RHEL-AS-4.4 and auditd-1.0.14

Simon Jones sjones at tusc.com.au
Mon Feb 12 22:54:38 UTC 2007 

Hi Steve,

Thanks for the response.
>
>> I went from using the standard CAPP.rules example file to the
>> following audit.rules file:
>
> This reduces what the kernel is doing. Does this also reduce the  
> number of
> events hitting your audit logs?
>

Yes this did reduce the events hitting the logs quite considerably.

>
> I wonder if you still see the leak if you load the rules but do not  
> start the
> audit daemon? We need to see if its a kernel memory leak or user  
> space. I've
> run valgrind against auditd and do not know of any leaks.

I loaded just the rules and left it overnight and it still looks fine.

size-32             3688   3808     32  119    1 : tunables  120    
60    8 : slabdata     32     32      0

[root at blah ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=9:1, path=/etc, filterkey=ETC, perms=w, valid=0
AUDIT_WATCH_LIST: dev=9:1, path=/etc/sysconfig, filterkey=SYSCONFIG,  
perms=w, valid=0
AUDIT_WATCH_LIST: dev=9:3, path=/caer/e/cnf, filterkey=DMS_CNF,  
perms=w, valid=0
AUDIT_WATCH_LIST: dev=9:3, path=/caer/g/cnf, filterkey=GAS_CNF,  
perms=w, valid=0
AUDIT_WATCH_LIST: dev=9:1, path=/bin/su, filterkey=SBIN, perms=x,  
valid=0

>
>>
>> Whereas on a server not running the auditd daemon a cat /proc/
>> slabinfo gives:
>> After two minutes:
>> size-32             3556   3808     32  119    1 : tunables  120
>> 60    8 : slabdata     32     32      0
>> After several hours:
>> size-32             3601   3808     32  119    1 : tunables  120
>> 60    8 : slabdata     32     32      0
>
> But do you still have the CAPP rules loaded?

This was with no CAPP rules nor auditd running.

>
> No one's reported such an issue...so no one's worked on it. The  
> first step is
> determining if the problem is kernel or user space. Please load the  
> CAPP
> rules without starting the audit daemon and see what that shows.
>
> Thanks,
> -Steve

I loaded the CAPP example rules (and auditd) and it appears to leak  
very slowly.  After a couple of days it's sitting at:

size-32            84728  84728     32  119    1 : tunables  120    
60    8 : slabdata    712    712

We never saw the OOM killer in the six months that we ran with the  
CAPP example rules.

When I use the cut down CAPP rules it will kill the box within about  
2 days.

Regards,

Simon.

More information about the Linux-audit mailing list