authorRichard Guy Briggs <rgb@redhat.com>2013-09-17 12:34:52 -0400
committerEric Paris <eparis@redhat.com>2014-01-13 22:28:31 -0500
commitf910fde7307be80a1a228bba969c492f61f13281 (patch)
tree9afc05db62b6fd1047defe406e88b79abc1ad2ce
parenta106fb0c67727bfbe7f5a5bbdaaa3ae7f47a8c15 (diff)
audit: add kernel set-up parameter to override default backlog limit
The default audit_backlog_limit is 64. This was a reasonable limit at one time. systemd causes so much audit queue activity on startup that auditd doesn't start before the backlog queue has already overflowed by more than a factor of 2. On a system with audit= not set on the kernel command line, this isn't an issue since that history isn't kept for auditd when it is available. On a system with audit=1 set on the kernel command line, kaudit tries to keep that history until auditd is able to drain the queue. This default can be changed by the "-b" option in audit.rules once the system has booted, but won't help with lost messages on boot. One way to solve this would be to increase the default backlog queue size to avoid losing any messages before auditd is able to consume them. This would be overkill to the embedded community and insufficient for some servers. Another way to solve it might be to add a kconfig option to set the default based on the system type. An embedded system would get the current (or smaller) default, while Workstations might get more than now and servers might get more. None of these solutions helps if a system's compiled default is too small to see the lost messages without compiling a new kernel. This patch adds a kernel set-up parameter (audit already has one to enable/disable it) "audit_backlog_limit=<n>" that overrides the default to allow the system administrator to set the backlog limit. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r--Documentation/kernel-parameters.txt4
-rw-r--r--kernel/audit.c20
2 files changed, 23 insertions, 1 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 6f138280cdef..ab86766e28cb 100644
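--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -467,6 +467,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
  Format: { "0" | "1" } (0 = disabled, 1 = enabled)
  Default: unset
 
+ audit_backlog_limit= [KNL] Set the audit queue size limit.
+ Format: <int> (must be >=0)
+ Default: 64
+
  baycom_epp= [HW,AX25]
  Format: <io>,<mode>
 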
diff --git a/kernel/audit.c b/kernel/audit.c
index b8fa4bf8563b..833f8e2003b7 100644
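--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1099,9 +1099,27 @@ static int __init audit_enable(char *str)
 
  return 1;
 }
-
 __setup("audit=", audit_enable);
 
+/* Process kernel command-line parameter at boot time.
+ * audit_backlog_limit=<n> */
+static int __init audit_backlog_limit_set(char *str)
+{
+ long int audit_backlog_limit_arg;
+ pr_info("audit_backlog_limit: ");
+ if (kstrtol(str, 0, &audit_backlog_limit_arg)) {
+ printk("using default of %d, unable to parse %s\n",
+ audit_backlog_limit, str);
+ return 1;
+ }
+ if (audit_backlog_limit_arg >= 0)
+ audit_backlog_limit = (int)audit_backlog_limit_arg;
+ printk("%d\n", audit_backlog_limit);
+
+ return 1;
+}
+__setup("audit_backlog_limit=", audit_backlog_limit_set);
+
 static void audit_buffer_free(struct audit_buffer *ab)
 {
  unsigned long flags;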
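Review bot: The `(int)audit_backlog_limit_arg` cast in audit_backlog_limit_set() is guarded only by `>= 0` on the long, so where long is wider than int a value above INT_MAX passes the check and is truncated; the stored limit can come out negative or as an unrelated small number, and the boot log then prints it as if it had been accepted. Because this limit bounds how many audit records are queued before auditd starts, a silently wrong value can mean lost boot-time audit events or a queue bound other than the one the administrator asked for. Parsing straight into an int with a range check closes the gap: `int limit; if (kstrtoint(str, 0, &limit) || limit < 0) { /* log rejection, keep default */ return 1; }`. A negative argument is currently dropped without any message saying so, and the bare `printk()` calls that follow `pr_info()` carry no `KERN_CONT`, so the message may be split across log lines. The declaration of `audit_backlog_limit` is outside the hunk; the `%d` format and the cast suggest it is an int.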