On Wed, 2006-09-20 at 15:40 -0400, Steve Grubb wrote:
> On Wednesday 20 September 2006 15:26, Paul Moore wrote:
> > > I try very hard to not have any memory allocations in the audit system to
> > > prevent any possible failure due to fragmentation or leaks. I need to cap
> > > the buffer size at something to meet this design goal.
> >
> > If this buffer limitation results in the loss or partial-loss of an
> > audit record is there some notification sent?
>
> No.
>
> > This seems like an excellent way for an individual to obscure their actions
> > on a system.
>
> Well, the particular buffer that Amy cited was 128 in size and only for
> startup/shutdown messages. It has been increased to 384. The other buffer
> that holds the events from syscall, file system, and trusted apps was 8460
> and is now 8970.
>
There are very few limits on the size of contexts, though, and any heavy use of MLS / MCS categories could make the average context size grow quickly. Granted this is controllable by policy and, presumably, solvable by an admin.

Karl

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
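The trade-off discussed in this thread, as an added example that is not part of the original messages and is not the audit system's code: a record is formatted into a fixed buffer with no allocation, and an over-long context is cut but leaves a visible marker instead of being lost silently. The names `format_record`, `build_context`, `TRUNC_MARK` and the `type=EXAMPLE` record text are hypothetical; only the 384-byte size comes from the thread.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REC_MAX 384   /* startup/shutdown buffer size quoted in the thread */
static const char TRUNC_MARK[] = " truncated=1";   /* hypothetical marker */

/* Format a record into a fixed caller-owned buffer, no heap allocation.
 * Returns 0 if it fit, 1 if it was cut (the record then ends with
 * TRUNC_MARK so the loss is visible downstream), -1 on error. */
int format_record(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int need;
    if (cap <= sizeof(TRUNC_MARK))
        return -1;
    va_start(ap, fmt);
    need = vsnprintf(buf, cap, fmt, ap);   /* length the full record needs */
    va_end(ap);
    if (need < 0)
        return -1;
    if ((size_t)need < cap)
        return 0;
    /* Overwrite the tail, NUL included, with the marker. */
    memcpy(buf + cap - sizeof(TRUNC_MARK), TRUNC_MARK, sizeof(TRUNC_MARK));
    return 1;
}

/* Constructed sample input: a context carrying ncats MCS categories. */
size_t build_context(char *ctx, size_t cap, int ncats)
{
    size_t off = (size_t)snprintf(ctx, cap, "user_u:role_r:type_t:s0:");
    for (int i = 0; i < ncats && off < cap; i++) {
        int n = snprintf(ctx + off, cap - off, "%sc%d", i ? "," : "", i);
        if (n < 0 || (size_t)n >= cap - off)
            break;
        off += (size_t)n;
    }
    return strlen(ctx);
}

int main(void)
{
    char ctx[2048], rec[REC_MAX];
    build_context(ctx, sizeof ctx, 200);
    int cut = format_record(rec, sizeof rec, "type=EXAMPLE subj=%s", ctx);
    printf("cut=%d len=%zu\n", cut, strlen(rec));
    return 0;
}
```

A caller can count the non-zero returns and report the total, which gives the notification asked about in the thread without adding any allocation.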
