From: Steve Grubb
Subject: Re: [PATCH] execve argument logging
Date: Fri, 21 Apr 2006 19:44:55 -0400
Message-ID: <200604211944.56052.sgrubb@redhat.com>
References: <20060421113326.GA27648@devserv.devel.redhat.com> <20060421202235.GG1727@devserv.devel.redhat.com> <200604212122.k3LLMhMG018407@turing-police.cc.vt.edu>
In-Reply-To: <200604212122.k3LLMhMG018407@turing-police.cc.vt.edu>
To: linux-audit@redhat.com
Cc: Valdis.Kletnieks@vt.edu
List-Id: linux-audit@redhat.com

On Friday 21 April 2006 17:22, Valdis.Kletnieks@vt.edu wrote:
> which implies to me that I can blat a bit over 128K to the audit log per
> syscall.

Users can do this already. Maybe not as quickly, but they can certainly fill
up your logs if they feel like it. If you do not want this message type in
your logs, then use this in your audit rules:

-a always,exclude -F msgtype=EXECVE

Problem Solved (tm).

-Steve
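
An added example, not part of this message or of the audit project's code: a Python sketch that measures how much of an audit log the EXECVE records account for and which events carry oversized ones, as a basis for deciding whether the exclude rule above is worth applying. The log lines are constructed samples in the `type=... msg=audit(time:serial):` layout, and the function names and the 1024-byte limit are assumptions.

```python
import re
from collections import defaultdict

# Record header: type=NAME msg=audit(epoch.millis:serial):
HEADER = re.compile(r"^type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\):")

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1145663095.100:501): arch=40000003 syscall=11 success=yes exit=0 pid=4100 comm="ls"',
    'type=EXECVE msg=audit(1145663095.100:501): argc=2 a0="ls" a1="-l"',
    'type=SYSCALL msg=audit(1145663096.200:502): arch=40000003 syscall=11 success=yes exit=0 pid=4101 comm="echo"',
    'type=EXECVE msg=audit(1145663096.200:502): argc=2 a0="echo" a1="' + "A" * 4000 + '"',
    'type=CWD msg=audit(1145663096.200:502): cwd="/home/user"',
    'this line is not an audit record',
])


def volume_by_type(log_text):
    """Return {record_type: total_bytes} for every parseable record."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # lines without an audit header are skipped
            totals[m.group(1)] += len(line.encode("utf-8")) + 1  # +1 for the newline
    return dict(totals)


def oversized_execve(log_text, limit=1024):
    """Return serial numbers of events whose EXECVE record exceeds limit bytes."""
    hits = []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m and m.group(1) == "EXECVE" and len(line.encode("utf-8")) > limit:
            hits.append(int(m.group(3)))
    return hits


def execve_share(log_text):
    """Fraction of parsed log bytes that come from EXECVE records."""
    totals = volume_by_type(log_text)
    grand = sum(totals.values())
    return totals.get("EXECVE", 0) / grand if grand else 0.0


if __name__ == "__main__":
    print(volume_by_type(SAMPLE_LOG))
    print("EXECVE share: %.1f%%" % (100 * execve_share(SAMPLE_LOG)))
    print("oversized EXECVE events:", oversized_execve(SAMPLE_LOG))
```

A high EXECVE share driven by a few oversized events points at argument-stuffed execs rather than normal activity, which is the case the exclude rule trades visibility for.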