Since audit can already be disabled by "audit=0" on the kernel boot line, or by
the command "auditctl -e 0", it would be more useful to have the
audit_backlog_limit set to zero mean effectively unlimited (limited only by
system resources).

Signed-off-by: Richard Guy Briggs <[email protected]>
---

Steve,

These are userspace source code documentation changes in what's going in
upstream.  See:
        audit: allow unlimited backlog queue
git://toccata2.tricolour.ca/linux-2.6-rgb.git
https://lkml.org/lkml/2013/10/22/356
https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html

 trunk/docs/auditctl.8 |    2 +-
 trunk/src/auditctl.c  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
index 0ee1a83..dbb911d 100644
--- a/trunk/docs/auditctl.8
+++ b/trunk/docs/auditctl.8
@@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, get 
status, and add
 .SH OPTIONS
 .TP
 .BI \-b\  backlog
-Set max number of outstanding audit buffers allowed (Kernel Default=64) If all 
buffers are full, the failure flag is consulted by the kernel for action.
+Set max number of outstanding audit buffers allowed (Kernel Default=64) If all 
buffers are full, the failure flag is consulted by the kernel for action.  
Setting this to "0" (which is dangerous) implies an unlimited queue, limited 
only by system resources.
 .TP
 \fB\-e\fP [\fB0\fP..\fB2\fP]
 Set enabled flag. When \fB0\fP is passed, this can be used to temporarily 
disable auditing. When \fB1\fP is passed as an argument, it will enable 
auditing. To lock the audit configuration so that it can't be changed, pass a 
\fB2\fP as the argument. Locking the configuration is intended to be the last 
command in audit.rules for anyone wishing this feature to be active. Any 
attempt to change the configuration in this mode will be audited and denied. 
The configuration can only be changed by rebooting the machine.
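Review bot: The sentence added to the \-b entry does not say which kernels treat 0 as unlimited, and the cover note says the kernel side is only now going in upstream, so an admin reading this page on an older kernel cannot tell what "-b 0" will do there. Suggest qualifying the sentence with the kernel change it depends on. It would also help to replace the bare "(which is dangerous)" with the reason, using the wording already in the sentence: the queue is bounded only by system resources, so the failure flag described in the previous sentence is no longer reached by a full backlog. Minor: "(Kernel Default=64)" still runs into "If all" without a full stop, which the usage() hunk fixes but this one does not.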
diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
index 325b0a7..5b544a1 100644
--- a/trunk/src/auditctl.c
+++ b/trunk/src/auditctl.c
@@ -107,7 +107,7 @@ static void usage(void)
      "    -a <l,a>            Append rule to end of <l>ist with <a>ction\n"
      "    -A <l,a>            Add rule at beginning of <l>ist with <a>ction\n"
      "    -b <backlog>        Set max number of outstanding audit buffers\n"
-     "                        allowed Default=64\n"
+     "                        allowed. Default=64 Unlimited=0(dangerous)\n"
      "    -c                  Continue through errors in rules\n"
      "    -C f=f              Compare collected fields if available:\n"
      "                        Field name, operator(=,!=), field name\n"
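Review bot: In the new -b help line, "Default=64 Unlimited=0(dangerous)" reads as two key=value settings run together, with no separator after 64 and no space before the parenthesis, and "Unlimited=0" puts the value on the wrong side compared with how the man page hunk phrases it (setting this to "0" implies an unlimited queue). Suggest something like "allowed. Default=64, 0=unlimited (dangerous)" so the usage text and auditctl.8 describe the option the same way.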
-- 
1.7.1
