From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Auditd framework slowdowns (sometimes freezes) the entire system. Date: Tue, 21 Jul 2015 14:14:07 -0400 Message-ID: <1580419.1BsfLsUxHh@x2> References: <09D2CD6A-EA4F-4925-BAB5-44086B86424B@gmail.com> <2121523.C9610qWeF3@x2> <6C8DEEDF-06C7-4819-A6A7-78699D733B82@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <6C8DEEDF-06C7-4819-A6A7-78699D733B82@gmail.com> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Kangkook Jee Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Tuesday, July 21, 2015 01:23:49 PM Kangkook Jee wrote: > With our custom audit client, we prefer not to take too much resources (CPUs > or memory) from user machine and rather want to drop some events. Maybe set a smaller backlog and tell it to ignore overflows? -b 512 -f 0 > Therefore I'm trying to use audit multicast feature you mentioned > (https://lwn.net/Articles/587166/). I found out that this feature is > recently added and I have a few questions using it. > > Q1. I've gone over journald source code and found out that it issues a > number of netlink socket api calls to join in multi-cast group and receive > datagrams. Do you support rather cleaner api to use this feature? I > couldn't find anything from libaudit.h. This is one for the kernel developers. > Q2. By joining in audit multi-cast group, can we avoid auditing the audit > client itself? As you know, with audit_set_pid(), it prevents from > gathering and reporting audit event for user-space audit client. We can > expect the same thing? You can set a rule once your program starts up and you have access to your pid. It would be the equivalent of this: -a never,exit -S all -F pid= > Q3. By only having a read-only user-space audit client and not having > bi-direction audit client running from the system, are we going to see > audit entries logged from default system log frameworks which output to > /var/log/kernel.log (Debian family), syslog, or dmesg? You should not. I know you said you looked at Journald as an example of how to do it. It might be joining a lot more than audit. I haven't looked. > Q4. Our environment for deployment comprises many different types of legacy > distributions (i.e., CentOS 5 or 6, Ubuntu 12.04 ...), could you inform me > from what audit version (or kernel version) audit multicast is supported? It seems to be 3.16. > Q5. I'm also considering another design choice to use *rate_limit* to limit > the amount of audit messages delivered to user-level client. Do you think > kauditd will drop some messages with this setting enabled? I have not played with it. Maybe one of the kernel developers has an opinion. I am pretty sure you can just ignore queue overflows, though. -Steve