Re: buffer space

[LC Bruzenak <lenny@magitekltd.com>]

On Tue, 2009-08-18 at 09:02 -0400, David Flatley wrote:
> When I do "service auditd rotate" I am getting in
> the /var/log/messages the following:
> 
> Error receiving audit netlink packet (No buffer space available)
> Error sending signal_info request (No buffer space available) 
> 
> At the same time I am running a regression test that is generating 20
> meg audit logs every six to eight minutes.
> 
> Is this a concern?
> 
> David Flatley 
> 

David,

What I believe is happening is that you are generating an abnormal
amount of audit data in your regression test. That's OK, but I think
when you do the rotate the auditd suspends disk writes while it waits
for the rotate to complete. 

IIRC, the rotate starts with the highest number log, rolls it to the
next higher number. Then it decrements the counter and repeats. So
log.13->log.14, then log.12->log.13, etc., and eventually moves
audit.log to audit.log.1. Then a new audit.log is created and the flow
resumes.

While this happens, you are stacking up events from the kernel and
eventually run out of space. On some machines where the log files are in
the hundreds (I had around 300) I have seen the rotate take an
appreciable amount of time.

So you are probably dropping events when you get the above messages and
I guess that is for you to decide if you are concerned about this for
the duration of the test.

This sounds like an instance of where you know that some application
will generate huge amounts of AVC data you do not want to see in the
logs, and ideally you would block those events with a rule. However,
last week I believe, Steve noted that under the current kernel code (and
probably auditctl rules) you cannot selectively exclude AVCs.

LCB.
-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com