From: Steve Grubb <sgrubb@redhat.com>
To: Kangkook Jee <aixer77@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Auditd framework slowdowns (sometimes freezes) the entire system.
Date: Tue, 21 Jul 2015 14:14:07 -0400 [thread overview]
Message-ID: <1580419.1BsfLsUxHh@x2> (raw)
In-Reply-To: <6C8DEEDF-06C7-4819-A6A7-78699D733B82@gmail.com>
On Tuesday, July 21, 2015 01:23:49 PM Kangkook Jee wrote:
> With our custom audit client, we prefer not to take too much resources (CPUs
> or memory) from user machine and rather want to drop some events.
Maybe set a smaller backlog and tell it to ignore overflows?
-b 512
-f 0
> Therefore I'm trying to use audit multicast feature you mentioned
> (https://lwn.net/Articles/587166/). I found out that this feature is
> recently added and I have a few questions using it.
>
> Q1. I've gone over journald source code and found out that it issues a
> number of netlink socket api calls to join in multi-cast group and receive
> datagrams. Do you support rather cleaner api to use this feature? I
> couldn't find anything from libaudit.h.
This is one for the kernel developers.
> Q2. By joining in audit multi-cast group, can we avoid auditing the audit
> client itself? As you know, with audit_set_pid(), it prevents from
> gathering and reporting audit event for user-space audit client. We can
> expect the same thing?
You can set a rule once your program starts up and you have access to your
pid. It would be the equivalent of this:
-a never,exit -S all -F pid=<pid>
> Q3. By only having a read-only user-space audit client and not having
> bi-direction audit client running from the system, are we going to see
> audit entries logged from default system log frameworks which output to
> /var/log/kernel.log (Debian family), syslog, or dmesg?
You should not. I know you said you looked at Journald as an example of how to
do it. It might be joining a lot more than audit. I haven't looked.
> Q4. Our environment for deployment comprises many different types of legacy
> distributions (i.e., CentOS 5 or 6, Ubuntu 12.04 ...), could you inform me
> from what audit version (or kernel version) audit multicast is supported?
It seems to be 3.16.
> Q5. I'm also considering another design choice to use *rate_limit* to limit
> the amount of audit messages delivered to user-level client. Do you think
> kauditd will drop some messages with this setting enabled?
I have not played with it. Maybe one of the kernel developers has an opinion.
I am pretty sure you can just ignore queue overflows, though.
-Steve
next prev parent reply other threads:[~2015-07-21 18:14 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-16 12:38 Auditd framework slowdowns (sometimes freezes) the entire system Kangkook Jee
2015-07-16 12:56 ` Steve Grubb
2015-07-21 17:23 ` Kangkook Jee
2015-07-21 18:14 ` Steve Grubb [this message]
2015-07-21 23:02 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1580419.1BsfLsUxHh@x2 \
--to=sgrubb@redhat.com \
--cc=aixer77@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.