On Wednesday, March 8, 2023 6:53:39 AM EST Anurag Aggarwal wrote:
> > Limiting of audit records is actually done in the kernel, and
> > currently the rate limit applies equally[1] to all records, there is
> > no ability to enforce limits per-key.
>
> One question Paul, will it be ok, if we contribute something similar to the
> Auditd Kernel repository?

I'm not Paul...but I think what you are proposing is a per rule service
class. Always and best effort where best effort gets discarded when the
backlog is above some heuristic. And rules not saying anything are assumed
always for backwards compatibility. The main issue is that rules are defined
here:
https://github.com/linux-audit/audit-kernel/blob/main/include/uapi/linux/audit.h#L510
There just really isn't room to add more things without some userspace API
problem. (This would definitely need a feature bitmap so user space can make
sense of it.)

I suppose we could declare some bits in flags to carry this meaning? Anyways,
maybe others might chime in to say if they want/need such a feature.
-Steve
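To make the proposed semantics concrete, here is a small user-space model of the per-rule service class described in the reply above. It is an added example, not code from the audit kernel or from anyone in the thread; the class values, the rule struct, the backlog threshold and the sample keys are all constructed for illustration, and nothing here reflects how such bits would actually be laid out in the kernel's rule flags.

```c
/* Hypothetical user-space model (not kernel code) of a per-rule service
 * class: ALWAYS records are queued regardless of backlog, BEST_EFFORT
 * records are discarded once the backlog exceeds a threshold, and rules
 * that set no class behave as ALWAYS for backwards compatibility. */

#define BACKLOG_LIMIT 3   /* constructed stand-in for "some heuristic" */

/* Constructed class values; in a real design these would be bits in the
 * rule flags, advertised via a feature bitmap so user space can detect them. */
enum svc_class { SVC_UNSET = 0, SVC_ALWAYS = 1, SVC_BEST_EFFORT = 2 };

struct rule { const char *key; enum svc_class cls; };
struct backlog { int queued; int dropped; };

/* Rules that say nothing default to ALWAYS, so existing rules keep their
 * current behaviour. */
static enum svc_class effective_class(const struct rule *r)
{
    return r->cls == SVC_UNSET ? SVC_ALWAYS : r->cls;
}

/* Return 1 if the record was queued, 0 if it was discarded. */
int enqueue_record(struct backlog *b, const struct rule *r)
{
    if (effective_class(r) == SVC_BEST_EFFORT && b->queued >= BACKLOG_LIMIT) {
        b->dropped++;
        return 0;
    }
    b->queued++;
    return 1;
}

/* Fill the backlog to the limit with a legacy (unset) rule, then show how
 * each class is treated once the backlog is full. Returns 1 when the
 * observed behaviour matches the proposal; queued/dropped report the counts. */
int simulate(int *queued, int *dropped)
{
    struct backlog b = {0, 0};
    struct rule legacy   = { "legacy-key",   SVC_UNSET };       /* constructed */
    struct rule noisy    = { "noisy-key",    SVC_BEST_EFFORT }; /* constructed */
    struct rule critical = { "critical-key", SVC_ALWAYS };      /* constructed */
    for (int i = 0; i < BACKLOG_LIMIT; i++)
        enqueue_record(&b, &legacy);
    int q_noisy  = enqueue_record(&b, &noisy);    /* backlog full: discarded */
    int q_crit   = enqueue_record(&b, &critical); /* ALWAYS: still queued */
    int q_legacy = enqueue_record(&b, &legacy);   /* unset == ALWAYS: queued */
    *queued = b.queued;
    *dropped = b.dropped;
    return q_noisy == 0 && q_crit == 1 && q_legacy == 1;
}
```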