audit_set_rate_limit - Linux


Overview

audit_set_rate_limit is a Linux command used to manage the rate limit of audit events generated by the Linux kernel's audit subsystem. It lets administrators cap the number of audit events that may be generated within a given time window, so that a burst of events cannot flood the audit log or starve the system.

Syntax

audit_set_rate_limit [options] <rate>

Options/Flags

  • -e, --event-type <event>: Limit rate for a specific event type.
  • -f, --format <format>: Output format: "human" or "json".
  • -h, --help: Display help information.
  • -l, --list: List current rate limits.
  • -L, --list-all: List all rate limits, including system-default ones.
  • -p, --process-name <name>: Limit rate for a specific process name.
  • -r, --remove-event-type <event>: Remove the rate limit for a specific event type.
  • -R, --remove-process-name <name>: Remove the rate limit for a specific process name.
  • -S, --show-stats: Display statistics about rate limit usage.
  • -V, --version: Display version information.

Examples

Set a rate limit of 100 events per second for the kernel's "execve" event:

audit_set_rate_limit -e execve 100

List all current rate limits:

audit_set_rate_limit -l

Remove the rate limit for the "execve" event:

audit_set_rate_limit -r execve

Common Issues

  • Rate limits must be set to a non-zero positive value.
  • Default rate limits are enforced by the kernel and cannot be removed.
  • Use the "-L" option to list all rate limits, including the system defaults.

Integration

audit_set_rate_limit can be used in conjunction with other tools for advanced auditing tasks:

  • Combine with auditctl to set audit rules and enable auditing.
  • Integrate with logwatch to monitor audit logs and trigger alerts.
  • Use with auditd to manage audit event aggregation and reporting.

Related Commands

  • auditctl: Set audit rules and configure the audit system.
  • ausearch: Search audit logs.
  • auditd: Manage audit event aggregation and reporting.