From: Richard Guy Briggs <rgb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [PATCH] audit: allow unlimited backlog queue
Date: Tue, 14 Jan 2014 18:04:32 -0500
Message-ID: <20140114230432.GG23577@madcap2.tricolour.ca>
In-Reply-To: <1389740356-18867-1-git-send-email-rgb@redhat.com>
On 14/01/14, Richard Guy Briggs wrote:
> Since audit can already be disabled by "audit=0" on the kernel boot line, or by
> the command "auditctl -e 0", it would be more useful to have the
> audit_backlog_limit set to zero mean effectively unlimited (limited only by
> system resources).
>
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>
> Steve,
>
> These are userspace source code documentation changes in what's going in
> upstream. See:
> audit: allow unlimited backlog queue
> git://toccata2.tricolour.ca/linux-2.6-rgb.git
> https://lkml.org/lkml/2013/10/22/356
> https://www.redhat.com/archives/linux-audit/2013-October/msg00029.html
And this is a related BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=999756
> trunk/docs/auditctl.8 | 2 +-
> trunk/src/auditctl.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8
> index 0ee1a83..dbb911d 100644
> --- a/trunk/docs/auditctl.8
> +++ b/trunk/docs/auditctl.8
> @@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, get status, and add
> .SH OPTIONS
> .TP
> .BI \-b\ backlog
> -Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
> +Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action. Setting this to "0" (which is dangerous) implies an unlimited queue, limited only by system resources.
> .TP
> \fB\-e\fP [\fB0\fP..\fB2\fP]
> Set enabled flag. When \fB0\fP is passed, this can be used to temporarily disable auditing. When \fB1\fP is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a \fB2\fP as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.
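Review bot: The sentence added to the \-b entry labels a value of 0 "(which is dangerous)" without saying what the danger is, and it leaves "If all buffers are full, the failure flag is consulted by the kernel for action" unqualified even though an unlimited queue has no buffers-full condition. Suggest spelling out the consequence (the queue can grow until system resources are exhausted) and saying whether the failure flag still applies when the limit is 0. Since the cover note describes this as documentation for a kernel change still going upstream, the text should also say that 0 only means unlimited on kernels carrying that change. Minor style points: the neighbouring \-e entry marks literal values as \fB0\fP, so the new text should use \fB0\fP rather than "0", and the existing "(Kernel Default=64)" is missing its full stop before "If".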
> diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c
> index 325b0a7..5b544a1 100644
> --- a/trunk/src/auditctl.c
> +++ b/trunk/src/auditctl.c
> @@ -107,7 +107,7 @@ static void usage(void)
> " -a <l,a> Append rule to end of <l>ist with <a>ction\n"
> " -A <l,a> Add rule at beginning of <l>ist with <a>ction\n"
> " -b <backlog> Set max number of outstanding audit buffers\n"
> - " allowed Default=64\n"
> + " allowed. Default=64 Unlimited=0(dangerous)\n"
> " -c Continue through errors in rules\n"
> " -C f=f Compare collected fields if available:\n"
> " Field name, operator(=,!=), field name\n"
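Review bot: In the new usage line, "Unlimited=0(dangerous)" has no space before the parenthesis and nothing separating it from "Default=64", so the two settings run together; something like "allowed. Default=64, 0=unlimited (dangerous)" scans better. The diffstat shows this string as the only change to auditctl.c, so a user passing -b 0 sees no warning at run time. If the value is risky enough to flag in the help text, consider also printing a warning when it is set.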
> --
> 1.7.1
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rbriggs@redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545