[PATCH v2] audit: report audit wait metric in audit status reply

Lenny Bruzenak lenny at magitekltd.com
Mon Dec 7 19:43:14 UTC 2020


On 7/2/20 2:42 PM, Paul Moore wrote:

>>   #define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT     0x00000001
>>   #define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
>> @@ -348,6 +349,7 @@ enum {
>>   #define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER  0x00000010
>>   #define AUDIT_FEATURE_BITMAP_LOST_RESET                0x00000020
>>   #define AUDIT_FEATURE_BITMAP_FILTER_FS         0x00000040
>> +#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_SUM  0x00000080
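Review bot: the added AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_SUM define at the end of this hunk has no comment saying what userspace may assume when bit 0x00000080 is set, and its name differs from the existing AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME (0x00000002) by a single word. A one-line comment on the new define stating what the bit advertises would keep the two from being confused. The value itself is the next free bit after 0x00000040 and does not collide with any of the bits visible here.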
> In an effort not to exhaust the feature bitmap too quickly, I've been
> restricting it to only those features that would cause breakage with
> userspace.  I haven't looked closely at Steve's userspace in quite a
> while, but I'm guessing it can key off the structure size and doesn't
> need this entry in the bitmap, right?  Let me rephrase, if userspace
> needs to key off anything, it *should* key off the structure size and
> not a new flag in the bitmask ;)
>
> Also, I'm assuming that older userspace doesn't blow-up if it sees the
> larger structure size?  That's even more important.
>
Paul,

This change does seem to the untrained eye to be in line with the 
existing FEATURE_BITMAP definitions. I appreciate your intent on not 
exhausting the available space, but at some point if that happens is 
there any reasonable way to expand? I'm sure you have some thoughts, or 
is this "it" as far as features could go (the last available bits)?

Max,

It's a pretty good feature. I agree with your original problem 
assessment; this is an area I'm always looking at. I've got questions 
I'll post separately as they are not germane to this thread.


As an interested user I'm hoping for a resolution on this, so that the 
userspace release can happen, as this seems to be a beneficial change 
which I could make use of when available.


Thx,

LCB


-- 
Lenny Bruzenak
MagitekLTD
