On Wed, Mar 8, 2023 at 6:53 AM Anurag Aggarwal
<anurag19aggarwal(a)gmail.com> wrote:
> Limiting of audit records is actually done in the kernel, and
> currently the rate limit applies equally[1] to all records, there is
> no ability to enforce limits per-key.
> One question, Paul: will it be OK if we contribute something similar to the
> Auditd Kernel repository?

I don't like telling people *not* to work on improvements to the
kernel, I'm happy to see more contributors, especially in the audit
space :)

However, I am fairly skeptical that we could add per-key rate limiting
without introducing a non-trivial amount of overhead to record
generation, which would be a show stopper for this feature given its
expected limited appeal.
--
paul-moore.com