctl -D. In fact, the command appears to hang, with no output
> going to the audit log. If I bring the number of rules down to 115,
> then -D will work again.

I've seen similar problems with watches (when inserting and triggering
them immediately after). I've yet to hear of or see a solution to this
problem. But, I know Steve had commented earlier on the hard limit of
30 phenomena and a fix for it.
Is there any way you can join the IRC channel (irc.freenode.net/6667)
#audit -- We're mostly all there in the late morning between 10 - 12 CST.
-tim