Re: user message limits
On Wed, 2009-01-28 at 12:15 -0500, Steve Grubb wrote:
On Tuesday 27 January 2009 07:01:08 pm LC Bruzenak wrote:
> Even when I get a successful return value (from audit_log_user_message),
> I don't get my string back out in "ausearch" unless it is WAY smaller
-
> ~1K or less I think.
>
> Any ideas/thoughts?
I tested like this:
auditctl -m `perl -e '{print "A"x"2048"}'`
and found its getting cutoff just under 1K. So, I checked the kernel code and
found this:
761 if (msg_type != AUDIT_USER_TTY)
762 audit_log_format(ab, "
msg='%.1024s'",
763 (char *)data);
764 else {
Offhand, I don't remember why the kernel sets the limit so low. It could be
bumped some. How much, I don't know. 4K or 8K would seem fine.
-Steve
I apologize in advance, but I've lost the bubble on input event length.
Is there a plan for the kernel to allow bigger buffers in to be audited?
As of my current one (2.6.29.4-75.fc10) I'm still in the same ~900 byte
range.
To me, it seems that an increase would be automatically
backward-compatible. The "dropoff" point would just extend out a ways...
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com