From a106fb0c67727bfbe7f5a5bbdaaa3ae7f47a8c15 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Mon, 23 Sep 2013 21:53:35 -0400 Subject: documentation: document the audit= kernel start-up parameter Add the "audit=" kernel start-up parameter to Documentation/kernel-parameters.txt. Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- Documentation/kernel-parameters.txt | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'Documentation/kernel-parameters.txt') diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index fcbb736d55fe..6f138280cdef 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -463,6 +463,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. atkbd.softrepeat= [HW] Use software keyboard repeat + audit= [KNL] Enable the audit sub-system + Format: { "0" | "1" } (0 = disabled, 1 = enabled) + Default: unset + baycom_epp= [HW,AX25] Format: , -- cgit v1.2.3 From f910fde7307be80a1a228bba969c492f61f13281 Mon Sep 17 00:00:00 2001 
From: Richard Guy Briggs Date: Tue, 17 Sep 2013 12:34:52 -0400 Subject: audit: add kernel set-up parameter to override default backlog limit The default audit_backlog_limit is 64. This was a reasonable limit at one time. systemd causes so much audit queue activity on startup that auditd doesn't start before the backlog queue has already overflowed by more than a factor of 2. On a system with audit= not set on the kernel command line, this isn't an issue since that history isn't kept for auditd when it is available. On a system with audit=1 set on the kernel command line, kaudit tries to keep that history until auditd is able to drain the queue. This default can be changed by the "-b" option in audit.rules once the system has booted, but won't help with lost messages on boot. One way to solve this would be to increase the default backlog queue size to avoid losing any messages before auditd is able to consume them. This would be overkill to the embedded community and insufficient for some servers. Another way to solve it might be to add a kconfig option to set the default based on the system type. An embedded system would get the current (or smaller) default, while Workstations might get more than now and servers might get more. None of these solutions helps if a system's compiled default is too small to see the lost messages without compiling a new kernel. This patch adds a kernel set-up parameter (audit already has one to enable/disable it) "audit_backlog_limit=" that overrides the default to allow the system administrator to set the backlog limit. Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- Documentation/kernel-parameters.txt | 4 ++++ kernel/audit.c | 20 +++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) (limited to 'Documentation/kernel-parameters.txt') diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 6f138280cdef..ab86766e28cb 100644 --- a/Documentation/kernel-parameters.txt 
+++ b/Documentation/kernel-parameters.txt @@ -467,6 +467,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Format: { "0" | "1" } (0 = disabled, 1 = enabled) Default: unset + audit_backlog_limit= [KNL] Set the audit queue size limit. + Format: (must be >=0) + Default: 64 + baycom_epp= [HW,AX25] Format: , diff --git a/kernel/audit.c b/kernel/audit.c index b8fa4bf8563b..833f8e2003b7 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1099,9 +1099,27 @@ static int __init audit_enable(char *str) return 1; } - __setup("audit=", audit_enable); +/* Process kernel command-line parameter at boot time. + * audit_backlog_limit= */ +static int __init audit_backlog_limit_set(char *str) +{ + long int audit_backlog_limit_arg; + pr_info("audit_backlog_limit: "); + if (kstrtol(str, 0, &audit_backlog_limit_arg)) { + printk("using default of %d, unable to parse %s\n", + audit_backlog_limit, str); + return 1; + } + if (audit_backlog_limit_arg >= 0) + audit_backlog_limit = (int)audit_backlog_limit_arg; + printk("%d\n", audit_backlog_limit); + + return 1; +} +__setup("audit_backlog_limit=", audit_backlog_limit_set); + static void audit_buffer_free(struct audit_buffer *ab) { unsigned long flags; -- cgit v1.2.3 From d7961148258cfe19908b5a29941a8c9f3fa7a4d6 Mon Sep 17 00:00:00 2001 From: Eric Paris Date: Mon, 13 Jan 2014 16:01:06 -0500 Subject: audit: documentation of audit= kernel parameter Further documentation of the 3 possible kernel value of the audit command line option. Signed-off-by: Eric Paris --- Documentation/kernel-parameters.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'Documentation/kernel-parameters.txt') diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index ab86766e28cb..e81e1d0d8d78 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt 
@@ -465,6 +465,14 @@ bytes respectively. Such letter suffixes can also be entirely omitted. audit= [KNL] Enable the audit sub-system Format: { "0" | "1" } (0 = disabled, 1 = enabled) + 0 - kernel audit is disabled and can not be enabled + until the next reboot + unset - kernel audit is initialized but disabled and + will be fully enabled by the userspace auditd. + 1 - kernel audit is initialized and partially enabled, + storing at most audit_backlog_limit messages in + RAM until it is fully enabled by the userspace + auditd. Default: unset audit_backlog_limit= [KNL] Set the audit queue size limit. -- cgit v1.2.3 From f3411cb2b2e396a41ed3a439863f028db7140a34 Mon Sep 17 00:00:00 2001 From: Richard Guy Briggs Date: Tue, 17 Sep 2013 12:34:52 -0400 Subject: audit: whitespace fix in kernel-parameters.txt Fixup caught by checkpatch. Signed-off-by: Richard Guy Briggs Signed-off-by: Eric Paris --- Documentation/kernel-parameters.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Documentation/kernel-parameters.txt') diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index e81e1d0d8d78..a068591ef52c 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -474,7 +474,7 @@ bytes respectively. Such letter suffixes can also be entirely omitted. RAM until it is fully enabled by the userspace auditd. Default: unset - + audit_backlog_limit= [KNL] Set the audit queue size limit. Format: (must be >=0) Default: 64 -- cgit v1.2.3
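Review bot: In the audit= entry added by a106fb0c6772, "Default: unset" sits under a Format that allows only "0" | "1", and the text never says how an unset parameter behaves compared with audit=0. Since the default is neither of the documented values, add a line describing the unset state so an administrator can tell whether leaving the parameter off is the same as disabling audit.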
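Review bot: In the audit_backlog_limit= entry (Documentation/kernel-parameters.txt hunk of f910fde7307b), the text gives a range, "must be >=0", but not what the limit counts or when it takes effect. The commit message explains that boot-time history is only queued for auditd when audit=1 is set. Saying so in the entry, and stating what a value of 0 means, would let an administrator size the parameter without reading kernel/audit.c.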
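Review bot: In audit_backlog_limit_set() (kernel/audit.c hunk of f910fde7307b), the value is parsed into a long with kstrtol() and then narrowed by `audit_backlog_limit = (int)audit_backlog_limit_arg;` after only a `>= 0` check, so where long is wider than int a value above INT_MAX is accepted and silently truncated. Parsing with kstrtoint(), or adding an upper-bound check, would reject it instead. Two smaller points in the same function: a negative argument is ignored, but the final printk then prints the unchanged default with no indication that the input was rejected; and the message is built from pr_info() without a newline followed by plain printk() calls, where pr_cont() or a single pr_info() per branch would keep the line from being split and give the continuation an explicit log level.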
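Review bot: In the audit= hunk of d7961148258c, the existing line `Format: { "0" | "1" } (0 = disabled, 1 = enabled)` is kept above the new three-state description, which now says 1 means "partially enabled" and gives unset its own behaviour. Drop or reword the parenthesised summary so the entry does not describe the same values in two different ways. Also, "can not" should be "cannot", and the "0" item lacks the full stop that ends the other two items.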