[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit_backlog_limit messages



On Wednesday 29 June 2005 19:11, David Woodhouse wrote:
> As discussed, the system isn't hung; it's just going slowly because
> every auditable action is waiting 1 minute for space on the backlog
> queue. In fact from Steve's reports it looks like auditd itself is
> getting audited again -- I'm not sure how. I wasn't able to reproduce it
> using Steve's method; I'll try yours first thing in the morning.

Just a guess. Its using ctx->pid. Maybe tsk->pid is better? I would suggest 2 
changes, though. The first is to plug the hole so that auditd doesn't get 
audited. The other step is to inspect the pid when adding to the backlog wait 
queue to make sure auditd doesn't get added to it. This way if there is 
another sneak path, auditd won't get added to wait queue.

> But for the purposes of our own testing, we generally shouldn't be getting
> into a situation where audit_panic() is called in the first place.

Well, they should check that panic really does work. I know that I don't run 
my system like that. :)

Also, the backlog limit of 256 is low. This is the default set for people who 
are not doing auditing. You should bump it up higher to maybe 1024 or 4096. 
The default config is for people collecting the occasional avc denial 
message.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]