Key based rate limiter (audit_set_rate_limit)

Paul Moore paul at paul-moore.com
Tue Feb 28 16:31:35 UTC 2023


On Tue, Feb 28, 2023 at 10:35 AM Anurag Aggarwal
<anurag19aggarwal at gmail.com> wrote:
>
> Hello Paul,
>
> Thank you for your information.
>
>> If you have a particular audit
>> rule which is too verbose *and* you are willing to lose audit records
>> from that filter rule (which is what would happen if they were rate
>> limited), you might want to consider making that audit filter rule
>> more targeted to the event you are interested in logging.  Generating
>> more audit records than you want to see can be a sign of an overly
>> general audit rule.
>
> I agree that having rules which are too verbose is not a very good idea.
>
> Besides this, is there any other mechanism which we can use to get a similar effect?

Nothing comes quickly to mind, perhaps others on the mailing list
might have some ideas ... ?

-- 
paul-moore.com


