Backlog not working with kernel 3.10
Alan Evangelista
alan.vitor at gmail.com
Tue Mar 16 21:25:44 UTC 2021
AFAIK, the purpose of the backlog (a queue of audit events in the kernel)
is to assure no events are lost when events are generated at a faster speed
than they are consumed.
I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
test the backlog, but it seems it's not working at all.
Audit rule:
-a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S
unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S
renameat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S
mkdir -S mkdirat -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -k filesystem_op
First I turned auditd off so that events are not consumed:
# service stop auditd
Then I make sure that the backlog size is greater than 0:
# auditctl -s
enabled 1
failure 1
pid 0
rate_limit 5000
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked
I have run some simple commands in /data that should be logged , e.g.
touch file, mkdir dir. Finally, I have run auditctl-s and expected to see
the backlog events counter go up, but it's still 0. If I start auditd
again, the events are never logged. Am I missing something here?
Thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20210316/0f3c13c4/attachment.htm>
More information about the Linux-audit
mailing list