audit 1.2.7 released
Karl MacMillan
kmacmill at redhat.com
Thu Sep 21 19:43:50 UTC 2006
On Wed, 2006-09-20 at 15:40 -0400, Steve Grubb wrote:
> On Wednesday 20 September 2006 15:26, Paul Moore wrote:
> > > I try very hard to not have any memory allocations in the audit system to
> > > prevent any possible failure due to fragmentation or leaks. I need to cap
> > > the buffer size at something to meet this design goal.
> >
> > If this buffer limitation results in the loss or partial-loss of an
> > audit record is there some notification sent?
>
> No.
>
> > This seems like an excellent way for an individual to obscure their actions
> > on a system.
>
> Well, the particular buffer that Amy cited was 128 in size and only for
> startup/shutdown messages. It has been increased to 384. The other buffer
> that holds the events from syscall, file system, and trusted apps was 8460
> and is now 8970.
>
There are very few limits on the size of contexts, though, and any heavy
use of MLS / MCS categories could make the average context size grow
quickly. Granted this is controllable by policy and, presumably,
solvable by an admin.
Karl
More information about the Linux-audit
mailing list