On Mon, Aug 22, 2022 at 10:33 PM Gaosheng Cui <[email protected]> wrote: > > Thanks for your reply. > > This is a personal idea of mine,in the process of using audit,I find that if > the audit rules are configured too much,or the server hard-disk performance > is too poor,hitting a rate limit will be easy to occur,then some logs would > be dropped directly. > I think we should print the record to the console,just likely the last thing > we want to do,better play the role of audit,and improve kernel security. > > I hope that will be helpful,thanks.
Yes, thank you for the additional information on your environment and use case. As I'm sure you already know, the audit rate limit, backlog queue depth, and other related tunables can all be configured at boot or runtime to help ensure that the system remains responsive in the face of higher audit loads. -- paul-moore.com -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
