On Wednesday, March 8, 2023 6:53:39 AM EST Anurag Aggarwal wrote:
> > Limiting of audit records is actually done in the kernel, and
> > currently the rate limit applies equally[1] to all records, there is
> > no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we contribute something similar to the
> Auditd Kernel repository?

I'm not Paul...but I think what you are proposing is a per rule service class. Always and best effort where best effort gets discarded when the backlog is above some heuristic. And rules not saying anything are assumed always for backwards compatibility.

The main issue is that rules are defined here:

https://github.com/linux-audit/audit-kernel/blob/main/include/uapi/linux/audit.h#L510

There just really isn't room to add more things without some userspace API problem. (This would definitely need a feature bitmap so user space can make sense of it.) I suppose we could declare some bits in flags to carry this meaning?

Anyways, maybe others might chime in to say if they want/need such a feature.

-Steve
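
The per-rule service class discussed in the message above, modelled as a small user-space C program. This is an added example, not code from the kernel or from the post; every `EX_`/`ex_` name, the bit values and the shed threshold are assumptions made up for illustration.

```c
/* Added illustration: every EX_/ex_ name and value is hypothetical, not kernel UAPI. */
#include <stdint.h>
#include <stdio.h>

#define EX_RULE_BEST_EFFORT  0x00000100u /* constructed bit in a rule's flags word */
#define EX_FEATURE_SVC_CLASS 0x00010000u /* constructed feature-bitmap bit */

struct ex_backlog {
    uint32_t depth;      /* records currently queued */
    uint32_t limit;      /* hard backlog limit */
    uint32_t shed_above; /* heuristic: shed best-effort above this depth */
    uint32_t shed;       /* best-effort records discarded */
    uint32_t lost;       /* "always" records lost at the hard limit */
};

/* Userspace: only request best effort if the kernel advertises support. */
static int ex_rule_flags(uint32_t features, int best_effort, uint32_t *flags)
{
    if (best_effort && !(features & EX_FEATURE_SVC_CLASS))
        return -1; /* an older kernel would not understand the bit */
    *flags = best_effort ? EX_RULE_BEST_EFFORT : 0; /* no bit set = always */
    return 0;
}

/* Admission decision for one record: 1 = queued, 0 = dropped. */
static int ex_admit(struct ex_backlog *b, uint32_t rule_flags)
{
    int best_effort = (rule_flags & EX_RULE_BEST_EFFORT) != 0;
    if (best_effort && b->depth > b->shed_above) { b->shed++; return 0; }
    if (b->depth >= b->limit) { b->lost++; return 0; }
    b->depth++;
    return 1;
}

/* Feed n records generated by one rule; return how many were queued. */
static uint32_t ex_feed(struct ex_backlog *b, uint32_t rule_flags, uint32_t n)
{
    uint32_t queued = 0;
    while (n--) queued += (uint32_t)ex_admit(b, rule_flags);
    return queued;
}

int main(void)
{
    struct ex_backlog b = { .limit = 100, .shed_above = 75 };
    uint32_t be = ex_feed(&b, EX_RULE_BEST_EFFORT, 200); /* noisy rule */
    uint32_t al = ex_feed(&b, 0, 50);                    /* legacy rule */
    printf("best effort: queued %u shed %u; always: queued %u lost %u\n", be, b.shed, al, b.lost);
    return 0;
}
```

In this model the burst from the best-effort rule stops filling the queue once it passes the threshold, so the remaining headroom is kept for rules that set no bit; those are only lost at the hard limit.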