audit_backlog_limit messages

Steve Grubb sgrubb at redhat.com
Thu Jun 30 11:01:25 UTC 2005


On Wednesday 29 June 2005 19:11, David Woodhouse wrote:
> As discussed, the system isn't hung; it's just going slowly because
> every auditable action is waiting 1 minute for space on the backlog
> queue. In fact from Steve's reports it looks like auditd itself is
> getting audited again -- I'm not sure how. I wasn't able to reproduce it
> using Steve's method; I'll try yours first thing in the morning.

Just a guess. It's using ctx->pid. Maybe tsk->pid is better? I would suggest 2
changes, though. The first is to plug the hole so that auditd doesn't get
audited. The other step is to inspect the pid when adding to the backlog wait
queue to make sure auditd doesn't get added to it. This way if there is
another sneak path, auditd won't get added to the wait queue.

> But for the purposes of our own testing, we generally shouldn't be getting
> into a situation where audit_panic() is called in the first place.

Well, they should check that panic really does work. I know that I don't run 
my system like that. :)

Also, the backlog limit of 256 is low. This is the default set for people who 
are not doing auditing. You should bump it up higher to maybe 1024 or 4096. 
The default config is for people collecting the occasional avc denial 
message.

-Steve
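As an added example (not code from this thread or from the audit-userspace project), the following script turns Steve's backlog advice into a check a defender can run against `auditctl -s` output. It assumes the modern `key value` output format and also accepts the older single-line `AUDIT_STATUS: key=value` form; the status text embedded below is a constructed sample, and the 1024 threshold is taken from the recommendation above.

```python
"""Check audit backlog settings against the advice in the thread.

Added example, not code from the linux-audit thread. It parses the text
that `auditctl -s` prints (a constructed sample is embedded below; real
output varies by audit-userspace version, and older versions print
"AUDIT_STATUS: enabled=1 flag=1 ..." on one line) and reports whether the
backlog limit, failure mode and lost-event counter look safe.
"""
import re
import subprocess

# The thread suggests raising the default backlog limit of 256 to 1024 or 4096.
RECOMMENDED_MIN_BACKLOG = 1024

# Constructed sample in the `key value` format, deliberately showing a
# low limit, lost events, a nearly full backlog and panic-on-failure.
SAMPLE_STATUS = """\
enabled 1
failure 2
pid 1124
rate_limit 0
backlog_limit 256
lost 17
backlog 250
backlog_wait_time 60000
"""


def parse_status(text):
    """Parse `auditctl -s` output into a dict of integer fields.

    Accepts both "key value" lines and the older "key=value" tokens;
    non-numeric fields (e.g. "unlocked") are ignored.
    """
    status = {}
    for key, value in re.findall(r"([a-z_]+)[ =](\d+)", text):
        status[key] = int(value)
    return status


def assess(status):
    """Return a list of findings; an empty list means nothing of concern."""
    findings = []
    limit = status.get("backlog_limit", 0)
    if limit < RECOMMENDED_MIN_BACKLOG:
        findings.append(
            f"backlog_limit {limit} is below {RECOMMENDED_MIN_BACKLOG}; "
            "the default suits occasional AVC denials, not full auditing")
    if status.get("lost", 0) > 0:
        findings.append(f"{status['lost']} events lost; raise backlog_limit")
    backlog = status.get("backlog", 0)
    if limit and backlog >= limit * 0.9:
        findings.append(f"backlog {backlog} is near the limit {limit}; "
                        "producers will block for backlog_wait_time")
    # failure flag (auditctl -f): 0 silent, 1 printk, 2 panic
    if status.get("failure") == 2:
        findings.append("failure mode is 2 (panic); a full backlog with "
                        "lost events would panic the kernel")
    return findings


def live_status():
    """Run `auditctl -s` on this host (needs root and audit-userspace)."""
    out = subprocess.run(["auditctl", "-s"], capture_output=True,
                         text=True, check=True)
    return parse_status(out.stdout)


if __name__ == "__main__":
    # Replace SAMPLE_STATUS with live_status() to check the running kernel.
    for line in assess(parse_status(SAMPLE_STATUS)) or ["no findings"]:
        print(line)
```

Raising the limit is done with `auditctl -b 4096` (or `-b` in audit.rules so it survives a reboot); the script only reports, it does not change settings.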