[PATCH] audit: optionally print warning after waiting to enqueue record

Paul Moore paul at paul-moore.com
Thu Jun 18 16:29:59 UTC 2020


On Thu, Jun 18, 2020 at 10:36 AM Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, June 18, 2020 9:46:54 AM EDT Paul Moore wrote:
> > On Thu, Jun 18, 2020 at 9:39 AM Steve Grubb <sgrubb at redhat.com> wrote:
> > > The kernel cannot grow the backlog unbounded. If you do nothing, the
> > > backlog is 64 - which is too small to really use. Otherwise, you set the
> > > backlog to a finite number with the -b option.
> >
> > If one were to set the backlog limit to 0, it is effectively disabled
> > allowing the backlog to grow without any restrictions placed on it by
> > the audit subsystem.
>
> Then I'd say you asked for it. The cure is setting a number.

I wasn't commenting on if it was wise or not, that is going to depend
on the goals of the admin.  I just wanted to correct some bad
information you provided so those reading the mailing list were not
ill-informed.

-- 
paul moore
www.paul-moore.com
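The backlog limit values discussed in this thread (the default of 64, a finite value set with `-b`, and 0 disabling the limit) can be checked on a host from `auditctl -s` output. This is an added example, not part of the original message or the audit project's code; the function name `classify_backlog_limit` and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the audit backlog limit reported by `auditctl -s`.
# The status text is read from stdin so the check can be exercised offline.
# Live use (needs root): auditctl -s | classify_backlog_limit
classify_backlog_limit() {
    awk '
        {
            # Newer auditctl prints "backlog_limit 8192" on its own line;
            # older versions print "backlog_limit=320" inside one long line.
            for (i = 1; i <= NF; i++) {
                if ($i == "backlog_limit" && (i + 1) <= NF) {
                    val = $(i + 1); found = 1
                } else if ($i ~ /^backlog_limit=/) {
                    val = substr($i, 15); found = 1
                }
            }
        }
        END {
            if (!found || val !~ /^[0-9]+$/) { print "unknown"; exit }
            # 0 disables the limit: the audit subsystem no longer caps the queue.
            if (val + 0 == 0)  { print "unlimited"; exit }
            # 64 is the value in effect when no -b option has been applied.
            if (val + 0 == 64) { print "kernel-default"; exit }
            print "bounded:" val
        }'
}

# Constructed sample status output (not captured from a real host).
SAMPLE_DEFAULT='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 0'
SAMPLE_UNLIMITED='AUDIT_STATUS: enabled=1 flag=1 pid=812 rate_limit=0 backlog_limit=0 lost=0 backlog=0'

for s in "$SAMPLE_DEFAULT" "$SAMPLE_UNLIMITED"; do
    printf '%s\n' "$s" | classify_backlog_limit
done
```

Whether `unlimited` is acceptable depends on the admin's goals, as the message above says; the check only reports which of the three cases a host is in.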



