Re: [PATCH] audit: optionally print warning after waiting to enqueue record
On Thu, Jun 18, 2020 at 10:36 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Thursday, June 18, 2020 9:46:54 AM EDT Paul Moore wrote:
> On Thu, Jun 18, 2020 at 9:39 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> > The kernel cannot grow the backlog unbounded. If you do nothing, the
> > backlog is 64 - which is too small to really use. Otherwise, you set the
> > backlog to a finite number with the -b option.
>
> If one were to set the backlog limit to 0, it is effectively disabled
> allowing the backlog to grow without any restrictions placed on it by
> the audit subsystem.
Then I'd say you asked for it. The cure is setting a number.
I wasn't commenting on if it was wise or not, that is going to depend
on the goals of the admin. I just wanted to correct some bad
information you provided so those reading the mailing list were not
ill-informed.
--
paul moore
www.paul-moore.com