Linux-audit Archive on lore.kernel.org
From: Steve Grubb <sgrubb@redhat.com>
To: Richard Briggs <rgb@redhat.com>, Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
Subject: Lost events during boot
Date: Sun, 19 Mar 2017 21:46:09 -0400
Message-ID: <3997070.g5Zg3o8xPs@x2>

Hello Richard and Paul,

I was going to do a blog write up about booting the system with 
audit_backlog_limit=8192 for STIG users and have stumbled on to a mystery. The 
kernel initializes the variable to 64 at power on. During boot, if audit == 1, 
then it holds events in the hopes that an audit daemon will show up later and 
drain all the events. Anything over 64 events should fall off the end and 
increment the lost counter and put a notice in syslog.

However, when booting with audit_backlog_limit=8192, as soon as I log in and run 
"auditctl -s", I can see I've lost 73 events. Then I run "aureport --start boot" 
and I see 644 total events. This is nowhere near the 8192 limit that I asked 
for. So, why am I losing events?

Additionally, I checked the logs and there is absolutely no message in syslog 
showing that I've lost events. This is with failure mode set to 1 - which is 
default at power on. And this is in spite of the fact that the source code 
seems to show that it should have printk'ed something.

Any ideas? Can you replicate this finding?

-Steve
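As an added illustration (not kernel code, not audit-userspace code, and not part of Steve's mail), the following Python models the behaviour the mail describes: a bounded backlog that holds records until a daemon connects, a `lost` counter for every record that does not fit, and a one-time notice the first time a record is dropped. It also parses `auditctl -s` style output ("key value" per line, which is the format the tool prints) and flags a non-zero `lost` count. The backlog model is deliberately simplified, the notice text is a constructed placeholder rather than the kernel's exact printk, and the sample status output is constructed from the numbers in the mail.

```python
"""Model of the audit backlog plus a checker for `auditctl -s` output.

Added example, not kernel or audit-userspace code. The model keeps a
bounded FIFO of pending records (the backlog), counts every record that
does not fit in `lost`, and records a notice the first time one is dropped.
"""
from collections import deque
from dataclasses import dataclass, field

DEFAULT_BACKLOG_LIMIT = 64  # the value the kernel starts with at power on


@dataclass
class AuditBacklog:
    limit: int = DEFAULT_BACKLOG_LIMIT
    queue: deque = field(default_factory=deque)
    lost: int = 0
    notices: list = field(default_factory=list)

    def enqueue(self, record: str) -> bool:
        """Hold a record for a daemon that has not connected yet.

        A limit of 0 means unlimited. Returns False and counts the record
        as lost when the backlog is already full.
        """
        if self.limit and len(self.queue) >= self.limit:
            self.lost += 1
            if self.lost == 1:
                # placeholder for the notice the kernel logs on the first drop
                self.notices.append(
                    f"audit: backlog={len(self.queue)} exceeds backlog_limit={self.limit}"
                )
            return False
        self.queue.append(record)
        return True

    def drain(self) -> list:
        """The daemon connects and reads everything that was held."""
        held = list(self.queue)
        self.queue.clear()
        return held


def simulate_boot(num_events: int, limit: int) -> AuditBacklog:
    """Generate `num_events` boot-time records before any daemon connects."""
    backlog = AuditBacklog(limit=limit)
    for i in range(num_events):
        # constructed placeholder record; real records carry type=, msg=audit(...) etc.
        backlog.enqueue(f"type=SYSCALL msg=audit(boot.{i}): ...")
    return backlog


def parse_auditctl_status(text: str) -> dict:
    """Parse `auditctl -s` output ("key value" per line) into a dict.

    Numeric values become ints; anything else is kept as a string.
    """
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        try:
            status[key] = int(value)
        except ValueError:
            status[key] = value
    return status


def check_lost_events(status: dict) -> list:
    """Return human-readable findings about lost events and the backlog limit."""
    findings = []
    lost = status.get("lost", 0)
    if lost > 0:
        findings.append(
            f"{lost} audit events lost; backlog_limit={status.get('backlog_limit')}, "
            "check syslog for the kernel notice"
        )
    if status.get("backlog_limit", 0) <= DEFAULT_BACKLOG_LIMIT:
        findings.append(
            "backlog_limit is at the power-on default; set audit_backlog_limit= "
            "on the kernel command line if boot-time events matter"
        )
    return findings


# Constructed sample output modelled on the numbers in the mail (73 lost, limit 8192).
SAMPLE_STATUS = """enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 73
backlog 0
"""

if __name__ == "__main__":
    for limit in (DEFAULT_BACKLOG_LIMIT, 8192):
        b = simulate_boot(644, limit)
        print(f"limit={limit}: held={len(b.queue)} lost={b.lost} notices={b.notices}")
    for finding in check_lost_events(parse_auditctl_status(SAMPLE_STATUS)):
        print("finding:", finding)
```

With the power-on default of 64, 644 boot events leave 580 lost and one notice; with a limit of 8192 the model loses nothing, which is the expectation the mail sets out and which the observed `lost 73` contradicts.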

Thread overview: 9+ messages
2017-03-20  1:46 Steve Grubb [this message]
2017-03-20 12:08 ` Lost events during boot Paul Moore
2017-03-20 14:44   ` Paul Moore
2017-03-20 14:55     ` Paul Moore
2017-03-20 15:08       ` Steve Grubb
2017-03-21  8:04     ` Richard Guy Briggs
2017-03-21 11:30       ` Paul Moore
2017-03-20 15:05   ` Steve Grubb
2017-03-20 19:25     ` Paul Moore
