On 10/23/2013 01:59 AM, Richard Guy Briggs wrote: > On Mon, Oct 21, 2013 at 04:01:40PM +0800, Gao feng wrote: >> As the man page of auditctl said: >> " >> -b backlog >> Set max number of outstanding audit buffers allowed (Kernel >> Default=64) >> If all buffers are full, the failure flag is consulted by the >> kernel >> for action. >> " >> >> So if audit_backlog_limit is zero, it means no audit buffer >> should be allocated. > > Which sounds the same as audit=0 on the kernel boot line or "auditctl -e 0" > to disable it. This is redundant. I would suggest instead that it > would be more useful to have backlog set to zero mean unlimited (well, > limited by system RAM). This can be dangerous, but that can be > warned in the manpage. So, to accomplish that, a minor change is > needed in the audit_hold_skb() function: > > diff --git a/kernel/audit.c b/kernel/audit.c > @@ -355,7 +355,8 @@ static int audit_set_failure(int state) > static void audit_hold_skb(struct sk_buff *skb) > { > if (audit_default && > - skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit) > + (!audit_backlog_limit || > + skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit)) > skb_queue_tail(&audit_skb_hold_queue, skb); > else > kfree_skb(skb); > > And here is what I would propose for the corresponding userspace mod: > > diff --git a/trunk/docs/auditctl.8 b/trunk/docs/auditctl.8 
> @@ -8,7 +8,7 @@ The \fBauditctl\fP program is used to control the behavior, > get status, and add > .SH OPTIONS > .TP > .BI \-b\ backlog > -Set max number of outstanding audit buffers allowed (Kernel Default=64) If > all buffers are full, the failure flag is consulted by the kernel for action. > +Set max number of outstanding audit buffers allowed (Kernel Default=64) If > all buffers are full, the failure flag is consulted by the kernel for action. > Setting this to "0" (which is dangerous) implies an unlimited queue, limited > only by system resources. > .TP > \fB\-e\fP [\fB0\fP..\fB2\fP] > Set enabled flag. When \fB0\fP is passed, this can be used to temporarily > disable auditing. When \fB1\fP is passed as an argument, it will enable > auditing. To lock the audit configuration so that it can't be changed, pass a > \fB2\fP as the argument. Locking the configuration is intended to be the last > command in audit.rules for anyone wishing this feature to be active. Any > attempt to change the configuration in this mode will be audited and denied. > The configuration can only be changed by rebooting the machine. > diff --git a/trunk/src/auditctl.c b/trunk/src/auditctl.c > @@ -107,7 +107,7 @@ static void usage(void) > " -a <l,a> Append rule to end of <l>ist with <a>ction\n" > " -A <l,a> Add rule at beginning of <l>ist with > <a>ction\n" > " -b <backlog> Set max number of outstanding audit buffers\n" > - " allowed Default=64\n" > + " allowed. Default=64 Unlimited=0(dangerous)\n" > " -c Continue through errors in rules\n" > " -C f=f Compare collected fields if available:\n" > " Field name, operator(=,!=), field name\n" > > > Does this sound like a reasonable change? >
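Review bot: In the audit_hold_skb() hunk, the added `!audit_backlog_limit ||` short-circuit removes every bound on audit_skb_hold_queue when the limit is 0: while audit_default is set and nothing is draining the hold queue, each skb goes to skb_queue_tail() and the only backstop is system memory, which is exactly the condition the man page text calls "dangerous". Before the change a limit of 0 made `skb_queue_len(&audit_skb_hold_queue) < audit_backlog_limit` always false, so every skb went to kfree_skb(); that flip from "hold nothing" to "hold everything" deserves a sentence in the commit message and in the comment beside audit_backlog_limit, as the reply below also asks, and it is worth checking that any other comparison against audit_backlog_limit in kernel/audit.c treats 0 the same way so the semantics are consistent across queues.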
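Review bot: The replacement `+` line in the auditctl.8 hunk carries over the missing full stop in `(Kernel Default=64) If all buffers are full`, so the two sentences still run together; since the line is being rewritten anyway, make it `(Kernel Default=64). If all buffers are full, ...`. The added sentence also says "0" is dangerous without saying why; stating the consequence, for example `Setting this to "0" implies an unlimited queue, bounded only by system memory, so kernel memory use grows with the backlog`, tells the administrator what they are trading for the unlimited queue and matches the behaviour the kernel hunk introduces.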
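Review bot: The new usage string in the auditctl.c hunk, `allowed. Default=64 Unlimited=0(dangerous)`, lacks a separator between the two values and a space before the parenthesis; `allowed. Default=64, 0=unlimited (dangerous)` reads cleanly in the column-aligned help text and uses the same wording as the proposed man page sentence, so the two descriptions of the option stay in step.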
Yes, it's reasonable. I'm OK with this change; just like audit_rate_limit, zero means unlimited. And it's better to change the comment on audit_backlog_limit in the kernel. Thanks.

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
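As an added example, not code from the audit project or from either poster, here is a small Python checker that reads `auditctl -s` output and flags the settings the thread discusses: a backlog_limit of 0 (which under the proposed change means a hold queue bounded only by RAM, and under the pre-change kernel means nothing is held), a non-zero lost counter, and the enabled and failure flags the man page text refers to. Both samples are constructed, not captured from a host; the two output shapes are the per-line and the older single-line `AUDIT_STATUS:` form, and the assumptions of this example are that the older form names the failure flag `flag` and that the `zero_means_unlimited` switch is how the caller picks which kernel semantics apply.

```python
"""Flag risky audit backlog settings in `auditctl -s` output.

Added example; not code from the audit project or from either poster.
It understands the two output shapes auditctl -s has used: one
"key value" pair per line, or a single "AUDIT_STATUS: key=value ..."
line (assumption: the older form names the failure flag "flag").
"""
import re

# Constructed sample in the per-line format (not a real capture).
SAMPLE_NEW_STYLE = """\
enabled 1
failure 1
pid 1131
rate_limit 0
backlog_limit 0
lost 17
backlog 0
"""

# Constructed sample in the older single-line format (not a real capture).
SAMPLE_OLD_STYLE = (
    "AUDIT_STATUS: enabled=2 flag=1 pid=1131 rate_limit=0 "
    "backlog_limit=320 lost=0 backlog=4\n"
)

# Matches "name 123" or "name=123"; names are lowercase with underscores.
_PAIR = re.compile(r"([a-z_]+)[= ](\d+)")


def parse_audit_status(text):
    """Return {field: int} from either auditctl -s output shape."""
    status = {}
    for line in text.splitlines():
        line = line.replace("AUDIT_STATUS:", "").strip()
        for key, val in _PAIR.findall(line):
            status[key] = int(val)
    # The older format calls the failure flag "flag"; use one name for both.
    if "flag" in status and "failure" not in status:
        status["failure"] = status.pop("flag")
    return status


def assess(status, zero_means_unlimited=True):
    """Return [(field, finding)] for settings worth a second look.

    zero_means_unlimited selects the semantics of backlog_limit 0: True for
    the behaviour proposed in the thread (queue bounded only by RAM), False
    for the pre-change kernel, where 0 let nothing into the hold queue.
    """
    findings = []
    if status.get("backlog_limit") == 0:
        if zero_means_unlimited:
            findings.append(("backlog_limit",
                             "0 = unlimited: kernel hold queue is bounded only by system RAM"))
        else:
            findings.append(("backlog_limit",
                             "0 = no buffers may be held: records are dropped"))
    if status.get("lost", 0) > 0:
        findings.append(("lost",
                         f"{status['lost']} records already lost; raise the backlog "
                         "or check that auditd is draining the queue"))
    if status.get("enabled") == 0:
        findings.append(("enabled", "auditing is disabled (auditctl -e 0)"))
    if status.get("failure") == 0:
        findings.append(("failure",
                         "failure flag 0: buffer exhaustion is silent (no printk)"))
    return findings


if __name__ == "__main__":
    for label, text in (("new-style", SAMPLE_NEW_STYLE),
                        ("old-style", SAMPLE_OLD_STYLE)):
        status = parse_audit_status(text)
        print(label, status)
        for field, finding in assess(status):
            print(f"  [{field}] {finding}")
```

Pipe real output in with `auditctl -s | python3 check_backlog.py` after replacing the constructed samples with `sys.stdin.read()`; the check is read-only and only reports, it never changes the audit configuration.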