SUSE / linux-security-sensor

Linux security sensor

[RFC] audit plugin rework #36

Closed jeffmahoney closed 2 years ago

jeffmahoney commented 2 years ago

This is meant for discussion, not inclusion just yet.

jeffmahoney commented 2 years ago

The updated PR that starts with commit 77798fe addresses most of the review from above. The updated 77798fe commit only contains some minor things: added some debugging messages, fixed minor bugs, cleaned up whitespace. The "meat" of the update is in the final three commits, which enable polling of the audit fd and ultimately switch it to unicast (which means it's also auditd). This allows us to keep up with thousands of messages/second without hitting ENOBUFS or dropping events. It does not also log to /var/log/audit/audit.log and that's something we'll need to sort out. It may well be that what we want there is to accept events via an auditd plugin, but I really want to get this into shape for broader testing.

lorddoskias commented 2 years ago

LGTM

jeffmahoney commented 2 years ago

This has been obsoleted by PR#40. Thanks for the review and feedback, everyone!