From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: kauditd is writing too many lines in syslog
Date: Mon, 20 Jan 2014 15:43:17 -0500
Message-ID: <1390250597.21885.24.camel@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Aaron Lewis
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Mon, 2014-01-20 at 12:45 +0800, Aaron Lewis wrote:
> Hi,
>
> I'm not sure if this is the default behavior.
>
> I'm using audit 2.3.2, and I've configured auditd not to log anything
> (NOLOG option), and I set the queue buffer to 10240 messages.
>
> When the buffer is full or auditd is suddenly killed or for some other
> reason, it seems to write a lot of things to dmesg or
> /var/log/messages.
>
> So, did kauditd write all these? I already killed the auditd process but I
> can still see logs piling up.
>
> Can I ask kauditd not to print anything if the user space program cannot
> handle that many messages?

Hmmm, no. If the buffer overflows you will get messages about lost
audit records in printk. We have no way to silence those.

If auditd is not running we dump audit messages to dmesg/printk (and
rate limit them). We don't have a way to turn that off (and people in
general seem to like it).

So, no, we can't do what you want today. (You can run auditctl -e 0 to
get them to stop.)

If you are a Red Hat customer I would suggest opening a support case
requesting this new feature. If not, you may feel free to open a
bugzilla at bugzilla.redhat.com and explain what you are doing and what
you want. We will get to it as time allows.

If you have the chops to work on it yourself, you'll want to implement
a new 'audit feature'. You can look at kernel commit
21b85c31d23f2047d47 for an example of a new feature.

Then likely check out kernel/audit.c::audit_printk_skb(). If your new
feature is true you'll want to skip all of that function, except the
audit_hold_skb(). Shouldn't be too hard to do....

-Eric
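From a monitoring point of view, the behaviour Eric describes (records dumped to printk when auditd is not consuming them, plus "lost record" counters when the backlog or printk rate limit is hit) is itself a useful signal that auditd has died or stalled. The following is an added example, not code from the thread or from the audit project: it parses a constructed dmesg excerpt and reports how many records spilled into the kernel log and how far the `audit_lost` counter advanced. The exact line formats (`type=N audit(ts:serial):` and `audit: audit_lost=N ...`) are assumed from kernel/audit.c's printk fallback and `audit_log_lost()`; the regexes only require those substrings, so prefix differences between kernel versions do not matter.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample kernel-log lines (not from the original thread).
# Line formats are an assumption based on kernel/audit.c.
SAMPLE_DMESG = """\
[ 1201.001] audit: type=1400 audit(1390250597.123:4501): avc:  denied  { read } for  pid=2342 comm="foo"
[ 1201.002] audit: type=1300 audit(1390250597.124:4502): arch=c000003e syscall=2 success=yes
[ 1201.900] audit: audit_lost=7 audit_rate_limit=0 audit_backlog_limit=10240
[ 1201.900] audit: printk limit exceeded
[ 1202.100] audit: type=1300 audit(1390250598.001:4503): arch=c000003e syscall=59 success=yes
[ 1202.500] audit: audit_lost=12 audit_rate_limit=0 audit_backlog_limit=10240
[ 1202.500] audit: backlog limit exceeded
"""

# An audit record that reached the kernel log instead of the auditd socket.
RECORD_RE = re.compile(r"\btype=(\d+) audit\(\d+\.\d+:\d+\)")
# The running counter printed by audit_log_lost() (assumed format).
LOST_RE = re.compile(r"\baudit_lost=(\d+)")


@dataclass
class AuditSpillReport:
    spilled_records: int = 0                      # records seen in the kernel log
    record_types: Dict[int, int] = field(default_factory=dict)
    lost_first: Optional[int] = None              # first audit_lost value seen
    lost_last: Optional[int] = None               # last audit_lost value seen

    @property
    def newly_lost(self) -> int:
        """Records dropped within this excerpt (counter delta, not absolute)."""
        if self.lost_first is None or self.lost_last is None:
            return 0
        return self.lost_last - self.lost_first


def analyse_kernel_log(lines: List[str]) -> AuditSpillReport:
    """Walk kernel-log lines and tally spilled records and lost-record counters."""
    report = AuditSpillReport()
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            rec_type = int(m.group(1))
            report.spilled_records += 1
            report.record_types[rec_type] = report.record_types.get(rec_type, 0) + 1
            continue
        m = LOST_RE.search(line)
        if m:
            lost = int(m.group(1))
            if report.lost_first is None:
                report.lost_first = lost
            report.lost_last = lost
    return report


def auditd_looks_down(report: AuditSpillReport) -> bool:
    """Any audit record in the kernel log means auditd was not there to take it."""
    return report.spilled_records > 0
```

On a live host the same functions can be fed the output of `dmesg` or the kernel facility of syslog; a non-zero `newly_lost` alongside spilled records is the case Aaron is seeing, where both the printk path and the backlog are overflowing.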