On Wed, 2021-01-20 at 17:50 -0500, Paul Moore wrote: > On Wed, Jan 20, 2021 at 1:38 AM Burn Alting <[email protected]> wrote: > > All, > > How is the following for a way forward. > > a. I will author a patch to the user space code to correctly parse this > > condition and submit it on the weekend. It will be via a new configuration > > item > > to auditd.conf just in case placing a fixed extended timeout (15-20 secs) > > affects memory usage for users of the auparse library. This solves the > > initial > > problem of ausearch/auparse failing to parse generated audit.b. I am happy > > to > > instrument what ever is recommended on my hosts at home (vm's and bare > > metal) to > > provide more information, should we want to 'explain' the occurrence, given > > I > > see this every week or two and report back. > > Seems reasonable to me. Steve, I can implement the 'end_of_event_timeout' change either as i. a command line argument to ausearch/aureport (say --eoetmo secs) and a new pair of library functions within the auparse() stable (say auparse_set_eoe_timeout() and auparse_get_eoe_timeout()) or ii. a configuration item in /etc/audit/auditd.conf, or
Which is your preference? Mine is i. as this is a user space processing change, not a demon change.
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
