[PATCH] audit: optionally print warning after waiting to enqueue record
Steve Grubb
sgrubb at redhat.com
Thu Jun 18 14:36:43 UTC 2020
On Thursday, June 18, 2020 9:46:54 AM EDT Paul Moore wrote:
> On Thu, Jun 18, 2020 at 9:39 AM Steve Grubb <sgrubb at redhat.com> wrote:
> > The kernel cannot grow the backlog unbounded. If you do nothing, the
> > backlog is 64 - which is too small to really use. Otherwise, you set the
> > backlog to a finite number with the -b option.
>
> If one were to set the backlog limit to 0, it is effectively disabled
> allowing the backlog to grow without any restrictions placed on it by
> the audit subsystem.
Then I'd say you asked for it. The cure is setting a number. But regardless,
we could use some metrics on the backlog and visibility into the time it
takes to dequeue. That might signal problems with plugins or overly aggressive
rules.
-Steve
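
An added example, not part of this thread or of the audit project's code: a shell check that reads `auditctl -s` style status text and flags the backlog states discussed above (limit 0, the default of 64, a queue close to its limit). The 80% threshold, the state names and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify audit backlog state from `auditctl -s` style text.
# Reads status text on stdin, prints: STATE limit=.. backlog=.. lost=..
# WARN_PCT is an assumption of this example, not a kernel or auditd value.
WARN_PCT=80

audit_backlog_check() {
    awk -v warn="$WARN_PCT" '
        # Exact field-name matches, so "backlog" does not catch
        # "backlog_limit" or "backlog_wait_time".
        $1 == "backlog_limit" { limit = $2 + 0; seen = 1 }
        $1 == "backlog"       { depth = $2 + 0 }
        $1 == "lost"          { lost  = $2 + 0 }
        END {
            if (!seen)                            state = "UNKNOWN"
            else if (limit == 0)                  state = "UNBOUNDED"  # limit disabled
            else if (lost > 0)                    state = "LOSING"     # lost counter is non-zero
            else if (depth * 100 >= limit * warn) state = "NEAR_LIMIT" # queue almost full
            else if (limit == 64)                 state = "DEFAULT"    # never set with -b
            else                                  state = "OK"
            printf "%s limit=%d backlog=%d lost=%d\n", state, limit, depth, lost
        }
    '
}

# Constructed sample status output (not captured from a real host).
SAMPLE_TUNED='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 7100
backlog_wait_time 60000'

SAMPLE_NOLIMIT='enabled 1
backlog_limit 0
lost 0
backlog 250000'

printf '%s\n' "$SAMPLE_TUNED"   | audit_backlog_check
printf '%s\n' "$SAMPLE_NOLIMIT" | audit_backlog_check
```

On a live host the same function can be fed with `auditctl -s | audit_backlog_check`.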