Thanks Steve & Richard, I get it.

On Tue, Jan 14, 2014 at 10:47 PM, Richard Guy Briggs <[email protected]> wrote:
> On 14/01/14, Steve Grubb wrote:
>> On Tuesday, January 14, 2014 01:09:52 PM Aaron Lewis wrote:
>> > Yes, I did run auditctl -D to clear all rules. And during testing I
>> > have enlarged the buffer queue to 10240 messages.
>> >
>> > Did you mean that once -D is issued, the buffer will be cleared by
>> > auditd, but not by linux kernel?
>>
>> There is no way to directly clear the in kernel buffer. The audit system is
>> supposed to keep events for disposition. If there was a simple command to dump
>> events, that would be a simple way to circumvent detection. So, the best way
>> to drain the queues is to give auditd more priority so it runs more often and
>> longer before its time slice is up. You don't need to log to disk. But
>> something has to read the events to get them out.
>
> What Steve said.
>
> The -D option has nothing directly to do with the queue. It simply
> shuts off most of the taps filling your sink. You still need to
> drain the sink after it has filled/overflowed.
>
>> -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
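A check a defender might script around the point Steve and Richard make above, added here as an example and not part of the thread: since `auditctl -D` only stops rules from filling the queue, whether the queue is actually draining has to be read off the kernel's own counters. It assumes the one-`key value`-per-line output of `auditctl -s` (fields `backlog_limit`, `backlog`, `lost`) and uses a constructed sample in place of live output.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the kernel audit queue
# from `auditctl -s` text as "ok", "filling" or "overflowed", so that a
# monitoring job can tell whether auditd is keeping up after rules change.

# Constructed sample of `auditctl -s` output (NOT captured from a real host):
# a 10240-message backlog limit that is almost full, i.e. auditd is lagging.
SAMPLE_STATUS='enabled 1
failure 1
pid 4321
rate_limit 0
backlog_limit 10240
lost 0
backlog 9800'

# status_field TEXT KEY -> prints the value following KEY in "key value" lines
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_queue_state TEXT [PCT] -> prints one of:
#   overflowed  the kernel has already dropped events (lost > 0)
#   filling     backlog is at or above PCT% (default 80) of backlog_limit
#   ok          queue is being drained faster than it is filled
audit_queue_state() {
    text=$1
    pct=${2:-80}
    limit=$(status_field "$text" backlog_limit)
    backlog=$(status_field "$text" backlog)
    lost=$(status_field "$text" lost)
    if [ "${lost:-0}" -gt 0 ]; then
        echo overflowed
        return 0
    fi
    # shell arithmetic is integer-only, so compare backlog*100 with limit*pct
    if [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 100 )) -ge $(( limit * pct )) ]; then
        echo filling
        return 0
    fi
    echo ok
}

# Stand-alone run on the constructed sample; against a live host (as root)
# the call would be: audit_queue_state "$(auditctl -s)"
echo "audit queue: $(audit_queue_state "$SAMPLE_STATUS")"
```

A result of "filling" with `lost` still at 0 is the window in which raising auditd's priority still helps; once `lost` is non-zero, events are already gone and only the count of the loss can be recorded.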
