Fw: Audit record emission

Linda Knippers linda.knippers at hp.com
Thu May 5 21:26:56 UTC 2005


>>> I'm curious because on my system, I can lose audit records without much load
>>> at all, but I'm running the default auditd.conf.
> 
> What version are you using and what is your priority_boost setting? 

I'm using the 0.7.3-1 user-space tools and the .28 kernel.  I'm using
the default auditd.conf file, which has priority_boost = 3.

I was doing something a bit unusual.  I was running some manual tests
with audit rules that audit all syscalls with my uid and it was working
fine until I forgot to turn it off before locking my X session.  At
that point, the screen saver did stuff like close every possible
file descriptor, as far as I can tell from the log, so between locking
the session and restarting it, I lost hundreds of records.

I can usually, but not always, reproduce record loss with a program
similar to one of Kris' tests, but with fewer than 200 iterations.
I haven't tried fooling with the auditd.conf parameters yet, so I
was curious about the stress.conf file.

-- ljk



