The way that watches work is by tracking the inode internally. Is it too much overhead to zero it? If we are dropping the 'we lost some messages' message, zeroing the counter at that time would be a bad idea; certainly not unsolvable, but I don't see what it buys us. If you have 10 syscall rules, every program on your system will delay during a syscall while the audit system evaluates each rule. You cannot insert a watch on the top-level directory. I haven't looked at the audit message sending code, but we are only talking about adding an extra conditional in the common case and, in the worst case, a conditional and an assignment. I wonder if it would be better to reduce the generation of the messages, rather than just their output.
You can use this without specifying a syscall, and the kernel will select the syscalls that satisfy the permissions being requested. I think it will wait a short while for there to be room in the queue before failing, but it doesn't wait for the queue to really drain. The arch can be found by running 'uname -m'. This will place a recursive watch on the directory and its whole subtree. Each one must start with -C. It also shows how many events are currently still waiting in the backlog queue, which is zero in our case, so the audit user-space daemon has properly consumed and logged the audit events.
See the arch field discussion for more info. If an audit event is logged which would grow the queue beyond this limit, then a failure occurs and is handled according to the system configuration (more on that later). For reads or writes, the open flags are examined instead to see what permission was requested. It will be handled by the filesystem auditing code and only checked on filesystem-related syscalls. I'll think about it, but really, as long as we are generating audit events there isn't a great way to solve this problem other than throwing stuff on the floor. Doing so improves performance since fewer rules need to be evaluated. See the discussion above for the -k option.
The exit code will not be success (zero) if any rule fails to load. May be numeric or the user account name. Messages for one event can be interleaved with messages from another event. If the subtree is already mounted at the time the directory watch is issued, the subtree is automatically tagged for watching. This means that the most likely use for this filter is with rules that have an action of never, since nothing has to be done to allow events to be recorded.
The same applies to the 64-bit syscall table: you can use b64. I wouldn't want to lose the message, just make it more useful. You may want to control this and write two rules, one with arch equal to b32 and one with b64, to make sure the kernel finds the events that you intend. In general, you want suppressions at the top of the list instead of the bottom. This metricset will buffer the messages in order to combine related messages into a single event, even if they arrive interleaved or out of order.
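The interleaving problem described above (records of one event mixed with records of another, possibly out of order) can be solved by buffering records by their serial number until the event's terminator arrives. The following is an added example written for this page; it is not code from auditd, auditctl or the Beats auditd metricset. It assumes the auditd log line format (`type=... msg=audit(<timestamp>:<serial>): key=value ...`) and that a `type=EOE` record closes each event; the sample log lines are constructed for the example. It also handles the failure mode the page discusses: if records are lost (for example to a backlog overflow) and an EOE never arrives, open events are bounded in number and evicted as incomplete rather than leaking memory.

```python
"""Reassemble multi-record Linux audit events from an interleaved stream.

Added example for this page; not code from auditd, auditctl or the Beats
auditd metricset. Every record of one event carries the same
msg=audit(<timestamp>:<serial>) tag, and a type=EOE record is assumed to
terminate the event. flush() covers streams where EOE never arrives.
"""
import re
from collections import OrderedDict

# Constructed sample: two events (serials 101 and 102) arriving interleaved,
# with event 102's CWD record arriving after its PATH record.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1364481363.243:101): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 items=1 ppid=2686 pid=3538 auid=500 uid=500 comm="cat" exe="/bin/cat" key="sshd_config"',
    'type=SYSCALL msg=audit(1364481363.250:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd19c5600 items=1 ppid=2686 pid=3540 auid=500 uid=500 comm="cat" exe="/bin/cat" key="passwd_read"',
    'type=CWD msg=audit(1364481363.243:101): cwd="/home/shadowman"',
    'type=PATH msg=audit(1364481363.250:102): item=0 name="/etc/passwd" inode=409248 dev=fd:00 mode=0100644 ouid=0 ogid=0',
    'type=PATH msg=audit(1364481363.243:101): item=0 name="/etc/ssh/sshd_config" inode=409249 dev=fd:00 mode=0100600 ouid=0 ogid=0',
    'type=CWD msg=audit(1364481363.250:102): cwd="/home/shadowman"',
    'type=EOE msg=audit(1364481363.250:102):',
    'type=EOE msg=audit(1364481363.243:101):',
]

RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are bare tokens or double-quoted strings with escapes
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one audit log line into (type, timestamp, serial, {field: value})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError('not an audit record: %r' % line)
    fields = {}
    for key, raw in FIELD_RE.findall(m.group('body')):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return m.group('type'), float(m.group('ts')), int(m.group('serial')), fields


class EventAssembler:
    """Buffer records by serial until the event's EOE record arrives.

    Completed events are emitted in EOE-arrival order, not serial order.
    max_pending bounds memory: when more than that many events are open
    (for example because their EOE records were lost), the oldest is
    evicted and emitted with complete=False.
    """

    def __init__(self, max_pending=64):
        self.max_pending = max_pending
        self.pending = OrderedDict()   # serial -> event dict, insertion ordered

    def feed(self, line):
        """Consume one log line; return the list of events finished by it."""
        rtype, ts, serial, fields = parse_record(line)
        finished = []
        if serial not in self.pending:
            if len(self.pending) >= self.max_pending:
                _, oldest = self.pending.popitem(last=False)
                oldest['complete'] = False
                finished.append(oldest)
            self.pending[serial] = {'serial': serial, 'timestamp': ts,
                                    'records': [], 'complete': False}
        event = self.pending[serial]
        if rtype == 'EOE':
            event['complete'] = True
            finished.append(self.pending.pop(serial))
        else:
            event['records'].append((rtype, fields))
        return finished

    def flush(self):
        """Emit every still-open event as incomplete (end of stream or timeout)."""
        leftover = list(self.pending.values())
        self.pending.clear()
        return leftover


def fields_of(event, rtype):
    """Return the field dict of the first record of the given type, or {}."""
    for t, fields in event['records']:
        if t == rtype:
            return fields
    return {}


def assemble(lines, max_pending=64):
    """Run a list of log lines through one assembler; return all finished events."""
    asm = EventAssembler(max_pending)
    events = []
    for line in lines:
        events.extend(asm.feed(line))
    events.extend(asm.flush())
    return events


if __name__ == '__main__':
    for ev in assemble(SAMPLE_LINES):
        print(ev['serial'], [t for t, _ in ev['records']],
              fields_of(ev, 'PATH').get('name'), 'complete' if ev['complete'] else 'INCOMPLETE')
```

Because events are keyed on the serial rather than on arrival position, the reader sees event 102 completed before event 101 even though 101's first record arrived first; a consumer that indexes by serial or timestamp is unaffected by that. Eviction of incomplete events is what keeps a lost EOE (the "throwing stuff on the floor" case from the backlog discussion) from pinning memory forever.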
Setting this makes loginuid tamper-proof, but it can cause some problems in certain kinds of containers. Whenever a new audit event is received, it is logged and prepared to be added to this queue. When using this list, you should only use fields that are known at task creation time, such as the uid, gid, etc. The filter key is an arbitrary string of text that can be up to 31 bytes long. These permissions are not the standard file permissions, but rather the kind of syscall that would perform that kind of access. This can only be done by the root user.
That sort of begs the question: why do we even bother printing the audit record lost message? The default is 0, which disables rate limiting. It is printed by the kernel on a text console (the one opened by Alt-F1), saved in the dmesg buffer, and also sent to the syslog daemon. May be numeric or the group's name. On production systems, it is advised not to make this setting too low. It's an abbreviation of audit uid.
It was found that messages such as the audit backlog lost printk message could flood the logs to the point that a machine could take an NMI watchdog hit or otherwise become unresponsive. Valid fields are a0, a1, a2 and a3: respectively, the first four arguments to a syscall. Adding to this queue can be controlled through a few parameters. Typical use is for when you have several rules that together satisfy a security requirement. The key can also be used on delete all (-D) and list rules (-l) to select rules with a specific key. Some printk messages from the audit system can become excessive.
You should add some condition before printk, because open is one of the most used syscalls. Omitting it will cause errors. See the -d discussion for more info. This list is used upon entry to a system call to determine if an audit event should be created.
Well that, plus if the system is up for a long time (which we hope) and the message is infrequent (which we also hope), then it could take me a while to find the previous message in order to do the subtraction. The pid value is the process number of the audit daemon. Hence, it might not work for everyone either. Fixing this properly had quite the cascading effect, and what we are left with is this rather large and complicated patch. Is there a performance hit? Each one must start with -F.
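The rule-writing advice scattered through this page (suppressions at the top of the list, one syscall rule per arch so both the b32 and b64 tables are covered, -p permissions drawn from r/w/x/a, -k keys of at most 31 bytes, task-list rules restricted to fields known at task creation, and a backlog limit that is not too low) can be enforced mechanically when generating a rules file. The following generator is an added example written for this page, not code from auditctl or the audit project. It emits auditctl's documented syntax, but the ordering, the validation and the TASK_FIELDS set are this script's own assumptions; the output is meant to be loaded with auditctl -R (whose exit code is non-zero if any rule fails to load), and the sample rules in the main block are constructed for illustration.

```python
"""Generate an auditctl rules file following the guidance on this page.

Added example written for this page; not code from auditctl or the audit
project. It emits auditctl's documented syntax (-D, -b, -r, -w/-p/-k and
-a list,action -F ... -S ... -k ...), but the ordering and the checks are
this script's own conventions.
"""
import re

PERM_CHARS = set('rwxa')          # -p accepts any combination of r, w, x, a
MAX_KEY_BYTES = 31                # -k key limit stated on this page
ARCHES = ('b32', 'b64')           # emit every syscall rule for both tables
# Fields usable on the task list (evaluated at fork/clone). The page says
# "uid, gid, etc."; this exact set is this script's assumption.
TASK_FIELDS = {'uid', 'gid', 'euid', 'egid', 'suid', 'sgid', 'fsuid', 'fsgid',
               'auid', 'pid', 'ppid'}
FIELD_RE = re.compile(r'^(?P<name>[A-Za-z0-9_]+)(?P<op>!=|>=|<=|&=|=|<|>|&)(?P<value>.+)$')


def check_key(key):
    """-k key: 1..31 bytes, no whitespace (auditctl takes it as one token)."""
    if not key or len(key.encode()) > MAX_KEY_BYTES or any(c.isspace() for c in key):
        raise ValueError('bad -k key (1..%d bytes, no whitespace): %r' % (MAX_KEY_BYTES, key))
    return key


def check_fields(fields, lst):
    """Validate -F expressions; on the task list only creation-time fields are allowed."""
    names = []
    for f in fields:
        m = FIELD_RE.match(f)
        if not m:
            raise ValueError('bad -F expression: %r' % f)
        if lst == 'task' and m.group('name') not in TASK_FIELDS:
            raise ValueError('field %r is not known at task creation time' % m.group('name'))
        names.append(m.group('name'))
    return names


def watch_rule(path, perms, key):
    """-w rule; a directory path is watched recursively by the kernel."""
    if not perms or not set(perms) <= PERM_CHARS:
        raise ValueError('-p must be a non-empty combination of r, w, x, a: %r' % perms)
    return '-w %s -p %s -k %s' % (path, perms, check_key(key))


def syscall_rules(syscalls, fields, key, lst='exit', action='always'):
    """One -a rule per arch; arch is placed before -S so names resolve per table."""
    check_fields(fields, lst)
    check_key(key)
    tail = ' '.join('-F ' + f for f in fields)
    return ['-a %s,%s -F arch=%s -S %s%s -k %s'
            % (lst, action, arch, ','.join(syscalls), (' ' + tail) if tail else '', key)
            for arch in ARCHES]


def never_rule(lst, fields):
    """Suppression: list,never with the -F conditions selecting events to drop."""
    check_fields(fields, lst)
    return '-a %s,never %s' % (lst, ' '.join('-F ' + f for f in fields))


def build_rules_file(suppressions, watches, syscall_rule_sets, backlog_limit=8192, rate_limit=0):
    """Assemble the file: reset, queue settings, suppressions first, then collectors."""
    lines = ['-D', '-b %d' % backlog_limit, '-r %d' % rate_limit]
    lines += suppressions            # never rules on top: fewer rules evaluated per event
    lines += watches
    for rules in syscall_rule_sets:
        lines += rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed sample policy: drop events with no login uid, watch sshd_config
    # for writes and attribute changes, record opens by real users on both arches.
    print(build_rules_file(
        suppressions=[never_rule('exit', ['auid=4294967295'])],
        watches=[watch_rule('/etc/ssh/sshd_config', 'wa', 'sshd_config')],
        syscall_rule_sets=[syscall_rules(['open', 'openat'],
                                         ['auid>=1000', 'auid!=4294967295'], 'user_open')],
    ), end='')
```

The generator refuses a key over 31 bytes, a -p string containing anything but r, w, x or a, and a task-list rule on a field such as exe that is not known at fork time, so these mistakes are caught before auditctl -R reports a failed load. Because every syscall rule is written twice, once per arch, an intended event is matched whichever syscall table the process uses, at the cost the page notes: each extra syscall rule is evaluated on every syscall by every process.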