On Wednesday 20 September 2006 15:26, Paul Moore wrote: > > I try very hard to not have any memory allocations in the audit system to > > prevent any possible failure due to fragmentation or leaks. I need to cap > > the buffer size at something to meet this design goal. > > If this buffer limitation results in the loss or partial-loss of an > audit record is there some notification sent?
No. > This seems like an excellent way for an individual to obscure their actions > on a system. Well, the particular buffer that Amy cited was 128 in size and only for startup/shutdown messages. It has been increased to 384. The other buffer that holds the events from syscall, file system, and trusted apps was 8460 and is now 8970. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
