Key based rate limiter (audit_set_rate_limit)

Paul Moore paul at paul-moore.com
Wed Mar 8 17:04:16 UTC 2023


On Wed, Mar 8, 2023 at 6:53 AM Anurag Aggarwal
<anurag19aggarwal at gmail.com> wrote:
>> Limiting of audit records is actually done in the kernel, and
>> currently the rate limit applies equally[1] to all records, there is
>> no ability to enforce limits per-key.
>
> One question, Paul: will it be OK if we contribute something similar to the Auditd Kernel repository?

I don't like telling people *not* to work on improvements to the
kernel, I'm happy to see more contributors, especially in the audit
space :)

However, I am fairly skeptical that we could add per-key rate limiting
without introducing a non-trivial amount of overhead to record
generation, which would be a show stopper for this feature given its
expected limited appeal.

-- 
paul-moore.com


