[SOLVED] Re: Clear kernel audit buffer?

Aaron Lewis the.warl0ck.1989 at gmail.com
Thu Jan 16 16:21:38 UTC 2014


Thanks Steve & Richard, I get it.

On Tue, Jan 14, 2014 at 10:47 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 14/01/14, Steve Grubb wrote:
>> On Tuesday, January 14, 2014 01:09:52 PM Aaron Lewis wrote:
>> > Yes, I did run auditctl -D to clear all rules. And during testing I
>> > have enlarged the buffer queue to 10240 messages.
>> >
>> > Did you mean that once -D is issued, the buffer will be cleared by
>> > auditd, but not by linux kernel?
>>
>> There is no way to directly clear the in kernel buffer. The audit system is
>> supposed to keep events for disposition. If there was a simple command to dump
>> events, that would be a simple way to circumvent detection. So, the best way
>> to drain the queues is to give auditd more priority so it runs more often and
>> longer before its time slice is up. You don't need to log to disk. But
>> something has to read the events to get them out.
>
> What Steve said.
>
> The -D option has nothing directly to do with the queue.  It simply
> shuts off most of the taps filling your sink.  You still need to
> drain the sink after it has filled/overflowed.
>
>> -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
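Steve's point above, that the kernel queue only empties when some consumer reads the records off the netlink socket, as an added example that is not part of this thread or of the audit userspace code: a Python script that asks the kernel for its audit_status (the same counters auditctl -s prints), registers its own pid as the audit daemon with AUDIT_SET, reads records until the queue has gone quiet, and hands the role back. The netlink and audit message types, flags and struct layouts are taken from <linux/netlink.h> and <linux/audit.h>; the helper names (nlmsg, build_audit_set_pid, parse_audit_status, get_status, drain) and the three-second quiet window are this example's own choices. It assumes Linux, CAP_AUDIT_CONTROL (root) and a stopped auditd, because the kernel delivers queued records to a single registered consumer.

```python
"""Drain the kernel audit backlog by registering as the audit daemon.
Added example for the thread above, not code from the audit project.
Layouts and constants follow <linux/netlink.h> and <linux/audit.h>."""
import os
import socket
import struct
import sys

NETLINK_AUDIT = 9          # netlink protocol of the audit subsystem
AUDIT_GET = 1000           # request the kernel's struct audit_status
AUDIT_SET = 1001           # change status; used here to register a consumer pid
NLMSG_ERROR = 2            # ack / error reply to one of our requests
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
AUDIT_STATUS_PID = 0x0004  # audit_status.mask bit: the pid field is valid

NLMSGHDR = struct.Struct("=IHHII")     # nlmsg_len, type, flags, seq, pid
AUDIT_STATUS = struct.Struct("=10I")   # struct audit_status, 3.14+ layout
STATUS_FIELDS = ("mask", "enabled", "failure", "pid", "rate_limit",
                 "backlog_limit", "lost", "backlog", "feature_bitmap",
                 "backlog_wait_time")

def nlmsg(msg_type, payload, seq, flags=NLM_F_REQUEST | NLM_F_ACK):
    """Prepend a netlink header; nlmsg_len counts header plus payload."""
    return NLMSGHDR.pack(NLMSGHDR.size + len(payload), msg_type, flags, seq, 0) + payload

def build_audit_get(seq):
    """AUDIT_GET carries no payload; the reply carries an audit_status."""
    return nlmsg(AUDIT_GET, b"", seq)

def build_audit_set_pid(pid, seq):
    """AUDIT_SET with only the PID mask bit: make `pid` the kernel's auditd.
    The kernel copies at most sizeof(struct audit_status), so the 10-word struct
    is also accepted by kernels that only know the 8-word one. pid=0 hands the
    role back, which is allowed only from the currently registered auditd pid."""
    payload = AUDIT_STATUS.pack(AUDIT_STATUS_PID, 0, 0, pid, 0, 0, 0, 0, 0, 0)
    return nlmsg(AUDIT_SET, payload, seq)

def parse_nlmsg(data):
    """Split the first netlink message into (type, flags, seq, pid, payload)."""
    length, msg_type, flags, seq, pid = NLMSGHDR.unpack_from(data)
    return msg_type, flags, seq, pid, data[NLMSGHDR.size:length]

def parse_audit_status(payload):
    """Decode an audit_status payload; tolerates the older 8-word struct."""
    n = min(len(payload), AUDIT_STATUS.size) // 4
    return dict(zip(STATUS_FIELDS[:n], struct.unpack_from("=%dI" % n, payload)))

def ack_errno(payload):
    """An NLMSG_ERROR payload starts with a negative errno; 0 means success."""
    return -struct.unpack_from("=i", payload)[0]

def get_status(sock, seq):
    """Send AUDIT_GET and wait for the kernel's audit_status reply."""
    sock.sendto(build_audit_get(seq), (0, 0))
    while True:
        msg_type, _, _, _, payload = parse_nlmsg(sock.recv(65536))
        if msg_type == AUDIT_GET:
            return parse_audit_status(payload)
        if msg_type == NLMSG_ERROR and ack_errno(payload):
            raise OSError(ack_errno(payload), os.strerror(ack_errno(payload)))

def drain(sock, quiet_seconds=3.0):
    """Read records until the kernel has sent nothing for quiet_seconds.
    Returns the number of records received. Successful acks to our own requests
    are skipped; a failed AUDIT_SET (EACCES without CAP_AUDIT_CONTROL, for
    instance) raises instead of silently draining nothing."""
    sock.settimeout(quiet_seconds)
    received = 0
    while True:
        try:
            data = sock.recv(65536)
        except socket.timeout:
            return received
        msg_type, _, _, _, payload = parse_nlmsg(data)
        if msg_type == NLMSG_ERROR:
            if ack_errno(payload):
                raise OSError(ack_errno(payload), os.strerror(ack_errno(payload)))
            continue
        received += 1   # payload is one record, e.g. b"audit(1389...): ..."

if __name__ == "__main__":
    # Needs root (CAP_AUDIT_CONTROL) and auditd stopped: the kernel has one
    # consumer slot, and registering here takes it away from auditd.
    if os.geteuid() != 0:
        sys.exit("run as root with auditd stopped")
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    sock.bind((0, 0))                      # let the kernel assign our portid
    before = get_status(sock, seq=1)
    sock.sendto(build_audit_set_pid(os.getpid(), seq=2), (0, 0))
    n = drain(sock)
    after = get_status(sock, seq=3)
    sock.sendto(build_audit_set_pid(0, seq=4), (0, 0))   # give the role back
    print("records read: %d, backlog %d -> %d, lost %d -> %d"
          % (n, before["backlog"], after["backlog"], before["lost"], after["lost"]))
```

Run it as root with auditd stopped (with auditd running, registering would take the daemon role away from it and the kernel would report the loss). Note that this script "clears" the queue only in the sense Steve describes: it consumes the records, exactly as auditd would, and on a busy system the queue refills until the rules feeding it are removed with auditctl -D.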



