Re: [PATCH next] audit: printk before dropping logs in audit_log_end

From: Paul Moore
Date: Tue Aug 23 2022 - 16:09:50 EST

Next message: Aaron Tomlin: "[PATCH modules-next] module: Add debugfs interface to view unloaded tainted modules"
Previous message: Horatiu Vultur: "[PATCH v2] ARM: dts: lan966x: add support for pcb8290"
In reply to: Paul Moore: "Re: [PATCH next] audit: printk before dropping logs in audit_log_end"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Aug 22, 2022 at 10:33 PM Gaosheng Cui <ecronic@xxxxxxxxxxx> wrote:
>
> Thanks for your reply.
>
> This is a personal idea of mine，in the process of using audit，I find that if the audit rules are configured too much，or the server hard-disk performance is too poor，hitting a rate limit will be easy to occur，then some logs would be dropped directly.
> I think we should print the record to the console，just likely the last thing we want to do，better play the role of audit，and improve kernel security.
>
> I hope that will be helpful，thanks.

Yes, thank you for the additional information on your environment and
use case. As I'm sure you already know, the audit rate limit, backlog
queue depth, and other related tunables can all be configured at boot
or runtime to help ensure that the system remains responsive in the
face of higher audit loads.

--
paul-moore.com

Next message: Aaron Tomlin: "[PATCH modules-next] module: Add debugfs interface to view unloaded tainted modules"
Previous message: Horatiu Vultur: "[PATCH v2] ARM: dts: lan966x: add support for pcb8290"
In reply to: Paul Moore: "Re: [PATCH next] audit: printk before dropping logs in audit_log_end"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]