Re: Key based rate limiter (audit_set_rate_limit)

2023-03-08 Thread Anurag Aggarwal
> However, I am fairly skeptical that we could add per-key rate limiting
> without introducing a non-trivial amount of overhead to record
> generation, which would be a show stopper for this feature given its
> expected limited appeal.

I understand the reservation. I will spend some time to

Re: Auditing nftables changes

2023-03-08 Thread Paul Moore
On Wed, Mar 8, 2023 at 7:13 PM Bruce Elrick wrote:
> Hello all,
>
> I'm not sure if this list is appropriate for questions so please let
> me know and otherwise ignore if this message is not appropriate.
>
> I'm trying to help someone who is finally migrating from iptables to
> nftables on the

Auditing nftables changes

2023-03-08 Thread Bruce Elrick
Hello all, I'm not sure if this list is appropriate for questions so please let me know and otherwise ignore if this message is not appropriate. I'm trying to help someone who is finally migrating from iptables to nftables on the back-end and needs to therefore migrate their audit capability.

Re: How to define audit rule for one bit *not* set for a syscall argument?

2023-03-08 Thread Steve Grubb
Hello,

On Wednesday, March 8, 2023 8:46:57 AM EST Richard Du wrote:
> I'm trying to define an audit rule with auditctl for clone() syscall, and I
> would expect that the a0 of clone() syscall (i.e. the clone_flags
> argument) without the CLONE_THREAD flag bit being set.
>
> int clone(int

Re: Key based rate limiter (audit_set_rate_limit)

2023-03-08 Thread Paul Moore
On Wed, Mar 8, 2023 at 6:53 AM Anurag Aggarwal wrote:
>> Limiting of audit records is actually done in the kernel, and
>> currently the rate limit applies equally[1] to all records, there is
>> no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we contribute something

Re: Key based rate limiter (audit_set_rate_limit)

2023-03-08 Thread Steve Grubb
On Wednesday, March 8, 2023 6:53:39 AM EST Anurag Aggarwal wrote:
> > Limiting of audit records is actually done in the kernel, and
> > currently the rate limit applies equally[1] to all records, there is
> > no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we

How to define audit rule for one bit *not* set for a syscall argument?

2023-03-08 Thread Richard Du
Hello all, I'm trying to define an audit rule with auditctl for clone() syscall, and I would expect that the a0 of clone() syscall (i.e. the clone_flags argument) without the CLONE_THREAD flag bit being set. int clone(int (*fn)(void *), void *stack, int flags, void *arg, ... /*

Re: Key based rate limiter (audit_set_rate_limit)

2023-03-08 Thread Anurag Aggarwal
> Limiting of audit records is actually done in the kernel, and
> currently the rate limit applies equally[1] to all records, there is
> no ability to enforce limits per-key.

One question Paul, will it be ok, if we contribute something similar to the Auditd Kernel repository?

--
Anurag