From: Steve Grubb
Subject: Re: [PATCH] audit: allow unlimited backlog queue
Date: Wed, 15 Jan 2014 08:03:11 -0500
Message-ID: <2007730.kZnoD1RoCs@x2>
References: <1389740356-18867-1-git-send-email-rgb@redhat.com> <20140114230432.GG23577@madcap2.tricolour.ca>
In-Reply-To: <20140114230432.GG23577@madcap2.tricolour.ca>
To: linux-audit@redhat.com
Cc: Richard Guy Briggs
List-Id: linux-audit@redhat.com

On Tuesday, January 14, 2014 06:04:32 PM Richard Guy Briggs wrote:
> On 14/01/14, Richard Guy Briggs wrote:
> > Since audit can already be disabled by "audit=0" on the kernel boot line,
> > or by the command "auditctl -e 0", it would be more useful to have the
> > audit_backlog_limit set to zero mean effectively unlimited (limited only
> > by system resources).
> >
> > These are userspace source code documentation changes in what's going in
> > upstream. See:
> > audit: allow unlimited backlog queue
> > git://toccata2.tricolour.ca/linux-2.6-rgb.git
> > https://lkml.org/lkml/2013/10/22/356
> > https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html
>
> And this is a related BZ:
> https://bugzilla.redhat.com/show_bug.cgi?id=999756

This patch doesn't make sense in that context either. The problem is systemd floods the audit system before auditd comes up. This begs the question of whether auditd is being started early enough. One solution from that bz is to make a boot time config option. Problem is, everyone that really cares about audit will have to set that. So that means the default should be bumped up. However, the bz mentions that embedded systems don't like that.

So, why not make a compile time config option that keeps the current default (64) and server/desktop distributions can make that 512? You can even provide a boot time config so that people with really busy systems can make it bigger if they choose. Making 0 mean unlimited won't help embedded systems.

-Steve