[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: max size of execve records



On Friday 12 October 2007 15:52:30 Eric Paris wrote:
> If the argument is binary/has control characters it gets logged in hex,
> which means each char in the execve argument lists gets turned into 2
> characters in the audit message.

Yep.

> Do we see a problem dropping the execve record size down to 3500?

Why not go to 3900? 3500 is just as arbitrary as 3900 but requires more 
records for large amounts of args. Also, can't you track the allocations more 
closely so that if there are no args with a space (or special character) in 
it, you can send a full 8k?

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]