Kauditd hold queue overflow size

With updates and changes, the kauditd process is a bit wild now. Even with setting audit_backlog_limit=8192 I’m still getting the queue overflow problem. This is preventing the system from getting to a fully booted state. Does anyone know of a reasonably large value for this that can be applied? I can argue with the security people about this, but I’d rather just fix it if possible.

What updates and changes? I’m curious as to why you are experiencing problems so what was changed on your system that has caused it to fail to boot fully in the first place?

Without explaining what was changed on your system, how is it possible for someone to help by just providing a value to a config option? The more information we have on what was changed on your system to cause this problem, the better we can help provide a solution.

The biggest one was enabling SELinux. We had been running in Permissive mode. But we’re being asked to set as Enforcing, and that’s causing a problem. Running in Permissive mode is no problem for boot.

And you tried autorelabel? It may well be that the system requires SELinux relabeling?

I have not tried autorelabel yet. I will give that a go and see if that fixes my issue.


One of the options below can help with the autorelabel:

Obviously, as you are in permissive mode already, you won’t need to do it twice. I would leave it in permissive as you do the autorelabel, and once it’s rebooted again, then enable enforcing for SELinux and reboot once more. The second autorelabel shouldn’t be needed at this point, but you can run it again; it won’t hurt.

Yes, that worked. That’s what I was missing.

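The sequence the thread settled on (relabel while still permissive, reboot, then switch to enforcing and reboot again), as an added example that is not part of any post above. It assumes the RHEL-family layout (`/etc/selinux/config` and the `/.autorelabel` flag file, which the boot-time relabel removes when it finishes); the function names and the `ROOT` argument are hypothetical and exist so the steps can be rehearsed against a scratch directory.

```shell
#!/bin/sh
# Added example: staged SELinux relabel, then switch to enforcing.
# Assumption: RHEL-family layout (/etc/selinux/config, /.autorelabel).
# Function names and the ROOT argument are hypothetical. Pass a scratch
# directory as ROOT to rehearse, or "" to act on the real system as root.

selinux_mode() {            # print the SELINUX= value from ROOT's config
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1/etc/selinux/config" | tail -n 1
}

schedule_relabel() {        # step 1: request a relabel while still permissive
    root=$1
    if [ "$(selinux_mode "$root")" != "permissive" ]; then
        echo "refusing: config is not permissive" >&2
        return 1
    fi
    : > "$root/.autorelabel"
    echo "relabel scheduled; reboot and let it finish"
}

set_enforcing() {           # step 2: only after the relabel boot has completed
    root=$1
    cfg="$root/etc/selinux/config"
    if [ -e "$root/.autorelabel" ]; then
        echo "refusing: relabel still pending (flag file present)" >&2
        return 1
    fi
    # Write back into the existing file so it keeps its owner, mode and label.
    sed 's/^SELINUX=.*/SELINUX=enforcing/' "$cfg" > "$cfg.new" &&
        cat "$cfg.new" > "$cfg" && rm -f "$cfg.new"
    echo "config set to enforcing; reboot once more"
}
```

The guard in `set_enforcing` prevents booting in enforcing mode with unlabeled files, which is the condition that was flooding the audit queue with denials in this thread.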