From: Steve Grubb
Subject: Re: Failure flag "0" doesn't work
Date: Thu, 20 Aug 2015 20:14:07 -0400
To: linux-audit@redhat.com, burn@swtf.dyndns.org
List-Id: linux-audit@redhat.com

On Friday, August 21, 2015 08:15:41 AM Burn Alting wrote:
> One assumes the audit_failure variable has been set in the kernel
> (kernel/audit.c). Perhaps you can test this.

Yes, that is where it gets written to.

> Given you can get a copy of the kernel source you are running, perhaps
> trace through what's happening. Using the messages
> before/during/directly after the death of auditd, and what's routing to
> dmesg, perhaps you can reverse engineer what is happening.
>
> Perhaps someone else on the list can explain why, given -f is set to 0,
> and the kernel has no user space destination for audit, it still prints
> (via printk()?)

The explanation of what the failure flag does is explained in the auditctl man pages:

"This option lets you determine how you want the kernel to handle critical errors. Example conditions where this mode may have an effect includes: transmission errors to userspace audit daemon, backlog limit exceeded, out of kernel memory, and rate limit exceeded."

Note that a dead audit daemon is not included in what it covers.

> On Thu, 2015-08-20 at 13:17 +0300, Alex Beljanski wrote:
> > We have custom audit-dispatcher for process events. On some servers
> > when auditd fails, all audit messages write to kernel.

This is expected when the audit system is enabled.
> > We don't want to see all these messages in dmesg and set failure flag
> > to "0". This doesn't help.

Correct. For _events_ to not be written to syslog, the audit system has to be disabled. You would run "auditctl -e 0" to turn off the audit system. OR if you are using rsyslog, then you can probably write a filter so that it removes audit events as it finds them.

-Steve
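One concrete form of the rsyslog filter Steve suggests, added here as an example and not part of the thread. It assumes rsyslog 7 or later (RainerScript syntax), that the kernel-printed audit records reach rsyslog with facility kern and carry the "audit(" stamp in the message text, and an arbitrary drop-in file path.

```rsyslog
# /etc/rsyslog.d/10-kernel-audit.conf  (assumed drop-in path)
#
# Audit records printed by the kernel (the ones that show up in dmesg
# when no auditd is there to receive them) arrive on the kern facility
# with an "audit(<time>:<serial>)" stamp in the message text.
# Rather than discarding them outright, divert them to their own file
# so the trail is kept until auditd is back, then stop processing so
# they never reach the general system log.
if ($syslogfacility-text == "kern" and $msg contains "audit(") then {
    action(type="omfile" file="/var/log/kernel-audit.log")
    stop
}
```

Rules are evaluated in the order they are loaded, so this file must be included before the catch-all rule that writes to the main system log, or the records will already have been delivered.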