<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
 /* List Definitions */
 @list l0
        {mso-list-id:371077243;
        mso-list-type:hybrid;
        mso-list-template-ids:333197940 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l1
        {mso-list-id:558634195;
        mso-list-type:hybrid;
        mso-list-template-ids:779381068 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2
        {mso-list-id:1899433187;
        mso-list-type:hybrid;
        mso-list-template-ids:311451504 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;
        font-family:Symbol;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=WordSection1>

<p class=MsoNormal>All:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>I&rsquo;ve seen the following situation occur on 2 machines
now, for a total of 3 incidents:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Audisp-remote runs normally on 5 separate servers,
the problem happens on two that are configured the same as the other 3.<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Audisp-remote runs normally on the problem
servers for days to weeks at a time without problems. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>For an unidentified reason (nothing that I can
find in any system log) audisp-remote stops sending messages to the central log
server. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Some hours or days later (depending on audit
event activity) audisp-remote consumes all system memory and swap space. In my
case because of the nature of my directory tree watches for my web content this
usually happens when the web content is being regenerated from scratch by our
build server. The memory consumption happens very rapidly. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>One server is configured with 8GB of RAM and 2GB
of swap; the second server has 12GB of RAM and 2GB of swap. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>The system becomes completely unresponsive until
enough time goes by for some critical need for memory to arise and the OOM
Killer kicks in and starts reaping enough tasks to allow me to get in and
shut down auditd. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l2 level1 lfo1'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>At this point the system returns to normal, and
if I restart auditd it resumes normal operation. <o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>Here is a ps aux taken when it happened today on the 12GB
machine:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<pre style='margin-left:.5in;font-family:monospace'>USER       PID %CPU %MEM      VSZ      RSS TTY  STAT START   TIME COMMAND
root      1106  0.0  0.0        0        0 ?    S&lt;   Oct12   0:36 [kauditd]
root      4768  0.1  0.0    92880      500 ?    S&lt;sl Oct17  26:22 auditd
root      4770  0.2  0.1   212984    12984 ?    S&lt;sl Oct17  31:49 /sbin/audispd
root      4771  0.0 96.7 28631936 11899072 ?    S&lt;   Oct17   7:52 /sbin/audisp-remote</pre>

<p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p>

<p class=MsoNormal>Priorities for each audit task are:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<pre style='margin-left:.5in;font-family:monospace'>Auditd          -4
Audispd        -14
Audisp-remote   -4</pre>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>All machines are fully current on maintenance. Running
RedHat EL 5.5 x86_64 with the following audit package set:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>audit-libs-python-1.7.17-3.el5<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>audit-libs-1.7.17-3.el5<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>audit-libs-1.7.17-3.el5<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>audit-1.7.17-3.el5<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>audispd-plugins-1.7.17-3.el5<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>All that being said, I have the following questions:<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Has anyone seen this, and if so, what workarounds
or fixes are available?<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>What additional data should I collect that may
assist in identifying the root cause of the problem? Since it can take
days for this to manifest itself, it seems like traces are out of the question,
but perhaps there are other collection tools that can be used. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Are there any program options or
configuration options that can be used to debug this? The man pages seem to be
a bit stale in this distribution.<o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in;text-indent:-.25in;
mso-list:l1 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol'><span
style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'>       
</span></span></span><![endif]>Does anyone have any other ideas on what I might
do to get to the bottom of this?<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>I also have a separate issue that I&rsquo;m curious
about. Under RedHat EL 5.5 there doesn&rsquo;t seem to be any limitations
on the support for audisp-remote, but I just noticed in the release notes for
RedHat EL 6 Beta that this component is flagged as a Technology Preview in EL 6.
Does anyone know the reason for the change in status? I was planning to use
this as part of my PCI-DSS compliance efforts next year, but this change may
make that choice problematic. <o:p></o:p></p>

<p class=MsoListParagraph style='margin-left:1.0in'><o:p> </o:p></p>

<p class=MsoNormal>Attached please find my current auditd.conf, audispd.conf,
audisp-remote.conf and au-remote.conf files.<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>Beyond this query I also plan to open a support incident
with RedHat, but I thought that by using feedback from this group I might
be in a better position to provide support with useful information to aid in
problem diagnosis. <o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>Please let me know anything else that may help to get to the
bottom of this. <o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>Thanks in advance!<o:p></o:p></p>

<p class=MsoNormal><o:p> </o:p></p>

<p class=MsoNormal>Jim <o:p></o:p></p>
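<p class=MsoNormal>Added example (not part of Jim's message or of the audit package): a small watchdog that answers the "what data should I collect" and "workarounds" questions from a defender's side. It polls the RSS of /sbin/audisp-remote from <code>ps aux</code>, and when the value crosses a limit it snapshots the process table, the daemon's /proc status and open descriptors, its TCP connection to the log server, <code>auditctl -s</code> and <code>free</code>, then logs the event and can optionally stop auditd before RAM and swap are exhausted. The 1 GiB threshold, the snapshot directory, the poll interval and the use of netstat/logger/service on a RHEL 5 host are assumptions; the parsing helpers are exercised against the <code>ps aux</code> line quoted above.</p>

```shell
#!/bin/sh
# Hypothetical watchdog for audisp-remote memory growth (added example, not
# the project's code). Polls RSS, snapshots diagnostics on a threshold trip,
# and optionally stops auditd so the box does not swap itself to death.

RSS_LIMIT_KB=${RSS_LIMIT_KB:-1048576}        # 1 GiB in KB (assumed threshold)
SNAP_DIR=${SNAP_DIR:-/var/tmp/audisp-snap}   # assumed snapshot location
POLL_SECONDS=${POLL_SECONDS:-30}             # assumed poll interval
STOP_AUDITD=${STOP_AUDITD:-no}               # "yes" stops auditd when tripped

# rss_kb_from_ps_line LINE
# Prints the RSS column (field 6, in KB) of one `ps aux` line.
rss_kb_from_ps_line() {
    # shellcheck disable=SC2086  # word-splitting the line is the point
    set -- $1
    printf '%s\n' "$6"
}

# pid_from_ps_line LINE
# Prints the PID column (field 2) of one `ps aux` line.
pid_from_ps_line() {
    # shellcheck disable=SC2086
    set -- $1
    printf '%s\n' "$2"
}

# rss_exceeds LINE LIMIT_KB
# Exit 0 when the line's RSS is above LIMIT_KB, 1 when it is not, and 2 when
# the line carries no numeric RSS at all (for example the ps header line).
rss_exceeds() {
    limit=$2
    rss=$(rss_kb_from_ps_line "$1")
    case $rss in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$rss" -gt "$limit" ]
}

# audisp_remote_ps_line
# Prints the `ps aux` line for /sbin/audisp-remote, or nothing if not running.
audisp_remote_ps_line() {
    ps aux | awk '$11 == "/sbin/audisp-remote"' | head -n 1
}

# snapshot PID
# Collects what a support case for a leaking daemon usually needs and prints
# the directory it wrote to. Commands that need root fail quietly.
snapshot() {
    pid=$1
    dir="$SNAP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dir" || return 1
    ps aux                  > "$dir/ps-aux.txt"
    cat "/proc/$pid/status" > "$dir/status.txt"  2>/dev/null
    ls -l "/proc/$pid/fd"   > "$dir/fd.txt"      2>/dev/null
    netstat -tanp 2>/dev/null | grep "$pid/" > "$dir/netstat.txt" || :
    auditctl -s             > "$dir/auditctl-s.txt" 2>/dev/null
    free -m                 > "$dir/free.txt"
    printf '%s\n' "$dir"
}

# watch_loop
# Polls until the limit trips, then snapshots, logs, and optionally stops auditd.
watch_loop() {
    while :; do
        line=$(audisp_remote_ps_line)
        if [ -n "$line" ] && rss_exceeds "$line" "$RSS_LIMIT_KB"; then
            pid=$(pid_from_ps_line "$line")
            dir=$(snapshot "$pid")
            logger -t audisp-watch \
                "audisp-remote pid $pid RSS over ${RSS_LIMIT_KB}KB; snapshot in $dir"
            [ "$STOP_AUDITD" = yes ] && service auditd stop
            return 0
        fi
        sleep "$POLL_SECONDS"
    done
}

# Run the loop only when invoked as: sh audisp-watch.sh --watch
case "${1-}" in
    --watch) watch_loop ;;
esac
```

<p class=MsoNormal>Run it from cron or a wrapper with <code>--watch</code>; a threshold well below the 8GB and 12GB of RAM on the affected hosts gives the snapshot a chance to complete before the OOM killer is needed, and the fd and netstat captures show whether the connection to the central log server was still open when sending stopped.</p>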

</div>

</body>

</html>