From: pg@aud.list.sabi.co.UK (Peter Grandi)
To: Linux audit <linux-audit@redhat.com>
Subject: Re: peculiar disappearance of most audit rules
Date: Wed, 23 Apr 2014 09:04:45 +0100
Message-ID: <21335.29725.410585.629604@tree.ty.sabi.co.uk>
In-Reply-To: <21334.54971.174073.755376@tree.ty.sabi.co.uk>
[ ... ]
> Thus I have come up with a potential explanation:
> * The 'audit' module does not identify the watched file and
> directory by (device,ino) but by a pointer to an inode table
> entry, a bit like a filesystem module would.
I had a look at the code and it seems it relies on 'inotify' and
the code does get pointers at the relevant in-memory inode
descriptors.
> * During treewalks a lot of inodes get cached in the in-memory
> inode table.
> * This creates pressure on the inode tables and thus the least
> used (in some sense) inodes get evicted, and this includes
> those for the "disappearing directories".
> * When these least used inodes are evicted the 'audit' module
> sees it as if it was a removal of the inode.
To corroborate this I have been running:
  # For each directory listed in audit-names.txt, start a 'sleep'
  # whose current directory is that directory, so the directory
  # stays in use; re-spawn the set every 3001 seconds.
  while true
  do
      for D in $(< audit-names.txt)
      do (cd "$D" && exec sleep 3001)&
      done
      sleep 3001
  done
Which has the effect of marking the relevant directories as the
active current directories of each 'sleep' process, and none of
those directories were "disappeared" from the 'audit' active
rules list.
The 'inotify' code has a comment that claims:
> * inode: Pinned so long as the inode is associated with a watch, from
> * inotify_add_watch() to the final put_inotify_watch().
They use 'igrab'/'iput', and 'audit_tree.c' and 'audit_watch.c'
use them, so I wonder what is missing.
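A check for the failure mode this thread is about, added here as an example and not part of the original message: it compares the list of paths that should carry an audit watch against the rules actually loaded (the output of `auditctl -l`) and reports any watch that has silently dropped out. The file names, the sample paths and the sample `auditctl -l` lines in the demo are constructed, not taken from the thread.

```shell
#!/bin/sh
# Compare the paths that should carry an audit watch with the watches
# actually loaded, as listed by `auditctl -l`, and print the ones that
# have silently dropped out. Paths containing whitespace are not handled.

# Print the path argument of every "-w" watch rule in a rules file.
watched_paths() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "-w") print $(i + 1) }' "$1"
}

# Usage: missing_watches EXPECTED_FILE RULES_FILE
#   EXPECTED_FILE: one path per line (same shape as audit-names.txt)
#   RULES_FILE:    captured output of `auditctl -l`, one rule per line
# Prints each expected path with no matching watch; returns 1 if any.
missing_watches() {
    expected=$1
    rules=$2
    watched=$(watched_paths "$rules")
    status=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$watched" | grep -Fxq -- "$path"; then
            printf '%s\n' "$path"
            status=1
        fi
    done < "$expected"
    return "$status"
}

# Demo on constructed input (hypothetical paths, not from the thread):
# four expected watches, two of which are no longer loaded.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' /etc /var/log/audit /srv/data /home/shared > "$dir/expected.txt"
    cat > "$dir/rules.txt" <<'EOF'
-w /etc -p wa -k etc_changes
-w /var/log/audit -p wa -k audit_log
-a always,exit -F arch=b64 -S execve -k exec
EOF
    if missing_watches "$dir/expected.txt" "$dir/rules.txt"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Live use: auditctl -l > rules.txt; missing_watches audit-names.txt rules.txt
```

Run from cron, a non-zero exit (or any printed path) flags that a watch vanished from the active rule list without anyone deleting it.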