On Thursday, June 18, 2020 9:46:54 AM EDT Paul Moore wrote:
> On Thu, Jun 18, 2020 at 9:39 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > The kernel cannot grow the backlog unbounded. If you do nothing, the
> > backlog is 64 - which is too small to really use. Otherwise, you set the
> > backlog to a finite number with the -b option.
>
> If one were to set the backlog limit to 0, it is effectively disabled
> allowing the backlog to grow without any restrictions placed on it by
> the audit subsystem.

Then I'd say you asked for it. The cure is setting a number. But regardless,
we could use some metrics on the backlog and visibility into the time it
takes to dequeue. That might signal problems with plugins or overly aggressive
rules.
-Steve
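
The backlog settings discussed in this thread can be checked from the output of `auditctl -s`. The following is an added example, not part of the original message or the audit project's code: a shell function that reads status text on stdin and flags a backlog limit of 0 (unbounded), the default of 64, a queue close to its limit, and lost events. It assumes the one-field-per-line `name value` status format; the 80% threshold, the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify audit backlog health from `auditctl -s` text on stdin.
# Assumption: status is printed as "name value" lines (backlog_limit, backlog, lost).
check_audit_backlog() {
    awk '
        $1 == "backlog_limit" { limit = $2; have_limit = 1 }
        $1 == "backlog"       { depth = $2 }
        $1 == "lost"          { lost = $2 }
        END {
            if (!have_limit) { print "UNKNOWN no backlog_limit field found"; exit }
            warnings = 0
            if (limit == 0) {
                # A limit of 0 disables the audit subsystem cap on the queue.
                print "WARN backlog_limit=0: backlog is unbounded, set a number with -b"
                warnings++
            } else if (limit == 64) {
                print "WARN backlog_limit=64: default value, too small for real use"
                warnings++
            }
            # Fill ratio only makes sense when a finite limit is configured.
            if (limit > 0 && depth * 100 >= limit * 80) {
                print "WARN backlog " depth "/" limit " is at or above 80% of the limit"
                warnings++
            }
            if (lost > 0) {
                print "WARN lost=" lost ": events were dropped"
                warnings++
            }
            if (warnings == 0) print "OK backlog " depth + 0 "/" limit
        }'
}

# Constructed sample status (not captured from a real host).
sample_status() {
    printf '%s\n' 'enabled 1' 'failure 1' 'pid 812' 'rate_limit 0' \
        'backlog_limit 8192' 'lost 12' 'backlog 7000' 'backlog_wait_time 60000'
}

# Demo on the constructed sample; on a live host: auditctl -s | check_audit_backlog
sample_status | check_audit_backlog
```
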