>> I'm curious because on my system, I can lose audit records without
>> much load at all, but I'm running the default auditd.conf.
>
> What version are you using and what is your priority_boost setting?

I'm using the 0.7.3-1 user-space tools and the .28 kernel. I'm using
the default auditd.conf file, which has priority_boost = 3.

I was doing something a bit unusual. I was running some manual tests
with audit rules that audit all syscalls with my uid and it was working
fine until I forgot to turn it off before locking my X session. At
that point, the screen saver did stuff like close every possible
file descriptor, as far as I can tell from the log, so between locking
the session and restarting it, I lost hundreds of records.

I can usually, but not always, reproduce record loss with a program
similar to one of Kris' tests, but with fewer than 200 iterations.

I haven't tried fooling with the auditd.conf parameters yet, so I
was curious about the stress.conf file.

-- ljk