Key based rate limiter (audit_set_rate_limit)
Paul Moore
paul at paul-moore.com
Wed Mar 8 17:04:16 UTC 2023

On Wed, Mar 8, 2023 at 6:53 AM Anurag Aggarwal
<anurag19aggarwal at gmail.com> wrote:
>> Limiting of audit records is actually done in the kernel, and
>> currently the rate limit applies equally[1] to all records, there is
>> no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we contribute something similar to the Auditd Kernel repository?

I don't like telling people *not* to work on improvements to the
kernel, I'm happy to see more contributors, especially in the audit
space :)

However, I am fairly skeptical that we could add per-key rate limiting
without introducing a non-trivial amount of overhead to record
generation, which would be a show stopper for this feature given its
expected limited appeal.

--
paul-moore.com