On Wednesday 08 June 2005 16:10, Amy Griffis wrote:
> Hello,
>
> I've noticed some odd behavior when adding medium to large numbers of
> syscall rules. I'm doing my testing on an ia64 system with the
> audit.56 kernel and the audit-0.9.2 package.
>
> When adding the 31st rule, the 'No watches' message is not printed
> following the auditctl command to add the rule, or any subsequent
> auditctl -l calls. This seems to happen for any number of rules
> greater than 30.
>
> When the 61st rule is added, it does not appear in the rules list when
> adding the rule, or any following auditctl -l calls. 60 seems to be
> the maximum number of rules that can be listed. I do see an 'added an
> audit rule' message in the audit log for the 61st rule, and can
> generate audit records from it.
>
> After adding the 116th rule, I can no longer delete all the rules with
> auditctl -D. In fact, the command appears to hang, with no output
> going to the audit log. If I bring the number of rules down to 115,
> then -D will work again.
I've seen similar problems with watches (when inserting and triggering
them immediately after). I've yet to hear of or see a solution to this
problem. But, I know Steve had commented earlier on the hard limit of
30 phenomena and a fix for it.

Is there any way you can join the IRC channel (irc.freenode.net/6667,
#audit)? We're mostly all there in the late morning between 10 - 12 CST.

-tim