[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: adding syscall rules



On Wednesday 08 June 2005 16:10, Amy Griffis wrote:
> Hello,
> 
> I've noticed some odd behavior when adding medium to large numbers of
> syscall rules.  I'm doing my testing on an ia64 system with the
> audit.56 kernel and the audit-0.9.2 package.
> 
> When adding the 31st rule, the 'No watches' message is not printed
> following the auditctl command to add the rule, or any subsequent
> auditctl -l calls.  This seems to happen for any number of rules
> greater than 30.
> 
> When the 61st rule is added, it does not appear in the rules list when
> adding the rule, or any following auditctl -l calls.  60 seems to be
> the maximum number of rules that can be listed.  I do see an 'added an
> audit rule' message in the audit log for the 61st rule, and can
> generate audit records from it.
> 
> After adding the 116th rule, I can no longer delete all the rules with
> auditctl -D.  In fact, the command appears to hang, with no output
> going to the audit log.  If I bring the number of rules down to 115,
> then -D will work again.

I've seen similar problems with watches (when inserting and triggering
them immediately after).  I've yet to hear of or see a solution to this 
problem.  But, I know Steve had commented earlier on the hard limit of 
30 phenomena and a fix for it.

Is there any way you can join the IRC channel (irc.freenode.net/6667)
#audit -- We're mostly all there in the late morning between 10 - 12 CST.

-tim


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]