max size of execve records
Steve Grubb
sgrubb at redhat.com
Mon Oct 15 13:53:13 UTC 2007
On Friday 12 October 2007 15:52:30 Eric Paris wrote:
> If the argument is binary/has control characters it gets logged in hex,
> which means each char in the execve argument lists gets turned into 2
> characters in the audit message.
Yep.
> Do we see a problem dropping the execve record size down to 3500?
Why not go to 3900? 3500 is just as arbitrary as 3900 but requires more
records for large amounts of args. Also, can't you track the allocations more
closely so that if there are no args with a space (or special character) in
them, you can send a full 8k?
-Steve
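The sizing trade-off discussed in this thread, as an added example that is not part of the original message and is not kernel code: it compares a fixed worst-case cap on raw argument bytes (3500 or 3900) with tracking the actual encoded length against the full 8k. The field layout (` aN=` prefix, quoted or hex value), the byte rule in `needs_hex`, and all function names are assumptions of this simplified model.

```python
# Simplified model of execve argument packing; names and layout are assumptions.
MSG_LIMIT = 8192  # the "full 8k" from the thread, used as the budget for argument text

def needs_hex(arg: bytes) -> bool:
    """Assumed rule: hex-encode when any byte is a space, control, non-ASCII or '"'."""
    return any(b < 0x21 or b > 0x7E or b == 0x22 for b in arg)

def encoded_len(index: int, arg: bytes) -> int:
    """Characters used by ' aN=VALUE' once the argument is written to a record."""
    prefix = len(f" a{index}=")
    if needs_hex(arg):
        return prefix + 2 * len(arg)   # each byte becomes two hex digits
    return prefix + len(arg) + 2       # plain value wrapped in two quotes

def pack(args, cost, budget):
    """Greedy packing: open a new record when the next argument would not fit."""
    records, used = [[]], 0
    for i, arg in enumerate(args):
        c = cost(i, arg)
        if c > budget:
            # Splitting a single argument across records is outside this model.
            raise ValueError(f"a{i} needs {c} > {budget}")
        if used + c > budget and records[-1]:
            records.append([])
            used = 0
        records[-1].append(i)
        used += c
    return [r for r in records if r]

def records_fixed_cap(args, raw_cap):
    """Worst-case reservation: count raw bytes only, so 2 * raw_cap must fit in 8k."""
    return pack(args, lambda i, a: len(a), raw_cap)

def records_tracked(args, limit=MSG_LIMIT):
    """Track the real encoded size, so plain arguments can fill the whole limit."""
    return pack(args, encoded_len, limit)

if __name__ == "__main__":
    # Constructed sample input: 100 arguments of 72 bytes each.
    plain = [b"x" * 72 for _ in range(100)]
    binary = [b"\x01" + b"x" * 71 for _ in range(100)]
    for name, args in (("plain", plain), ("binary", binary)):
        print(name,
              "cap3500:", len(records_fixed_cap(args, 3500)),
              "cap3900:", len(records_fixed_cap(args, 3900)),
              "tracked:", len(records_tracked(args)))
```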
More information about the Linux-audit
mailing list