[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Kernel oops+crash on repeated auditd restarts



Just flushing the rules (auditctl -D) would cause my ubuntu machine
running a 2.6.38 kernel to oops fairly regularly, maybe one in five
times. This was especially painful when testing new rules.

On Wed, Jan 25, 2012 at 8:45 AM, Valentin Avram <aval13 gmail com> wrote:
> Hello.
>
> Did anybody ever experience kernel oopses and even kernel crashes (after a
> while), by just restarting repeatedly the auditd daemon?
>
> I ask this because i had this problem on Dell R610 servers running Gentoo
> Linux kernels gentoo-sources-3.0.6 and gentoo-sources-2.6.37-r4 (see this
> bug: https://bugs.gentoo.org/show_bug.cgi?id=389405 ).
>
> The kernels are nothing special, just the vanilla 2.6.37 and 3.0.6 with a
> few gentoo patches (see https://lkml.org/lkml/2011/11/28/330 ).
>
> The auditd version is 2.1.3 (latest). The audit.rules file contains
> basically the following rules:
>
> -D
> -w /etc -p wa -k etc-directory
> [snip: same for /sbin, /bin, /usr/sbin, /usr/bin]
> -a exit,never -F dir=/lib/rc -k skip-lib-rc
> -w /lib -p wa -k lib-directory
> -w /usr/lib -p wa -k usr-lib-directory
> -a exit,never -F arch=b32 -S read [snip: -S for write,open,fstat,mmap etc.]
> -k excluded-syscalls
> -b 8192
>
> The bug seems to be somewhere in the fsnotify kernel part, however Gentoo
> kernel devs and ppl on lkml did not seem too interested, so.. did anybody
> notice a similar behaviour? Or better yet, is anybody willing to run on one
> of your servers this simple test: start the minimum server services, use a
> similar audit.rules configuration, then start auditd and run in a shell the
> following one-liner:
>
> while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/init.d/auditd start ;
> sleep 5 ; done
>
> This was enough to oops and crash the kernel in less than one hour on the
> servers where i did the tests. If any similar behavior happens, i'd be very
> interested to know the the kernel version and distro.
>
> Thank you for your time.
>
>
> --
> Linux-audit mailing list
> Linux-audit redhat com
> https://www.redhat.com/mailman/listinfo/linux-audit



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]