Key based rate limiter (audit_set_rate_limit)

Paul Moore paul at paul-moore.com
Tue Feb 28 14:11:44 UTC 2023


On Tue, Feb 28, 2023 at 5:53 AM Anurag Aggarwal
<anurag19aggarwal at gmail.com> wrote:
> Hello All,
>
> The current rate limiter, audit_set_rate_limit, limits all types of events. In our case, we want to limit auditd events with a specific key, as they are very noisy and consume a very high amount of CPU.
>
> From my understanding, this support is currently missing in AuditD.
>
> Is my understanding correct?

Hello.

Limiting of audit records is actually done in the kernel, and
currently the rate limit applies equally[1] to all records, there is
no ability to enforce limits per-key.  If you have a particular audit
rule which is too verbose *and* you are willing to lose audit records
from that filter rule (which is what would happen if they were rate
limited), you might want to consider making that audit filter rule
more targeted to the event you are interested in logging.  Generating
more audit records than you want to see can be a sign of an overly
general audit rule.

Good luck!

[1] Audit records generated by auditd/auditctl are exempt from rate
limiting to help prevent lockups/contention.

-- 
paul-moore.com
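As an added example (not part of the thread above, and not code from the audit project), the script below does the two things Paul's reply implies you should do before touching the global rate limit: count records per rule key in the audit log to confirm which rule is the noisy one, and then replace that rule with a narrower one. The log lines are constructed for the example, the rule keys (all_opens, etc_writes) and the rule text are hypothetical, and the auditctl commands are printed rather than run, since loading rules needs root and the audit subsystem.

```shell
#!/bin/sh
# Added example for the linux-audit thread on per-key rate limiting.
# Everything below is constructed: the log sample is not a real capture
# and the rule keys/filters are illustrative, not a recommended ruleset.

# Constructed audit.log excerpt. Records with no key, or key=(null), are
# included on purpose: they are not attributable to any rule and are
# ignored by the count.
SAMPLE_LOG='type=SYSCALL msg=audit(1677592000.101:1001): arch=c000003e syscall=257 success=yes exit=3 pid=1234 comm="cat" key="all_opens"
type=CWD msg=audit(1677592000.101:1001): cwd="/home/anurag"
type=SYSCALL msg=audit(1677592000.102:1002): arch=c000003e syscall=257 success=yes exit=4 pid=1235 comm="grep" key="all_opens"
type=SYSCALL msg=audit(1677592000.103:1003): arch=c000003e syscall=59 success=yes exit=0 pid=1236 comm="bash" key="exec_track"
type=SYSCALL msg=audit(1677592000.104:1004): arch=c000003e syscall=257 success=yes exit=5 pid=1237 comm="ls" key="all_opens"
type=SYSCALL msg=audit(1677592000.105:1005): arch=c000003e syscall=257 success=no exit=-2 pid=1238 comm="python3" key="all_opens"
type=SYSCALL msg=audit(1677592000.106:1006): arch=c000003e syscall=105 success=yes exit=0 pid=1239 comm="sudo" key="priv_cmd"
type=SYSCALL msg=audit(1677592000.107:1007): arch=c000003e syscall=1 success=yes exit=12 pid=1240 comm="sshd" key=(null)'

# Print "<count> <key>" for every rule key, most frequent first.
# Only quoted keys (key="...") are counted; (null) and keyless records drop out.
records_per_key() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.* key="\([^"]*\)".*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# The single key responsible for the most records: the rule to narrow.
noisiest_key() {
    records_per_key | head -n 1 | awk '{print $2}'
}

# Hypothetical rule that produced the "all_opens" noise: every openat() on
# the system, by every user, successful or not.
broad_rule='-a always,exit -F arch=b64 -S openat -k all_opens'

# Hypothetical narrower replacement: only writes/attribute changes under
# /etc, only by real logged-in users (auid set and >= 1000). Same syscall,
# far fewer records, and nothing is silently dropped by a rate limit.
targeted_rule='-a always,exit -F arch=b64 -S openat -F dir=/etc -F perm=wa -F auid>=1000 -F auid!=unset -k etc_writes'

# Print the commands an operator would run (as root) to swap the rules.
# The global limit set with "auditctl -r" is shown only to make the point
# from the thread: it applies to every record, not to one key, so it is
# left at 0 (disabled) here rather than used to quiet a single rule.
show_plan() {
    key=$(noisiest_key)
    printf '# noisiest key: %s\n' "$key"
    printf 'auditctl -d %s\n' "$broad_rule"
    printf 'auditctl %s\n' "$targeted_rule"
    printf 'auditctl -r 0\n'
    printf 'auditctl -s   # confirm rate_limit and the loaded rules\n'
}

show_plan
```

Run it as is to see the counts and the proposed auditctl invocations; in practice you would feed it your real /var/log/audit/audit.log (or the output of `ausearch --raw`) instead of the constructed sample, and put the targeted rule in /etc/audit/rules.d/ so it survives a restart.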


