5

Within the default audit.rules file on CentOS 5, 6 and 7, the following is set:

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

However, there is no mention of what unit the provided number is.

The man page for auditctl is not clear:

OPTIONS
       -b backlog
              Set max number of outstanding audit buffers allowed 
              (Kernel Default=64) If all buffers  are  full,  the
              failure flag is consulted by the kernel for action.

I've seen recommendations for this value that encompass a huge range of possible numbers (320, 8192, all the way up to 32768 and beyond).

I want to make sure that the value I'm setting is sane and that I'm not merely covering the tracks of an inefficient audit.rules file.

Is there some sort of implied size of a kernel / audit buffer? What would the recommendation be here?

alexus
  • 13,112
  • 32
  • 117
  • 174
drew
  • 173
  • 1
  • 6

1 Answers1

6

The backlog option limits the number of messages that can be queued up waiting to be written to the log. So the unit of the backlog option isn't bytes or connections, but rather 'number of audit messages'.

Choosing a sane value for this setting depends entirely on your system. I'd recommend starting out with the default and increasing it as needed. If you exceed the backlog limit, then you will see the message audit: backlog limit exceeded in your logs.

The backlog queue is stored in memory so increasing the backlog limit will increase memory consumption as the queue grows. Each message is typically just under 9000 bytes. You don't want the backlog limit too low, but you also do not want to set an insanely high value that could eat up a significant portion of your system memory.

Elliot B.
  • 1,356
  • 2
  • 18
  • 28