Key based rate limiter (audit_set_rate_limit)

Anurag Aggarwal anurag19aggarwal at gmail.com
Wed Mar 1 15:31:23 UTC 2023


> What we do not know is - do you have any filtering criteria in mind not
> covered by the available auditctl exclusions or do you just want to
> "sample" randomly?
>
> If the latter, why bother auditing this with a rule at all? You might be
> able to remove the rule causing the events and do something in userspace
> to audit only what you really want.
>
>
We want to sample system calls like rename.
In many cases, we have seen this overburden and increase auditd CPU
consumption.
In such cases, we want to drop some events randomly, so as to keep CPU
consumption under control.

There are other rules also, for example monitoring login/logout.
For such rules we do not want to drop any event.

--
Anurag Aggarwal
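
Added example, not part of the original message and not code from the audit project: a userspace filter that caps events per audit key per second while passing every other key untouched, as the message asks for rename versus login/logout rules. It uses a deterministic per-second cap instead of random dropping; the key names rename_watch and logins and the sample records are constructed assumptions.

```python
import re
from collections import defaultdict

# All records of one audit event share the msg=audit(<sec>.<ms>:<serial>) stamp.
STAMP = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")
# Only quoted keys are matched; unkeyed records carry key=(null).
KEY = re.compile(r'\bkey="([^"]+)"')

def sample_by_key(lines, per_second_limits):
    """Cap events per key per second; keys without a limit are never dropped.

    Returns (kept_records, {key: dropped_event_count}).
    """
    events, order = {}, []
    for line in lines:
        m = STAMP.search(line)
        if not m:
            continue  # not an audit record
        eid = m.group(0)
        if eid not in events:
            events[eid] = {"sec": int(m.group(1)), "key": None, "records": []}
            order.append(eid)
        events[eid]["records"].append(line)
        k = KEY.search(line)
        if k:  # the key sits on the SYSCALL record, not on PATH/CWD
            events[eid]["key"] = k.group(1)

    kept, seen, dropped = [], defaultdict(int), defaultdict(int)
    for eid in order:
        ev = events[eid]
        limit = per_second_limits.get(ev["key"])
        if limit is not None:
            bucket = (ev["key"], ev["sec"])
            if seen[bucket] >= limit:
                dropped[ev["key"]] += 1
                continue  # drop the whole event, never half of it
            seen[bucket] += 1
        kept.extend(ev["records"])
    return kept, dict(dropped)

def _event(sec, serial, key, syscall):
    stamp = f"msg=audit({sec}.000:{serial})"
    return [f'type=SYSCALL {stamp}: arch=c000003e syscall={syscall} success=yes key="{key}"',
            f'type=PATH {stamp}: item=0 name="/tmp/f{serial}"']

# Constructed sample: four renames and one "logins" event in one second, one rename in the next.
SAMPLE = [r for s in range(100, 104) for r in _event(1677684683, s, "rename_watch", 82)]
SAMPLE += _event(1677684683, 104, "logins", 257) + _event(1677684684, 105, "rename_watch", 82)

if __name__ == "__main__":
    kept, dropped = sample_by_key(SAMPLE, {"rename_watch": 2})
    print(len(kept), "records kept; dropped events:", dropped)
```

Returning the per-key drop count lets the consumer record how many events were sampled away.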
More information about the Linux-audit mailing list