On 14/01/14, Richard Guy Briggs wrote:
> Since audit can already be disabled by "audit=0" on the kernel boot line, or
> by the command "auditctl -e 0", it would be more useful to have the
> audit_backlog_limit set to zero mean effectively unlimited (limited only by
> system resources).
>
> Signed-off-by: Richard Guy Briggs <[email protected]>
> ---
>
> Steve,
>
> These are userspace source code documentation changes in what's going in
> upstream. See:
> audit: allow unlimited backlog queue
> git://toccata2.tricolour.ca/linux-2.6-rgb.git
> https://lkml.org/lkml/2013/10/22/356
> https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html
And this is a related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=999756 > trunk/docs/auditctl.8 | 2 +- > trunk/src/auditctl.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8 > index 0ee1a83..dbb911d 100644 > --- a/trunk/docs/auditctl.8 > +++ b/trunk/docs/auditctl.8 > @@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, > get status, and add > .SH OPTIONS > .TP > .BI \-b\ backlog > -Set max number of outstanding audit buffers allowed (Kernel Default=64) If > all buffers are full, the failure flag is consulted by the kernel for action. > +Set max number of outstanding audit buffers allowed (Kernel Default=64) If > all buffers are full, the failure flag is consulted by the kernel for action. > Setting this to "0" (which is dangerous) implies an unlimited queue, limited > only by system resources. > .TP > \fB\-e\fP [\fB0\fP..\fB2\fP] > Set enabled flag. When \fB0\fP is passed, this can be used to temporarily > disable auditing. When \fB1\fP is passed as an argument, it will enable > auditing. To lock the audit configuration so that it can't be changed, pass a > \fB2\fP as the argument. Locking the configuration is intended to be the last > command in audit.rules for anyone wishing this feature to be active. Any > attempt to change the configuration in this mode will be audited and denied. > The configuration can only be changed by rebooting the machine. > diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c > index 325b0a7..5b544a1 100644 > --- a/trunk/src/auditctl.c > +++ b/trunk/src/auditctl.c 
> @@ -107,7 +107,7 @@ static void usage(void) > " -a <l,a> Append rule to end of <l>ist with <a>ction\n" > " -A <l,a> Add rule at beginning of <l>ist with > <a>ction\n" > " -b <backlog> Set max number of outstanding audit buffers\n" > - " allowed Default=64\n" > + " allowed. Default=64 Unlimited=0(dangerous)\n" > " -c Continue through errors in rules\n" > " -C f=f Compare collected fields if available:\n" > " Field name, operator(=,!=), field name\n" > -- > 1.7.1 > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit - RGB -- Richard Guy Briggs <[email protected]> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
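Review bot: the sentence added to the -b entry of auditctl.8 calls 0 "dangerous" without saying what the danger is, and does not say that 0 only means unlimited on a kernel carrying the matching change (the cover letter presents this as documentation for a kernel change still going in upstream, so on a kernel without it the value is not treated this way). Suggest stating both, for example: `Setting this to "0" implies an unlimited queue, limited only by system resources, on kernels that support it. This is dangerous because a queue that never fills never triggers the failure flag action and can consume memory without bound.` The same rewritten line also keeps the pre-existing missing period in "(Kernel Default=64) If all buffers are full"; since the line is being touched anyway, "(Kernel Default=64). If all buffers are full" would fix it.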
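Review bot: the replacement usage line in auditctl.c, `" allowed. Default=64 Unlimited=0(dangerous)\n"`, runs three items together with no separator between "Default=64" and "Unlimited=0" and no space before the parenthesis, unlike the surrounding help text; suggest `" allowed. Default=64, 0=unlimited (dangerous)\n"`, which also matches the man page's phrasing of 0 as the value being set. The one-line help cannot explain why 0 is dangerous, so the word is only useful if the man page entry for -b does; keep the two in sync.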
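As an added example, not part of the patch or of the audit userspace tools, the following POSIX shell checker reads the output of `auditctl -s` and flags the conditions the -b documentation above is concerned with: a backlog_limit of 0 (on a kernel with the unlimited-backlog change the queue is bounded only by memory, and since it never reports full, the failure flag is never consulted for a full backlog), records already counted as lost, a failure flag of 0 with a finite limit, and a backlog sitting close to its limit. It assumes the one-keyword-per-line status format (`backlog_limit 8192`, `lost 0`, ...) printed by `auditctl -s`; the three status blocks embedded at the bottom are constructed, not captured from a host, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the audit project): sanity-check the audit backlog
# configuration from `auditctl -s` output. Assumes the "<keyword> <value>"
# one-per-line format; only the field names enabled/failure/backlog_limit/
# lost/backlog are relied on.

# audit_field NAME  -- print the value of NAME from status text on stdin
audit_field() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# check_backlog -- read `auditctl -s` output on stdin, print one finding per
# line, return 0 if nothing is worrying and 1 otherwise.
check_backlog() {
    status=$(cat)
    limit=$(printf '%s\n' "$status" | audit_field backlog_limit)
    lost=$(printf '%s\n' "$status" | audit_field lost)
    backlog=$(printf '%s\n' "$status" | audit_field backlog)
    failure=$(printf '%s\n' "$status" | audit_field failure)
    rc=0
    if [ "${limit:-0}" -eq 0 ]; then
        # With the unlimited-backlog kernel change, 0 means the queue grows
        # until memory runs out. A queue that never fills never triggers the
        # "all buffers are full" failure action, whatever -f is set to.
        echo "WARN backlog_limit=0: queue bounded only by memory; failure flag (-f ${failure:-unknown}) will not fire on a full backlog"
        rc=1
    else
        if [ "${lost:-0}" -gt 0 ]; then
            echo "WARN lost=$lost: records already dropped with backlog_limit=$limit"
            rc=1
        fi
        if [ "${failure:-1}" -eq 0 ]; then
            echo "WARN failure=0: a full backlog (limit $limit) drops records silently"
            rc=1
        fi
        if [ "${backlog:-0}" -gt $((limit / 2)) ]; then
            echo "WARN backlog=$backlog is over half of backlog_limit=$limit"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK backlog_limit=$limit lost=${lost:-0} backlog=${backlog:-0}"
    return "$rc"
}

# Constructed sample statuses (not captured from a real host).
SAMPLE_UNLIMITED='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 0
lost 0
backlog 0'

SAMPLE_LOSSY='enabled 1
failure 0
pid 1234
rate_limit 0
backlog_limit 64
lost 17
backlog 40'

SAMPLE_OK='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 3'

# Run the checker over the constructed samples when executed directly.
for s in "$SAMPLE_UNLIMITED" "$SAMPLE_LOSSY" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | check_backlog || true
    echo '--'
done
```

On a live system the same function is used as `auditctl -s | check_backlog` (root is needed for `auditctl -s`). The half-of-limit threshold for the backlog warning is an arbitrary choice for the example; what matters for the patch under discussion is the first branch, which treats 0 as unlimited rather than as "no buffers".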
