File System Watch Limits

Steve Grubb sgrubb at redhat.com
Thu Nov 3 15:31:07 UTC 2005


Hi,

Someone is trying to use the audit system's watch implementation. They have a 
requirement to watch any changes to /lib & /user/lib and lots of other files. 
At first they placed a watch on the directory thinking that it would get all 
changes. I pointed out that that catches meta-data updates and could miss 
some kinds of events on the files themselves. They created a shell script 
that places an audit rule for each file in the directory.

At about 4500 files this quit working. The events aren't generated and 
auditctl -l stops listing rules. By their estimate, they need to watch 
approximately 90,000 files. 4500 falls far short of what's required.

Anyone have ideas about how to handle this kind of situation? I think we need 
an elegant way to handle this.

-Steve
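The per-file approach described above (one audit rule per file in a directory, generated by a script) can at least be made to fail loudly rather than silently: generate the rule list first, count it, and refuse to load it past a known ceiling. The script below is an added illustration, not Steve's script or anything from the audit project. It uses the real `auditctl -w <path> -p <perms> -k <key>` rule syntax, writes the rules to a file instead of loading them (so it runs without root), and treats RULE_LIMIT as an assumed placeholder; the 4500 figure is only the point at which rules stopped listing in the post, not a documented limit.

```shell
#!/bin/sh
# Added example (not from the original post): build one audit watch rule per
# regular file under a directory, then count the rules so the total can be
# checked against a per-system ceiling BEFORE handing them to auditctl.
# RULE_LIMIT is an assumed placeholder; the post reports rules stopping
# around 4500, which is an observation, not a documented kernel limit.

RULE_LIMIT="${RULE_LIMIT:-4500}"

# gen_watch_rules DIR KEY OUTFILE
#   Writes one "-w <file> -p wa -k <key>" line per regular file under DIR
#   (auditctl's -w/-p/-k flags; "wa" = write and attribute changes, the
#   key lets the events be pulled out of the audit log as a group).
#   Prints the number of rules written.  Paths containing whitespace are
#   not quoted here; a real deployment would need to handle them.
gen_watch_rules() {
    dir="$1"; key="$2"; out="$3"
    : > "$out"
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf -- '-w %s -p wa -k %s\n' "$f" "$key"
    done >> "$out"
    wc -l < "$out" | tr -d ' '
}

# check_rule_budget COUNT LIMIT
#   Succeeds (exit 0) when COUNT <= LIMIT, fails otherwise, so a caller can
#   stop before loading a rule set that would be truncated silently.
check_rule_budget() {
    [ "$1" -le "$2" ]
}

# Typical use (requires root to actually load the rules):
#   n=$(gen_watch_rules /lib libwatch /tmp/lib.rules)
#   check_rule_budget "$n" "$RULE_LIMIT" || { echo "too many rules: $n" >&2; exit 1; }
#   auditctl -R /tmp/lib.rules
```

Loading a rule file with `auditctl -R` after the count check keeps the failure visible: the script stops with an error instead of the rules quietly ceasing to appear in `auditctl -l`.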
