On Wed, Mar 8, 2023 at 6:53 AM Anurag Aggarwal <anurag19aggar...@gmail.com> wrote:
>> Limiting of audit records is actually done in the kernel, and
>> currently the rate limit applies equally[1] to all records, there is
>> no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we contribute something similar to the
> Auditd Kernel repository?

I don't like telling people *not* to work on improvements to the kernel, I'm happy to see more contributors, especially in the audit space :) However, I am fairly skeptical that we could add per-key rate limiting without introducing a non-trivial amount of overhead to record generation, which would be a show stopper for this feature given its expected limited appeal.

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit