Linux – auditctl buffer setting – how large is this

auditdcentoslinuxredhatSecurity

Within the default audit.rules file on CentOS 5, 6 and 7, the following is set:

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

However, there is no mention of what unit the provided number is.

The man page for auditctl is not clear:

OPTIONS
       -b backlog
              Set max number of outstanding audit buffers allowed 
              (Kernel Default=64) If all buffers  are  full,  the
              failure flag is consulted by the kernel for action.

I've seen recommendations for this value that encompass a huge range of possible numbers (320, 8192, all the way up to 32768 and beyond).

I want to make sure that the value I'm setting is sane and that I'm not merely covering the tracks of an inefficient audit.rules file.

Is there some sort of implied size of a kernel / audit buffer? What would the recommendation be here?

Best Answer

The backlog option limits the number of messages that can be queued up waiting to be written to the log. So the unit of the backlog option isn't bytes or connections, but rather 'number of audit messages'.

Choosing a sane value for this setting depends entirely on your system. I'd recommend starting out with the default and increasing it as needed. If you exceed the backlog limit, then you will see the message audit: backlog limit exceeded in your logs.

The backlog queue is stored in memory so increasing the backlog limit will increase memory consumption as the queue grows. Each message is typically just under 9000 bytes. You don't want the backlog limit too low, but you also do not want to set an insanely high value that could eat up a significant portion of your system memory.

Related Solutions

Linux – Copying a large directory tree locally? cp or rsync

I would use rsync as it means that if it is interrupted for any reason, then you can restart it easily with very little cost. And being rsync, it can even restart part way through a large file. As others mention, it can exclude files easily. The simplest way to preserve most things is to use the -a flag – ‘archive.’ So:

rsync -a source dest

Although UID/GID and symlinks are preserved by -a (see -lpgo), your question implies you might want a full copy of the filesystem information; and -a doesn't include hard-links, extended attributes, or ACLs (on Linux) or the above nor resource forks (on OS X.) Thus, for a robust copy of a filesystem, you'll need to include those flags:

rsync -aHAX source dest # Linux
rsync -aHE source dest  # OS X

The default cp will start again, though the -u flag will "copy only when the SOURCE file is newer than the destination file or when the destination file is missing". And the -a (archive) flag will be recursive, not recopy files if you have to restart and preserve permissions. So:

cp -au source dest

Linux Bash – How to Sort du -h Output by Size

As of GNU coreutils 7.5 released in August 2009, sort allows a -h parameter, which allows numeric suffixes of the kind produced by du -h:

du -hs * | sort -h

If you are using a sort that does not support -h, you can install GNU Coreutils. E.g. on an older Mac OS X:

brew install coreutils
du -hs * | gsort -h

From sort manual:

-h, --human-numeric-sort compare human readable numbers (e.g., 2K 1G)

Best Answer

Related Solutions

Linux – Copying a large directory tree locally? cp or rsync

Linux Bash – How to Sort du -h Output by Size

Related Topic