From: Steve Grubb
Subject: Re: audit_pid with multiple userspace auditd processes
Date: Wed, 7 Jan 2009 17:41:19 -0500
Message-ID: <200901071741.20531.sgrubb@redhat.com>
In-Reply-To: <1231364199.31089.61.camel@localhost.localdomain>
To: Eric Paris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 07 January 2009 04:36:39 pm Eric Paris wrote:
> Let's say userspace starts 2 copies of auditd.

# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=4488 rate_limit=0 backlog_limit=512 lost=1
backlog=0
# /sbin/auditd
# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=512 lost=1
backlog=0
# ps -ef | grep auditd
root       580     2  0 08:19 ?        00:00:00 [kauditd]
root      4488     1  0 16:35 ?        00:00:00 auditd
root      5128  3654  0 17:33 pts/1    00:00:00 grep auditd

> Then they kill the first copy.  The kernel at that point thinks there is no
> userspace auditd running and will instead send things to dmesg

Looks to me like the kernel is setting auditd_pid to 0 and the second auditd
does not start - at least with my current setup.

For some other setups, it probably overwrites the pid with the new one and
keeps going.

> We could fix it by changing the handling in audit_receive_msg to reject
> setting the audit_pid to 0 if the current audit_nlk_pid !=
> NETLINK_CB(skb).pid.

Well, what if the first crashed and the kernel didn't know it yet? It might be
better to forcibly break the connection to the original auditd.

> It's not a big deal, maybe we just call the results of audit with multiple
> userspace auditds running at the same time undefined and not care.

What do you get for auditctl -s before and after starting your second auditd?

-Steve
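The following is an added illustration, not code from the thread or from the kernel: a small userspace model of the two AUDIT_SET pid policies being discussed, replaying the sequence Steve observed (first auditd registered as 4488, second auditd starts, fails and clears the pid on exit) and the crashed-daemon caveat he raises. Netlink port numbers, the struct, the function names and the assumption that the failing second auditd sends pid=0 on its way out are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy model of the kernel's registered-auditd state. Field names follow the
 * thread (audit_pid, audit_nlk_pid); everything else is constructed. */
struct audit_state {
    uint32_t audit_pid;     /* pid the kernel believes is auditd; 0 = none, log to printk */
    uint32_t audit_nlk_pid; /* netlink port of the socket that registered that pid */
};

/* Current behaviour: any AUDIT_SET carrying a pid overwrites both fields. */
static void set_pid_unchecked(struct audit_state *s, uint32_t sender_nlk, uint32_t new_pid)
{
    s->audit_pid = new_pid;
    s->audit_nlk_pid = sender_nlk;
}

/* Proposed behaviour: a clear (pid=0) is accepted only from the socket that
 * registered. Returns false when the request is rejected. */
static bool set_pid_checked(struct audit_state *s, uint32_t sender_nlk, uint32_t new_pid)
{
    if (new_pid == 0 && s->audit_nlk_pid != sender_nlk)
        return false;
    s->audit_pid = new_pid;
    s->audit_nlk_pid = new_pid ? sender_nlk : 0;
    return true;
}

/* Replay the thread's sequence with constructed netlink ports: auditd A
 * (pid 4488, port 4488) registers; auditd B (port 5000) starts, fails, and
 * sends pid=0 on exit (assumption). Returns the audit_pid the kernel keeps. */
static uint32_t replay_second_daemon_exits(bool checked)
{
    struct audit_state s = { 0, 0 };
    set_pid_unchecked(&s, 4488, 4488);      /* A registers; identical under both policies */
    if (checked)
        set_pid_checked(&s, 5000, 0);        /* rejected: A's registration survives */
    else
        set_pid_unchecked(&s, 5000, 0);      /* B's clear wipes A, matching auditctl -s pid=0 */
    return s.audit_pid;
}

/* The caveat from the reply: if A has crashed without the kernel noticing,
 * the check cannot tell that case from a live A, so a clear from any other
 * socket is refused and a dead pid stays registered. */
static uint32_t replay_first_daemon_crashed(void)
{
    struct audit_state s = { 4488, 4488 };   /* A's registration outlives A */
    set_pid_checked(&s, 5000, 0);            /* rejected: port 4488 no longer answers */
    return s.audit_pid;                      /* still 4488 */
}
```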