From: Lenny Bruzenak
Subject: boot parameter question
Date: Thu, 25 Jul 2019 19:52:24 -0600
To: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I'm having trouble getting my "audit_backlog_limit" boot parameter accepted.

I have the following 2 audit parameters on my boot line:

audit=1

audit_backlog_limit=8192

My /proc/cmdline shows them both once booted up.

But I'm not getting the audit_backlog_limit applied to the kernel audit startup. I have an auditctl -b 8192 that runs from the audit.rules, and the resulting CONFIG_change event shows "...audit_backlog_limit=8192, old=64...".

After startup I run:

# auditctl -s

and see that I've lost 93 events.
Looking at the kernel code, I see that if the "audit=1" value is set, it should print:

"enabled (after initialization)", which I see in both dmesg and /var/log/messages.

The second one (audit_backlog_limit=8192) should output IIUC:

"audit_backlog_limit: ", which I don't see anywhere.

It's as if the parameter is being ignored. I've tried moving it to a different spot so it isn't the last on the line, etc. Nothing.

I stumbled on this because I'm not seeing the "SYSTEM_BOOT" events anymore; I suspect they are in the missing ones.

Pretty sure I don't have a typo; I've put it into the grub config and run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that. Again, the parameter is there in /proc/cmdline but doesn't seem to be accepted. No warnings about it either AFAICT.

RHEL7.6, kernel 3.10.0-957

Don't think the audit userspace version makes much difference, but it is 2.8.5.

Thanks in advance,

LCB

-- 
Lenny Bruzenak
MagitekLTD
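As an added example (not part of Lenny's message or the audit project), a small POSIX shell check that compares the audit_backlog_limit requested on the kernel command line with the limit the kernel actually reports through auditctl -s, and flags lost events. The command line and status text embedded below are constructed to mirror the symptoms in the report (8192 requested, 64 in effect, 93 lost), not captured from a real host.

```shell
#!/bin/sh
# Added example: did the kernel honour audit_backlog_limit= from the boot line?
# Inputs are passed as text so the functions run offline on the constructed
# samples below; on a live host use the call shown at the bottom.

# Print the N from audit_backlog_limit=N on a kernel command line, or "unset".
cmdline_backlog_limit() {
    for word in $1; do
        case "$word" in
            audit_backlog_limit=*) echo "${word#audit_backlog_limit=}"; return 0 ;;
        esac
    done
    echo unset
}

# Pull one field ("backlog_limit", "lost", ...) out of `auditctl -s` output.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# 0: requested limit in effect and nothing lost
# 1: boot parameter present but kernel reports a different limit (ignored)
# 2: limit applied, yet the kernel still counts lost events
check_backlog() {
    requested=$(cmdline_backlog_limit "$1")
    effective=$(status_field backlog_limit "$2")
    lost=$(status_field lost "$2")
    if [ "$requested" != unset ] && [ "$requested" != "$effective" ]; then
        echo "requested audit_backlog_limit=$requested but kernel reports $effective (lost $lost)"
        return 1
    fi
    if [ "${lost:-0}" -gt 0 ]; then
        echo "backlog_limit=$effective applied but $lost events lost"
        return 2
    fi
    echo "backlog_limit=$effective in effect, no lost events"
}

# Constructed samples (not real captures).
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 audit=1 audit_backlog_limit=8192 rhgb quiet'
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 64
lost 93
backlog 0'

check_backlog "$SAMPLE_CMDLINE" "$SAMPLE_STATUS" || echo "check exited with status $?"
# Live host: check_backlog "$(cat /proc/cmdline)" "$(auditctl -s)"
```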