boot parameter question

Lenny Bruzenak lenny at magitekltd.com
Fri Jul 26 01:52:24 UTC 2019


I'm having trouble getting my "audit_backlog_limit" boot parameter
accepted.

I have the following 2 audit parameters on my boot line:

audit=1

audit_backlog_limit=8192

My /proc/cmdline shows them both once booted up.

But I'm not getting the audit_backlog_limit applied to the kernel audit
startup. I have an auditctl -b 8192 that runs from the audit.rules, and
the resulting CONFIG_CHANGE event shows "...audit_backlog_limit=8192,
old=64...".

After startup I run:

# auditctl -s

and see that I've lost 93 events.


Looking at the kernel code, I see that if the "audit=1" value is set, it
should print:

"enabled (after initialization)", which I see in both dmesg and
/var/log/messages.

The second one (audit_backlog_limit=8192) should output, IIUC:

"audit_backlog_limit: ", which I don't see anywhere.

It's as if the parameter is being ignored. I've tried moving it to a
different spot so it isn't the last on the line, etc. Nothing.

I stumbled on this because I'm not seeing the "SYSTEM_BOOT" events
anymore; I suspect they are in the missing ones.

Pretty sure I don't have a typo; I've put it into the grub config and
run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that.
Again, the parameter is there in /proc/cmdline but doesn't seem to be
accepted. No warnings about it either AFAICT.

RHEL7.6, kernel 3.10.0-957

Don't think the audit userspace version makes much difference, but it is
2.8.5.

Thanks in advance,

LCB

-- 
Lenny Bruzenak
MagitekLTD
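An added example, not part of the post: a small POSIX sh check that ties the three pieces of evidence above together (the audit_backlog_limit value on the kernel command line, the backlog_limit and lost counters from `auditctl -s`, and whether the kernel ever logged that it parsed the parameter). The command line, `auditctl -s` output and log lines below are constructed to mirror the post; the function and variable names are my own.

```shell
#!/bin/sh
# Constructed inputs mirroring the post. On a live host use
# "$(cat /proc/cmdline)", "$(auditctl -s)" and "$(dmesg)" instead.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/sda1 ro audit=1 audit_backlog_limit=8192'
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 93
backlog 0'
SAMPLE_DMESG='[    1.234567] audit: initializing netlink subsys (disabled)
[    1.234600] audit: enabled (after initialization)'

# Value of the last key=value occurrence of $2 on kernel command line $1.
cmdline_param() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tail -n 1
}

# Second column of the `auditctl -s` line whose first column is $2.
status_field() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# 0 if the kernel logged that it parsed audit_backlog_limit, 1 otherwise.
log_has_backlog_msg() {
  printf '%s\n' "$1" | grep -q 'audit_backlog_limit: '
}

# Returns 0 only when the boot parameter was parsed by the kernel, the
# runtime limit matches it, and no records were lost; prints each finding.
check_backlog() {
  cmdline=$1; status=$2; log=$3; rc=0
  want=$(cmdline_param "$cmdline" audit_backlog_limit)
  [ -n "$want" ] || { echo "no audit_backlog_limit on the command line"; return 1; }
  have=$(status_field "$status" backlog_limit)
  lost=$(status_field "$status" lost)
  log_has_backlog_msg "$log" || { echo "kernel never logged 'audit_backlog_limit: '"; rc=1; }
  [ "$want" = "$have" ] || { echo "runtime backlog_limit $have != boot parameter $want"; rc=1; }
  [ "${lost:-0}" -eq 0 ] || { echo "lost=$lost audit records were dropped"; rc=1; }
  return $rc
}

if check_backlog "$SAMPLE_CMDLINE" "$SAMPLE_STATUS" "$SAMPLE_DMESG"; then
  echo "boot-time backlog limit in effect"
fi
```

With the sample inputs the check reports the missing kernel message and the 93 lost records, which is exactly the state the post describes.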
