user message limits
LC Bruzenak
lenny at magitekltd.com
Mon Jun 8 22:08:33 UTC 2009
On Wed, 2009-01-28 at 12:15 -0500, Steve Grubb wrote:
> On Tuesday 27 January 2009 07:01:08 pm LC Bruzenak wrote:
> > Even when I get a successful return value (from audit_log_user_message),
> > I don't get my string back out in "ausearch" unless it is WAY smaller -
> > ~1K or less I think.
> >
> > Any ideas/thoughts?
>
> I tested like this:
>
> auditctl -m `perl -e '{print "A"x"2048"}'`
>
> and found its getting cutoff just under 1K. So, I checked the kernel code and
> found this:
>
> 761 if (msg_type != AUDIT_USER_TTY)
> 762 audit_log_format(ab, " msg='%.1024s'",
> 763 (char *)data);
> 764 else {
>
> Offhand, I don't remember why the kernel sets the limit so low. It could be
> bumped some. How much, I don't know. 4K or 8K would seem fine.
>
> -Steve
I apologize in advance, but I've lost the bubble on input event length.
Is there a plan for the kernel to allow bigger buffers in to be audited?
As of my current one (2.6.29.4-75.fc10) I'm still in the same ~900 byte
range.
To me, it seems that an increase would be automatically
backward-compatible. The "dropoff" point would just extend out a ways...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list