public inbox for linux-audit@redhat.com
From: Eric Paris <eparis@redhat.com>
To: Aaron Lewis <the.warl0ck.1989@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: kauditd is writing too many lines in syslog
Date: Mon, 20 Jan 2014 15:43:17 -0500
Message-ID: <1390250597.21885.24.camel@localhost>
In-Reply-To: <CAJZVxRmHA1+z45Qra28bmy1P+hkZzOOYczdpudr_YSoOJeJB7g@mail.gmail.com>

On Mon, 2014-01-20 at 12:45 +0800, Aaron Lewis wrote:
> Hi,
> 
> I'm not sure if this is the default behavior,
> 
> I'm using audit 2.3.2, and I've configured auditd not to log anything
> (NOLOG option), and I set the queue buffer to 10240 messages.
> 
> When the buffer is full or auditd is suddenly killed or for some other
> reason, it seems to write a lot of things to dmesg or
> /var/log/messages
> 
> So, did kauditd write all these? I already killed the auditd process but I
> can still see logs piling up.
> 
> Can I ask kauditd not to print anything if the user space program cannot
> handle that many messages?

Hmmm, no.  If the buffer overflows you will get messages about lost
audit records in printk.  We have no way to silence those.

If auditd is not running we dump audit messages to dmesg/printk.  (and
rate limit them).  We don't have a way to turn that off (and people in
general seem to like it).

So, no, we can't do what you want today.  (You can run auditctl -e 0 to
get them to stop)

If you are a Red Hat customer I would suggest opening a support case
requesting this new feature.  If not, you may feel free to open a
bugzilla at bugzilla.redhat.com and explain what you are doing and what
you want.  We will get to it as time allows.

If you have the chops to work on it yourself, you'll want to implement a
new 'audit feature'.  You can look at kernel commit 21b85c31d23f2047d47
for an example of a new feature.  Then likely check out
kernel/audit.c::audit_printk_skb().  If your new feature is true you'll
want to skip all of that function, except the audit_hold_skb().

Shouldn't be too hard to do....

-Eric
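The situation Eric describes above (auditd gone or its backlog full, kauditd falling back to printk and counting lost records) can be spotted from `auditctl -s` and from dmesg before the syslog fills up. The script below is an added example for this thread, not code from either poster or from the audit project: it parses the multi-line `auditctl -s` output format and the kernel's `audit: audit_lost=... audit_backlog_limit=...` line (both formats assumed from the audit 2.x userspace and kernel/audit.c of that era), on constructed sample text, and reports why records would be landing in printk.

```python
import re

# Constructed sample of `auditctl -s` output. The one-field-per-line layout
# is what audit 2.x userspace prints (assumption); values are made up, with
# backlog_limit matching the 10240 mentioned in the thread.
SAMPLE_STATUS = """\
enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 10240
lost 437
backlog 10240
"""

# Constructed dmesg excerpt. The first two lines are modelled on the kernel's
# audit_log_lost() messages; the rest are audit records the kernel printk()s
# when no auditd is registered to receive them.
SAMPLE_DMESG = """\
[12345.678901] audit: audit_lost=437 audit_rate_limit=0 audit_backlog_limit=10240
[12345.678950] audit: backlog limit exceeded
[12346.001000] audit: type=1300 audit(1390203900.123:4567): arch=c000003e syscall=2 success=yes exit=3
[12346.002000] audit: type=1300 audit(1390203900.124:4568): arch=c000003e syscall=2 success=yes exit=4
"""

STATUS_RE = re.compile(r"^(\w+)\s+(-?\d+)\s*$")
LOST_RE = re.compile(r"audit: audit_lost=(\d+)")
RECORD_RE = re.compile(r"audit: type=\d+ audit\(")


def parse_status(text):
    """Parse `auditctl -s` style 'key value' lines into a dict of ints."""
    status = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            status[m.group(1)] = int(m.group(2))
    return status


def assess_status(status, backlog_warn=0.8):
    """Return findings explaining why audit records may be going to printk.

    pid=0 means no auditd has registered with the kernel, so records are
    printk'd; lost>0 means the backlog overflowed; a backlog near its limit
    means overflow is imminent.
    """
    findings = []
    if status.get("enabled", 0) == 0:
        # auditctl -e 0: nothing is generated, so nothing reaches syslog.
        findings.append("audit disabled (enabled=0): no records are generated")
        return findings
    if status.get("pid", 0) == 0:
        findings.append("no auditd registered (pid=0): kernel will printk records")
    lost = status.get("lost", 0)
    if lost > 0:
        findings.append(f"{lost} records lost (lost={lost})")
    limit = status.get("backlog_limit", 0)
    backlog = status.get("backlog", 0)
    if limit and backlog >= backlog_warn * limit:
        findings.append(
            f"backlog {backlog}/{limit} at or above {int(backlog_warn * 100)}% of limit"
        )
    return findings


def summarize_dmesg(text):
    """Count printk'd audit records and the highest audit_lost counter seen."""
    records = 0
    max_lost = 0
    for line in text.splitlines():
        if RECORD_RE.search(line):
            records += 1
        m = LOST_RE.search(line)
        if m:
            max_lost = max(max_lost, int(m.group(1)))
    return {"records_in_dmesg": records, "max_lost": max_lost}


if __name__ == "__main__":
    for finding in assess_status(parse_status(SAMPLE_STATUS)):
        print("status:", finding)
    print("dmesg:", summarize_dmesg(SAMPLE_DMESG))
```

On a live box, feed `subprocess.run(["auditctl", "-s"], ...)` and `dmesg` output into the same two functions; the `enabled=0` branch is there so the check stays quiet after the `auditctl -e 0` workaround Eric mentions.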

Thread overview: 7+ messages
2014-01-20  4:45 kauditd is writing too many lines in syslog Aaron Lewis
2014-01-20  5:11 ` Aaron Lewis
2014-01-20 17:36 ` Richard Guy Briggs
2014-01-20 17:40   ` Steve Grubb
2014-01-20 18:24     ` Richard Guy Briggs
2014-01-20 18:34       ` Aaron Lewis
2014-01-20 20:43 ` Eric Paris [this message]