Clear kernel audit buffer?

Aaron Lewis the.warl0ck.1989 at gmail.com
Tue Jan 14 05:09:52 UTC 2014


Hi Richard,

Thanks for the quick reply.

Yes, I did run auditctl -D to clear all rules. And during testing I
have enlarged the buffer queue to 10240 messages.

Did you mean that once -D is issued, the buffer will be cleared by
auditd, but not by the Linux kernel?


On Tue, Jan 14, 2014 at 3:24 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 13/12/26, Aaron Lewis wrote:
>> Hi,
>>
>> I'm doing a stress test on auditd, so I added a rule to monitor the "open"
>> syscall, then used a C program to generate a massive amount of logs.
>> The program finished and exited.
>>
>> But I generated too much; if I kill auditd and start it again, I can
>> still see a lot of type=SYSCALL logs (but not CWD or PATH).
>>
>> Can I clear the existing buffer?
>
> Did you remove the rule that caused the massive amount of logging?
>
> Auditd will drain that buffer.  The default is a queue of 64 messages,
> which should drain reasonably quickly if the rule has been removed and
> the queue length hasn't been overridden to a huge value.  Otherwise,
> there is no other way to drain that buffer.
>
>> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
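A way to check the state this thread is discussing, as an added example (not code from either poster): it reads the fields `auditctl -s` prints and the `auditctl -l` rule listing, and tells apart "rules still loaded, queue keeps refilling" from "rules cleared, auditd is just draining a large backlog". The rule and status texts are constructed here so the script runs without a live audit subsystem; on a real host substitute `$(auditctl -l)` and `$(auditctl -s)`.

```shell
# Added example, not code from the thread: after `auditctl -D`, check that the
# rules are really gone and whether the kernel backlog is draining. Rule and
# status texts are CONSTRUCTED to resemble `auditctl -l` / `auditctl -s` output.

RULES_LOADED='-a always,exit -F arch=b64 -S open'
RULES_CLEARED='No rules'

# Mid-test snapshot: backlog_limit raised to 10240, queue nearly full.
STATUS_QUEUED='enabled 1
failure 1
pid 4242
rate_limit 0
backlog_limit 10240
lost 0
backlog 9731'

# Print one numeric field ("backlog", "lost", ...) from status text on stdin.
status_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Succeed when no records are waiting in the kernel queue.
backlog_drained() {
    backlog=$(printf '%s\n' "$1" | status_field backlog)
    [ "${backlog:-0}" -eq 0 ]
}

# One-line summary: queue fill against its limit, plus records the kernel dropped.
queue_report() {
    printf 'backlog=%s/%s lost=%s\n' \
        "$(printf '%s\n' "$1" | status_field backlog)" \
        "$(printf '%s\n' "$1" | status_field backlog_limit)" \
        "$(printf '%s\n' "$1" | status_field lost)"
}

# Diagnose the thread's situation: loaded rules keep refilling the queue;
# with rules cleared, a non-zero backlog is auditd catching up, nothing more.
drain_advice() {
    backlog=$(printf '%s\n' "$2" | status_field backlog)
    if [ "$1" != "No rules" ]; then
        echo "rules still loaded; queue keeps refilling (run auditctl -D)"
    elif [ "${backlog:-0}" -gt 0 ]; then
        echo "rules cleared; $backlog records queued, auditd will drain them"
    else
        echo "queue empty"
    fi
}
drain_advice "$RULES_LOADED" "$STATUS_QUEUED"
drain_advice "$RULES_CLEARED" "$STATUS_QUEUED"
queue_report "$STATUS_QUEUED"
```

A non-zero `lost` count in the report means the kernel dropped records before auditd could read them, which is the audit-trail gap a raised `backlog_limit` is meant to avoid.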