From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: max size of execve records
Date: Mon, 15 Oct 2007 09:53:13 -0400
Message-ID: <200710150953.13970.sgrubb@redhat.com>
References: <1192218750.3196.33.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1192218750.3196.33.camel@localhost.localdomain>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday 12 October 2007 15:52:30 Eric Paris wrote:
> If the argument is binary/has control characters it gets logged in hex,
> which means each char in the execve argument lists gets turned into 2
> characters in the audit message.

Yep.

> Do we see a problem dropping the execve record size down to 3500?

Why not go to 3900? 3500 is just as arbitrary as 3900 but requires more records
for large amounts of args. Also, can't you track the allocations more closely so
that if there are no args with a space (or special character) in it, you can
send a full 8k?

-Steve
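
A sketch of the size accounting discussed in this message, added here as an example; it is not code from the thread or from the kernel. The hex-versus-quoted rule, the " aN=" field layout, the no-splitting model and all function names are assumptions made for illustration, and the sample argument lists are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample argument lists (not taken from any real log). */
const char *PLAIN_ARGS[] = { "ls", "-l", "/tmp" };
const char *SPACED_ARGS[] = { "ls", "-l", "/tmp/my file" };

/* Assumed rule: hex-encode when any byte is a double quote, a space or
 * control byte (< 0x21), or outside printable ASCII (> 0x7e). */
static int needs_hex(const char *arg)
{
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++)
        if (*p == '"' || *p < 0x21 || *p > 0x7e)
            return 1;
    return 0;
}

/* Bytes one argument occupies: " aN=" plus two hex digits per byte,
 * or the bytes wrapped in double quotes (assumed record layout). */
size_t encoded_arg_len(int index, const char *arg)
{
    size_t len = strlen(arg), prefix = 3; /* space, 'a', '=' */
    do { prefix++; index /= 10; } while (index > 0);
    return prefix + (needs_hex(arg) ? 2 * len : len + 2);
}

/* Records needed when each holds at most `budget` encoded bytes and an
 * argument is never split. Returns 0 if one argument cannot fit. */
size_t records_needed(const char **argv, int argc, size_t budget)
{
    size_t records = 1, used = 0;
    for (int i = 0; i < argc; i++) {
        size_t n = encoded_arg_len(i, argv[i]);
        if (n > budget)
            return 0;
        if (used + n > budget) { records++; used = 0; }
        used += n;
    }
    return records;
}

int main(void)
{
    printf("plain:  %zu record(s)\n", records_needed(PLAIN_ARGS, 3, 40));
    printf("spaced: %zu record(s)\n", records_needed(SPACED_ARGS, 3, 40));
    return 0;
}
```

With a 40-byte budget the plain list fits in one record, while the single space in the third argument doubles its size and forces a second record.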