From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: user message limits
Date: Mon, 08 Jun 2009 17:08:33 -0500
Message-ID: <1244498913.15030.60.camel@homeserver>
References: <1233100868.30154.103.camel@homeserver> <200901281215.16996.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <200901281215.16996.sgrubb@redhat.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2009-01-28 at 12:15 -0500, Steve Grubb wrote:
> On Tuesday 27 January 2009 07:01:08 pm LC Bruzenak wrote:
> > Even when I get a successful return value (from audit_log_user_message),
> > I don't get my string back out in "ausearch" unless it is WAY smaller -
> > ~1K or less I think.
> >
> > Any ideas/thoughts?
>
> I tested like this:
>
> auditctl -m `perl -e '{print "A"x"2048"}'`
>
> and found it's getting cut off just under 1K. So, I checked the kernel code and
> found this:
>
>         if (msg_type != AUDIT_USER_TTY)
>                 audit_log_format(ab, " msg='%.1024s'",
>                                  (char *)data);
>         else {
>
> Offhand, I don't remember why the kernel sets the limit so low. It could be
> bumped some. How much, I don't know. 4K or 8K would seem fine.
>
> -Steve

I apologize in advance, but I've lost the bubble on input event length.

Is there a plan for the kernel to allow bigger buffers in to be audited?
As of my current one (2.6.29.4-75.fc10) I'm still in the same ~900 byte range.

To me, it seems that an increase would be automatically backward-compatible.
The "dropoff" point would just extend out a ways...

Thx,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
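
Added example, not part of the original message and not kernel or libaudit code: a user-space model of the quoted `%.1024s` format showing why an oversized message is cut without an error, plus a sender-side splitter that keeps every piece under the limit. `surviving_bytes`, `emit_chunked`, `count_intact` and the `CHUNK_MAX` margin are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 800  /* assumption: margin below the ~900 bytes reported above */

/* Model of the quoted kernel call: how many payload bytes end up in msg=''. */
size_t surviving_bytes(const char *data)
{
    char rec[1024 + 16];
    int n = snprintf(rec, sizeof rec, " msg='%.1024s'", data);
    return (size_t)n - strlen(" msg=''");
}

/* In real use this callback would wrap audit_log_user_message(). */
typedef int (*emit_fn)(const char *chunk, void *ctx);

/* Split text into pieces of at most CHUNK_MAX payload bytes, each tagged
 * "part=i/n" so a reader can reassemble them. Returns the number of pieces
 * emitted, or -1 if a piece could not be built or the callback failed. */
int emit_chunked(const char *text, emit_fn emit, void *ctx)
{
    size_t len = strlen(text);
    int total = (int)((len + CHUNK_MAX - 1) / CHUNK_MAX);
    if (total == 0)
        total = 1;                       /* an empty message is still one record */
    for (int i = 0; i < total; i++) {
        char buf[CHUNK_MAX + 32];
        int n = snprintf(buf, sizeof buf, "part=%d/%d data=%.*s", i + 1, total,
                         CHUNK_MAX, text + (size_t)i * CHUNK_MAX);
        if (n < 0 || (size_t)n >= sizeof buf || emit(buf, ctx) != 0)
            return -1;
    }
    return total;
}

/* Sample callback: fails if the kernel model would truncate the chunk. */
static int count_intact(const char *chunk, void *ctx)
{
    if (surviving_bytes(chunk) != strlen(chunk))
        return 1;
    ++*(int *)ctx;
    return 0;
}

int main(void)
{
    char big[2049];                      /* constructed input: 2048 'A's, as in the test above */
    int intact = 0;
    memset(big, 'A', 2048);
    big[2048] = '\0';
    printf("unsplit: %zu of %zu bytes survive\n", surviving_bytes(big), strlen(big));
    printf("split into %d chunks\n", emit_chunked(big, count_intact, &intact));
    return 0;
}
```

The model covers only the kernel-side format string; the margin between 1024 and the roughly 900 bytes observed in the thread is not modelled, which is why `CHUNK_MAX` is set conservatively.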