From: Lenny Bruzenak
Subject: Re: boot parameter question
Date: Tue, 30 Jul 2019 15:52:27 -0600
In-Reply-To: <20190730213613.deuqgp433ieumuge@madcap2.tricolour.ca>
To: Richard Guy Briggs
Cc: "Linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On 7/30/19 3:36 PM, Richard Guy Briggs wrote:
> On 2019-07-30 15:06, Lenny Bruzenak wrote:
>> On 7/29/19 4:32 PM, Richard Guy Briggs wrote:
>>> It is being ignored because that kernel command line extension to the
>>> original feature was never backported to RHEL7.
>> That would definitely do it.
>>
>>> In hindsight, that would have been pretty useful without causing much
>>> risk. Normally feature backport is driven by customer demand. There
>>> was a bit of pushback when it was first introduced upstream, but this is
>>> exactly the scenario I envisioned where it would be most useful. It is
>>> possible to compile your own kernel and change the default value, but
>>> that's obviously a hurdle for most.
>> It would definitely have been useful, some might say even necessary,
>> given the audit event startup noise occurring with systemd.
> Yes, this was yet another difficulty that arose with the change to
> systemd from rhel6 to rhel7. The intent was to solve it first in fedora
> when it switched to systemd to address this since the number of startup
> messages jumped from manageable within the default backlog size to
> almost double. There are also other improvements upstream that remove
> some of the doubt about exactly how many log messages were lost.
>
>> Wow. Thanks Richard, I appreciate the answer on this.
> It is all there in fedora and RHEL8, so that is one possible route. It
> is a bit late in the RHEL7 life cycle to commit to it, but not
> impossible...

Thanks Richard, and I do appreciate the insight. For some it might be possible to switch OS baselines effortlessly; for others (including my group) it isn't.

I'm surprised other RHEL 7 consumers are not squawking; I wonder if they do not appreciate what they are not seeing? Or perhaps they are not starting as many services early in the boot sequence and therefore are getting that one?

For people who care, I'd say that examining the stats ("auditctl -s") after startup would be worthwhile to see if they are losing events. Even on fedora or RHEL8, I guess if the default is still 64 they could also be dropping relevant events they might want.

I know this isn't a new thing, and I should have been more diligent myself, just saying.

LCB

-- 
Lenny Bruzenak
MagitekLTD
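The check Lenny suggests above, written out as an added shell example (it is not part of the thread and not audit project code): parse the key/value output of `auditctl -s` (the audit 2.x format RHEL 7 ships, e.g. `backlog_limit 8192` and `lost 37`), flag a non-zero `lost` counter, and print the kernel command-line setting that would raise the early-boot queue. The sample status text below is constructed to show a host that dropped events before auditd loaded its `-b 8192` rule and raised the limit from the kernel default of 64. The remediation line assumes a kernel that honours the upstream `audit_backlog_limit=` parameter; as the thread says, the RHEL 7 kernel ignores it, so there the only options are Richard's (rebuild the kernel with a larger default, or move to RHEL 8).

```shell
# Constructed sample of `auditctl -s` output (audit 2.x key/value format).
# Values are made up: events were lost while the kernel still used the
# default backlog of 64, before auditd raised the limit to 8192.
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 37
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# status_field KEY STATUS_TEXT: print the value of KEY from auditctl -s text.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_events_lost STATUS_TEXT: succeed (exit 0) if the kernel reports
# dropped audit records. "lost" is the kernel's count of records it could
# not queue since boot; a missing field is treated as zero.
audit_events_lost() {
    lost=$(status_field lost "$1")
    [ "${lost:-0}" -gt 0 ]
}

# report STATUS_TEXT: one-line verdict plus the boot parameter that would
# apply the current (auditd-raised) limit from the very start of boot.
# Assumption: the running kernel honours audit_backlog_limit= (upstream,
# Fedora, RHEL 8); per the thread, RHEL 7 does not.
report() {
    if audit_events_lost "$1"; then
        limit=$(status_field backlog_limit "$1")
        echo "lost $(status_field lost "$1") audit events; backlog_limit is now $limit"
        echo "consider adding audit_backlog_limit=$limit to the kernel command line"
        return 1
    fi
    echo "no audit events lost"
    return 0
}

# Live use on a real host (not run here): report "$(auditctl -s)"
report "$SAMPLE_STATUS"
```

A non-zero `lost` after a clean boot, with `backlog` back at 0 and `backlog_limit` already at the auditd-configured value, is the signature of the problem discussed in the thread: the drops happened in the window between the kernel starting systemd and auditd loading its rules, and nothing in the running configuration will show them except this counter.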