boot parameter question

Richard Guy Briggs rgb at redhat.com
Mon Jul 29 22:32:49 UTC 2019


On 2019-07-25 19:52, Lenny Bruzenak wrote:
> I'm having trouble getting my "audit_backlog_limit" boot parameter
> accepted.
> 
> I have the following 2 audit parameters on my boot line:
> 
> audit=1
> 
> audit_backlog_limit=8192
> 
> My /proc/cmdline shows them both once booted up.
> 
> But I'm not getting the audit_backlog_limit applied to the kernel audit
> startup. I have an auditctl -b 8192 that runs from the audit.rules, and
> the resulting CONFIG_change event shows "...audit_backlog_limit=8192,
> old=64...".
> 
> After startup I run:
> 
> # auditctl -s
> 
> and see that I've lost 93 events.
> 
> 
> Looking at the kernel code, I see that if the "audit=1" value is set, it
> should print:
> 
> "enabled (after initialization)" , which I see in both dmesg and
> /var/log/messages,
> 
> The second one (audit_backlog_limit=8192) should output IIUC:
> 
> "audit_backlog_limit: "  , which I don't see anywhere.
> 
> It's as if the parameter is being ignored. I've tried moving it to a
> different spot so it isn't the last on the line, etc. Nothing.

It is being ignored because that kernel command line extension to the
original feature was never backported to RHEL7.

In hindsight, that would have been pretty useful without causing much
risk.  Normally feature backport is driven by customer demand.  There
was a bit of pushback when it was first introduced upstream, but this is
exactly the scenario I envisioned where it would be most useful.  It is
possible to compile your own kernel and change the default value, but
that's obviously a hurdle for most.

> I stumbled on this because I'm not seeing the "SYSTEM_BOOT" events
> anymore; I suspect they are in the missing ones.
> 
> Pretty sure I don't have a typo; I've put it into the grub config and
> run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that.
> Again, the parameter is there in /proc/cmdline but doesn't seem to be
> accepted. No warnings about it either AFAICT.
> 
> RHEL7.6, kernel 3.10.0-957
> 
> Don't think the audit userspace version makes much difference, but it is
> 2.8.5.
> 
> Thanks in advance,
> 
> LCB
> 
> -- 
> Lenny Bruzenak

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
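
An added example, not part of the original messages or of the audit project's code: a shell check for the symptom discussed in this thread, where `audit_backlog_limit=` appears in `/proc/cmdline` but the kernel never logs the `audit_backlog_limit: ` line. The function names and sample strings are constructed for illustration, and the `lost 93` line format of `auditctl -s` is an assumption based on audit userspace 2.8.x.

```shell
#!/bin/sh
# On a live host call:
#   check_backlog_param "$(cat /proc/cmdline)" "$(dmesg)" "$(auditctl -s)"
# Inputs are plain strings so the logic can be exercised offline.

# Print the value of KEY= ($1) found on a kernel command line ($2).
cmdline_value() {
    for tok in $2; do
        case "$tok" in
            "$1"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Print the "lost" counter from auditctl -s output, 0 if the line is absent.
lost_events() {
    printf '%s\n' "$1" |
        awk '$1 == "lost" { print $2; f = 1 } END { if (!f) print 0 }'
}

# Verdict: not-requested | accepted | ignored, plus requested value and losses.
check_backlog_param() {
    cmdline=$1; kmsg=$2; status=$3
    want=$(cmdline_value audit_backlog_limit "$cmdline") ||
        { echo "not-requested"; return 0; }
    lost=$(lost_events "$status")
    # Match "audit_backlog_limit: " (the kernel's own message), not the
    # "audit_backlog_limit=" echo inside the "Kernel command line:" line.
    if printf '%s\n' "$kmsg" | grep -q 'audit_backlog_limit: '; then
        echo "accepted want=$want lost=$lost"
    else
        echo "ignored want=$want lost=$lost"
    fi
}

# Constructed sample reproducing the report above (values from the thread).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz ro audit=1 audit_backlog_limit=8192 quiet'
SAMPLE_DMESG='Kernel command line: ro audit=1 audit_backlog_limit=8192 quiet
audit: enabled (after initialization)'
SAMPLE_STATUS='enabled 1
backlog_limit 8192
lost 93
backlog 0'
check_backlog_param "$SAMPLE_CMDLINE" "$SAMPLE_DMESG" "$SAMPLE_STATUS"
```

An `ignored` verdict with a non-zero `lost` count means events were dropped before `auditctl -b` in audit.rules raised the limit, which is consistent with the missing SYSTEM_BOOT events described above.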



