[PATCH] audit: allow unlimited backlog queue

Richard Guy Briggs rgb at redhat.com
Tue Jan 14 22:59:16 UTC 2014 

Since audit can already be disabled by "audit=0" on the kernel boot line, or by
the command "auditctl -e 0", it would be more useful to have the
audit_backlog_limit set to zero mean effectively unlimited (limited only by
system resources).

Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
---

Steve,

These are userspace source code documentation changes in what's going in
upstream.  See:
	audit: allow unlimited backlog queue
git://toccata2.tricolour.ca/linux-2.6-rgb.git
https://lkml.org/lkml/2013/10/22/356
https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html

 trunk/docs/auditctl.8 |    2 +-
 trunk/src/auditctl.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index 0ee1a83..dbb911d 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, get status, and add
 .SH OPTIONS
 .TP
 .BI \-b\  backlog
-Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
+Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.  Setting this to "0" (which is dangerous) implies an unlimited queue, limited only by system resources.
 .TP
 \fB\-e\fP [\fB0\fP..\fB2\fP]
 Set enabled flag. When \fB0\fP is passed, this can be used to temporarily disable auditing. When \fB1\fP is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a \fB2\fP as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index 325b0a7..5b544a1 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -107,7 +107,7 @@ static void usage(void)
      "    -a <l,a>            Append rule to end of <l>ist with <a>ction\n"
      "    -A <l,a>            Add rule at beginning of <l>ist with <a>ction\n"
      "    -b <backlog>        Set max number of outstanding audit buffers\n"
-     "                        allowed Default=64\n"
+     "                        allowed. Default=64 Unlimited=0(dangerous)\n"
      "    -c                  Continue through errors in rules\n"
      "    -C f=f              Compare collected fields if available:\n"
      "                        Field name, operator(=,!=), field name\n"
-- 
1.7.1

More information about the Linux-audit mailing list