<div dir="ltr">Excellent!!!</div><div class="gmail_extra"> <div class="gmail_quote">On Thu, Feb 12, 2015 at 9:58 AM, Viswanath, Logeswari P (MCOU OSTL) <<a href="mailto:logeswari.pv@hp.com" target="_blank">logeswari.pv@hp.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all, We did profiling of the kernel during our performance test and below were the top 4 functions for the overhead. 11.33% loader1 [kernel.kallsyms] [k] format_decode 10.40% loader1 [kernel.kallsyms] [k] memcpy 7.46% loader1 [kernel.kallsyms] [k] number.isra.1 6.99% loader1 [kernel.kallsyms] [k] vsnprintf Please find attached the complete profiling data of the kernel using perf tool. >From the perf data, we believed the overhead is because of invoking audit_log_format function multiple times. We changed the code to reduce the number of times this function is called. With this change the performance degradation is 20% now compared to the performance without auditing. Without this change the performance degradation is 200% compared to the performance without auditing. We can publish the code change done tomorrow. Please let me know your feedback on this idea. Regards, Logeswari. -----Original Message----- From: Richard Guy Briggs [mailto:<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>] Sent: Wednesday, February 11, 2015 10:21 PM To: Viswanath, Logeswari P (MCOU OSTL) <div class="HOEnZb"><div class="h5">Cc: <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> Subject: Re: Linux audit performance impact On 15/02/06, Viswanath, Logeswari P (MCOU OSTL) wrote: > Hi all, > > Please find the below the details of the performance test we ran. > It would be great if we get help to identify the reason behind the degradation and the ways of improving it. > > Kernel Version: > root > uname -r > 3.13.0-36-generic > > OS Version: > Ubuntu 14.04.1 > > No. of CPUs: > root > nproc > 24 > > Audit Status: > root > auditctl -s > AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=320 > lost=57190353 backlog=0 > > Rules Configured: > root > auditctl -l > LIST_RULES: exit,always arch=3221225534 (0xc000003e) syscall=all > > Attached is the program used to load the system. > > Results: > > Without enabling audit 12.29 > With auditing enabled and no rules configured 12.31 > With auditing enabled, 1 rule configured but auditd not running - kauditd logs audit records to syslog via printk 41.02 This would be more meaningful if you hacked the kernel to drain the queue figuratively to /dev/nul to eliminate the effect of auditd draining it, or syslog covering for a missing auditd. This stat doesn't tell us that much since the I/O act can vary significantly per installation. That one rule you chose is pretty unnaturally abusive and needs to be carefully thought out to avoid self-measurement. > The degradation is around 200% > > Regards, > Logeswari. > > -----Original Message----- > From: Richard Guy Briggs [mailto:<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>] > Sent: Wednesday, February 04, 2015 9:46 PM > To: Viswanath, Logeswari P (MCOU OSTL) > Cc: Satish Chandra Kilaru; Steve Grubb; <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> > Subject: Re: Linux audit performance impact > > On 15/02/04, Viswanath, Logeswari P (MCOU OSTL) wrote: > > The intent is to calculate the performance impact by the auditing > > components such as > > > > 1) impact because of kauditd without auditd - but kauditd writes to syslog, so we are unable to determine the impact just because of kauditd - It is fine even if the audit record is dropped by kauditd. Is there any way to do this? > > Not yet. That is a mode that has not been useful to anyone yet. You are welcome to hack a custom kernel to disable klog for doing testing instrumentation. > > > 2) impact because of running auditd - log format NOLOG > > 3) impact because of running audispd - small plugin is written which will just read the audit records and doesn't processes it. > > > > -----Original Message----- > > From: Richard Guy Briggs [mailto:<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>] > > Sent: Tuesday, February 03, 2015 10:33 PM > > To: Satish Chandra Kilaru > > Cc: Viswanath, Logeswari P (MCOU OSTL); Steve Grubb; > > <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> > > Subject: Re: Linux audit performance impact > > > > On 15/02/03, Satish Chandra Kilaru wrote: > > > Thanks for The info. But my question was rhetorical... I meant to > > > say that it would not be much... She is trying to bombard the > > > system with open calls ... So lots and lots of events will be > > > generated and kernel has to write down the events some where or discard them... > > > > Exactly. It is of little practical use. You have to do I/O at some point, either to the same disk or another, or to a network interface or serial port, otherwise, just chuck it out. You could do a performance measurement on a short burst, then drain the queue, but what will that actually tell us? > > > > > On Tuesday, February 3, 2015, Richard Guy Briggs <<a href="mailto:rgb@redhat.com">rgb@redhat.com</a>> wrote: > > > > > > > On 15/02/03, Satish Chandra Kilaru wrote: > > > > > How many events can kernel accumulate without I/o ? > > > > > > > > The kernel default is 64 *buffers*, but I think Fedora and RHEL > > > > set it to 320. It is now possible to set it to "0" which means > > > > limited only by system resources. See "man auditctl", "-b" > > > > option. An event can be made up of several buffers. > > > > > > > > Of course, how long a system lasts before the queue blows up > > > > depends on your rule set... > > > > > > > > However, at the moment, it will still write out to klog if > > > > auditd isn't running. > > > > > > > > > On Tuesday, February 3, 2015, Viswanath, Logeswari P (MCOU > > > > > OSTL) < <a href="mailto:logeswari.pv@hp.com">logeswari.pv@hp.com</a> <javascript:;>> wrote: > > > > > > > > > > > I don't want to disable auditing (i.e. disable audit record > > > > collection), > > > > > > but just do not want the records to delivered to user space > > > > > > since I > > > > want to > > > > > > remove the I/O overhead while running the performance test. > > > > > > Is there any option for this? > > > > > > > > > > > > -----Original Message----- > > > > > > From: Richard Guy Briggs [mailto:<a href="mailto:rgb@redhat.com">rgb@redhat.com</a> > > > > > > <javascript:;> > > > > <javascript:;>] > > > > > > Sent: Thursday, January 29, 2015 10:23 PM > > > > > > To: Viswanath, Logeswari P (MCOU OSTL) > > > > > > Cc: Satish Chandra Kilaru; Steve Grubb; > > > > > > <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> > > > > <javascript:;> > > > > > > <javascript:;> > > > > > > Subject: Re: Linux audit performance impact > > > > > > > > > > > > On 15/01/29, Viswanath, Logeswari P (MCOU OSTL) wrote: > > > > > > > Please read my question as “Is there any option to > > > > > > > configure kaudit not to log audit records to syslog? when auditd not running.” > > > > > > > > > > > > Yeah, remove audit=1 from the kernel command line, or set > > > > > > audit=0 in > > > > its > > > > > > place. This will stop all but AVCs and if auditd has ever > > > > > > run since > > > > boot. > > > > > > If audit=0 is on the kernel boot line, it will be impossible > > > > > > to run > > > > auditd. > > > > > > > > > > > > There is a feature request that is likely coming soon that > > > > > > could be > > > > > > useful: > > > > > > > > > > > > <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1160046" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1160046</a> > > > > > > "If no audit daemon is running, but an audit multicast > > > > > > subscriber is around, then the kernel shouldn't forward audit data to kmsg" > > > > > > > > > > > > > From: Viswanath, Logeswari P (MCOU OSTL) > > > > > > > Sent: Thursday, January 29, 2015 11:49 AM > > > > > > > To: 'Satish Chandra Kilaru'; Steve Grubb > > > > > > > Cc: <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> <javascript:;> <javascript:;> > > > > > > > Subject: RE: Linux audit performance impact > > > > > > > > > > > > > > Is there any option to configure kaudit not to log audit > > > > > > > records to > > > > > > syslog when auditd is running? > > > > > > > This way we can assess the impact of enabling audit > > > > > > > without involving > > > > > > disk I/o overhead. > > > > > > > > > > > > > > From: Satish Chandra Kilaru [mailto:<a href="mailto:iam.kilaru@gmail.com">iam.kilaru@gmail.com</a> > > > > <javascript:;> <javascript:;>] > > > > > > > Sent: Thursday, January 29, 2015 9:12 AM > > > > > > > To: Steve Grubb > > > > > > > Cc: <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> <javascript:;> <javascript:;><mailto: > > > > <a href="mailto:linux-audit@redhat.com">linux-audit@redhat.com</a> <javascript:;> > > > > > > <javascript:;>>; Viswanath, > > > > > > > Logeswari P (MCOU OSTL) > > > > > > > Subject: Re: Linux audit performance impact > > > > > > > > > > > > > > I agree with you... but writing to disk can trigger > > > > > > > further events > > > > > > leading spiralling of events... > > > > > > > I brought down my server few times with stupid rules... > > > > > > > > > > > > > > On Wed, Jan 28, 2015 at 10:39 PM, Steve Grubb > > > > > > > <<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a> > > > > <javascript:;> > > > > > > <javascript:;><mailto:<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a> <javascript:;> > > > > <javascript:;>>> wrote: > > > > > > > On Wednesday, January 28, 2015 10:18:47 AM Satish Chandra > > > > > > > Kilaru > > > > wrote: > > > > > > > > Write your own program to receive audit events directly > > > > > > > > without using auditd... > > > > > > > > That should be faster .... > > > > > > > > Auditd will log the events to disk causing more I/o than u need... > > > > > > > > > > > > > > But even that is configurable in many ways. You can decide > > > > > > > if you > > > > want > > > > > > > logging to disk or not and what kind of assurance that it > > > > > > > made it to disk and the priority of that audit daemon. > > > > > > > Then you also have all > > > > the > > > > > > > normal tuning knobs for disk throughput that you would use > > > > > > > for any disk performance critical system. > > > > > > > > > > > > > > -Steve > > > > > > > > > > > > > > > On Wednesday, January 28, 2015, Viswanath, Logeswari P > > > > > > > > (MCOU > > > > > > > > OSTL) > > > > < > > > > > > > > > > > > > > > > <a href="mailto:logeswari.pv@hp.com">logeswari.pv@hp.com</a> <javascript:;> <javascript:;><mailto: > > > > <a href="mailto:logeswari.pv@hp.com">logeswari.pv@hp.com</a> <javascript:;> > > > > > > <javascript:;>>> wrote: > > > > > > > > > Hi Steve, > > > > > > > > > > > > > > > > > > I am Logeswari working for HP. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > We want to know audit performance impact on RHEL and > > > > > > > > > Suse linux > > > > to > > > > > > > > > help us evaluate linux audit as data source for our > > > > > > > > > host based > > > > IDS. > > > > > > > > > > > > > > > > > > When we ran our own performance test with a test > > > > > > > > > audispd plugin, we found if a system can perform > > > > > > > > > 200000 open/close system calls per second without > > > > > > > > > auditing, system can perform only 3000 open/close > > > > > > > > > system calls auditing is enabled for open/close system > > > > > > > > > call which is a HUGE impact on the system performance. > > > > > > > > > It would > > > > be > > > > > > > > > great if anyone can help us answering the following questions. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 1) Is this performance impact expected? If yes, what is the > > > > > > reason > > > > > > > > > behind it and can we fix it? > > > > > > > > > > > > > > > > > > 2) Have anyone done any benchmarking for performance > > > > impact? If > > > > > > yes, > > > > > > > > > can you please share the numbers and also the > > > > > > > > > steps/programs used the run the same. > > > > > > > > > > > > > > > > > > 3) Help us validating the performance test we have done in > > > > our > > > > > > test > > > > > > > > > setup using the steps mentioned along with the results attached. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Attached test program (loader.c) to invoke open and > > > > > > > > > close system > > > > > > calls. > > > > > > > > > > > > > > > > > > Attached idskerndsp is the audispd plugin program. > > > > > > > > > > > > > > > > > > We used time command to determine how much time the > > > > > > > > > system took > > > > to > > > > > > > > > complete 50000 open/close system calls without > > > > > > > > > (results attached > > > > > > > > > Without-auditing) and with auditing enabled on the > > > > > > > > > system (With-auditing-NOLOG-audispd-plugin and > > > > > > > > > With-auditing-RAW) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > System details: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > 1 CPU machine > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *OS Version* > > > > > > > > > > > > > > > > > > RHEL 6.5 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *Kernel Version* > > > > > > > > > > > > > > > > > > uname –r > > > > > > > > > > > > > > > > > > 2.6.32-431.el6.x86_64 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Note: auditd was occupying 35% of CPU and was sleeping > > > > > > > > > for most > > > > of > > > > > > > > > the time whereas kauditd was occupying 20% of the CPU. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks & Regards, > > > > > > > > > > > > > > > > > > Logeswari. > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Please Donate to > > > > > > > <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a><<a href="http://www.wikipedia.org" target="_blank">http://www.wikipedia.org</a>> > > > > > > > > > > > > > -- > > > > > > > Linux-audit mailing list > > > > > > > <a href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a> <javascript:;> <javascript:;> > > > > > > > <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a> > > > > > > > > > > > > > > > > > > - RGB > > > > > > > > > > > > -- > > > > > > Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a> <javascript:;> > > > > > > <javascript:;>> Senior Software Engineer, Kernel Security, > > > > > > AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, > > > > > > Canada > > > > > > Voice: <a href="tel:%2B1.647.777.2635" value="+16477772635">+1.647.777.2635</a>, Internal: (81) 32635, Alt: > > > > > > <a href="tel:%2B1.613.693.0684x3545" value="+16136930684">+1.613.693.0684x3545</a> > > > > > > > > > > > > > > > > > > > > > -- > > > > > Please Donate to <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a> > > > > > > > > - RGB > > > > > > > > -- > > > > Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a> <javascript:;>> Senior > > > > Software Engineer, Kernel Security, AMER ENG Base Operating > > > > Systems, Red Hat Remote, Ottawa, Canada > > > > Voice: <a href="tel:%2B1.647.777.2635" value="+16477772635">+1.647.777.2635</a>, Internal: (81) 32635, Alt: > > > > <a href="tel:%2B1.613.693.0684x3545" value="+16136930684">+1.613.693.0684x3545</a> > > > > > > > > > > > > > -- > > > Please Donate to <a href="http://www.wikipedia.org" target="_blank">www.wikipedia.org</a> > > > > - RGB > > > > -- > > Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a>> Senior Software Engineer, > > Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, > > Ottawa, Canada > > Voice: <a href="tel:%2B1.647.777.2635" value="+16477772635">+1.647.777.2635</a>, Internal: (81) 32635, Alt: > > <a href="tel:%2B1.613.693.0684x3545" value="+16136930684">+1.613.693.0684x3545</a> > > - RGB > > -- > Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a>> Senior Software Engineer, > Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, > Ottawa, Canada > Voice: <a href="tel:%2B1.647.777.2635" value="+16477772635">+1.647.777.2635</a>, Internal: (81) 32635, Alt: > <a href="tel:%2B1.613.693.0684x3545" value="+16136930684">+1.613.693.0684x3545</a> > #include <stdio.h> > #include <stdlib.h> > #include <sys/stat.h> > #include <fcntl.h> > #include <unistd.h> > #include <errno.h> > > void create_load(int iters); > void cleanup(); > > int high_rate = 0; > int num_iters = 100000; > int fd1; > char file1[50]; > char file2[50]; > char dir1[50]; > char symlink1[50]; > > /* Purpose: To create system load by invoking system calls used by templates. > * > * Note: The unlink(2) of a file can be an expensive operation (i.e., event > * rate goes way down). > */ > > main(int argc, char **argv) { > > int num_children=1; > int iters; > int i; > char c; > > while ((c = getopt(argc, argv, "hi:")) != -1) { > switch (c) { > case 'h': > /* > * Desire "high" event rate > */ > high_rate = 1; > argc--; > break; > case 'i': > /* > * Desire a specified number of iterations > */ > num_iters = atoi(optarg); > argc--; > break; > default: > fprintf(stderr,"Unknown option: %c\n",optarg); > exit(1); > } > } > > > /*if(argv[optind] != NULL) { > num_children = atoi(argv[optind]); > } else { > num_children = 0; > } > Register cleanup routine */ > fprintf(stderr,"Registering cleanup routine...\n"); > if (atexit(cleanup) == -1) { > fprintf(stderr,"Error calling atexit(), errno=%d(%s)\n", > errno,strerror(errno)); > exit(1); > } > > > /* fork child processes, if any requested */ > for(i=1; i < num_children; i++) { > if(fork() == 0) { > > printf("child pid: %d\n",getpid()); > > /* Setup file names based on child's pid */ > sprintf(file1,"./file1_%d",getpid()); > sprintf(file2,"./file2_%d",getpid()); > sprintf(dir1,"./dir1_%d",getpid()); > sprintf(symlink1,"./file1symlink_%d",getpid()); > > /* each child creates load */ > iters=0; > if (num_iters == -1) { > while(1) { > create_load(iters); > iters++; > if( (iters % 1000) == 0) { > printf("pid %d iteration %d\n",getpid(),iters); > } > } > } else { > while(iters < num_iters) { > create_load(iters); > iters++; > if( (iters % 1000) == 0) { > printf("pid %d iteration %d\n",getpid(),iters); > } > } > } > } > } > > /* Parent creates load also */ > printf("parent pid: %d\n",getpid()); > > /* Setup file names based on parent's pid */ > sprintf(file1,"./file1_%d",getpid()); > sprintf(file2,"./file2_%d",getpid()); > sprintf(dir1,"./dir1_%d",getpid()); > sprintf(symlink1,"./file1symlink_%d",getpid()); > > iters=0; > if (num_iters == -1) { > while(1) { > create_load(iters); > iters++; > if( (iters % 1000) == 0) { > printf("pid %d iteration %d\n",getpid(),iters); > } > } > } else { > while(iters < num_iters) { > create_load(iters); > iters++; > if( (iters % 1000) == 0) { > printf("pid %d iteration %d\n",getpid(),iters); > } > } > } > > } /* main */ > > > void create_load(int iters) { > > int pid; > char *args[2]; > struct stat stat_buf; > > fd1 = creat(file1,0x644); > if (fd1 == -1) { > fprintf(stderr,"pid %d: creat() returned error for file %s, errno=%d(%s)\n", > getpid(),file1,errno,strerror(errno)); > exit(1); > } > if (close(fd1) == -1) { > fprintf(stderr,"pid %d: close() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > fd1 = open(file1, O_RDWR, 0777); > if (fd1 == -1) { > fprintf(stderr,"pid %d: open() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > > /* Chown this file to root instead of user ids so that we don't generate a > * non-owned alert when the file is truncated when invoking creat() again > * as root on an existing file owned by another user. > */ > if (chown(file1,0,0) == -1) { > fprintf(stderr,"pid %d: chown(%d,%d) returned error, errno=%d(%s)\n", > getpid(),0,0,errno,strerror(errno)); > exit(1); > } > > if (fchown(fd1,0,0) == -1) { > fprintf(stderr,"pid %d: fchown(%d,%d) returned error, errno=%d(%s)\n", > getpid(),0,0,errno,strerror(errno)); > exit(1); > } > > if (chmod(file1, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) == -1) { > fprintf(stderr,"pid %d: chmod(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > if (fchmod(fd1, S_IXUSR|S_IXGRP|S_IXOTH) == -1) { > fprintf(stderr,"pid %d: fchmod(S_IXUSR|S_IXGRP|S_IXOTH) returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > > > if (write(fd1,"Some stuff",strlen("Some stuff")) == -1) { > fprintf(stderr,"pid %d: write() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > if (ftruncate(fd1,7) == -1) { > fprintf(stderr,"pid %d: ftruncate() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > if (close(fd1) == -1) { > fprintf(stderr,"pid %d: close() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > > if (truncate(file1,3) == -1) { > fprintf(stderr,"pid %d: truncate() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > if (rename(file1,file2) == -1) { > fprintf(stderr,"pid %d: rename(%s,%s) returned error, errno=%d(%s)\n", > getpid(),file1,file2,errno,strerror(errno)); > exit(1); > } > if (rename(file2,file1) == -1) { > fprintf(stderr,"pid %d: rename(%s,%s) returned error, errno=%d(%s)\n", > getpid(),file2,file1,errno,strerror(errno)); > exit(1); > } > if (link(file1,file2) == -1) { > fprintf(stderr,"pid %d: link(%s,%s) returned error, errno=%d(%s)\n", > getpid(),file1,file2,errno,strerror(errno)); > exit(1); > } > if (symlink(file1,symlink1) == -1) { > fprintf(stderr,"pid %d: symlink(%s,%s) returned error, errno=%d(%s)\n", > getpid(),file1,symlink1,errno,strerror(errno)); > exit(1); > } > if (lchown(symlink1,0,0) == -1) { > fprintf(stderr,"pid %d: lchown(%s,%d,%d) returned error, errno=%d(%s)\n", > getpid(),symlink1,0,0,errno,strerror(errno)); > exit(1); > } > > if (lstat(symlink1,&stat_buf) == -1) { > fprintf(stderr,"pid %d: lstat(%s) returned error, errno=%d(%s)\n", > getpid(),symlink1,errno,strerror(errno)); > exit(1); > } > if (stat(file1,&stat_buf) == -1) { > fprintf(stderr,"pid %d: stat(%s) returned error, errno=%d(%s)\n", > getpid(),file1,errno,strerror(errno)); > exit(1); > } > if (unlink(file1) == -1) { > fprintf(stderr,"pid %d: unlink(%s) returned error, errno=%d(%s)\n", > getpid(),file1,errno,strerror(errno)); > exit(1); > } > if (unlink(file2) == -1) { > fprintf(stderr,"pid %d: unlink(%s) returned error, errno=%d(%s)\n", > getpid(),file2,errno,strerror(errno)); > exit(1); > } > if (unlink(symlink1) == -1) { > fprintf(stderr,"pid %d: unlink(%s) returned error, errno=%d(%s)\n", > getpid(),symlink1,errno,strerror(errno)); > exit(1); > } > if (mkdir(dir1,S_IRUSR|S_IWUSR|S_IXUSR|S_IRGRP|S_IXGRP) == -1) { > fprintf(stderr,"pid %d: mkdir() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > if (rmdir(dir1) == -1) { > fprintf(stderr,"pid %d: rmdir() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > > /* Fork every 10000 iterations to not use up process resources too quickly */ > if ( (iters % 10000) == 0) { > pid = fork(); > if(pid == 0) { > fprintf(stderr,"child pid %d: fork!\n",getpid()); > // child > args[0] = "/bin/ls"; > args[1] = NULL; > close(1); > close(2); > execve(args[0], args, NULL); > fprintf(stderr,"pid %d: execve(%s) returned error, errno=%d(%s)\n", > getpid(),args[0],errno,strerror(errno)); > _exit(1); > } else if (pid < 0) { > fprintf(stderr,"pid %d: fork() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } else { > fprintf(stderr,"parent pid %d, child pid: %d: fork!\n",getpid(),pid); > } > > pid = vfork(); > if(pid == 0) { > args[0] = "/bin/pwd"; > args[1] = NULL; > close(1); > close(2); > execv(args[0], args); > fprintf(stderr,"pid %d: execve(%s) returned error, errno=%d(%s)\n", > getpid(),args[0],errno,strerror(errno)); > _exit(1); > } else if (pid < 0) { > fprintf(stderr,"pid %d: vfork() returned error, errno=%d(%s)\n", > getpid(),errno,strerror(errno)); > exit(1); > } > } > > /* Make sure everything is cleaned up and deleted before returning */ > cleanup(); > > } /* create_load() */ > > void cleanup() { > close(fd1); > unlink(file1); > unlink(file2); > unlink(symlink1); > unlink(dir1); > return; > } > -- > Linux-audit mailing list > <a href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a> > <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a> - RGB -- Richard Guy Briggs <<a href="mailto:rbriggs@redhat.com">rbriggs@redhat.com</a>> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: <a href="tel:%2B1.647.777.2635" value="+16477772635">+1.647.777.2635</a>, Internal: (81) 32635, Alt: <a href="tel:%2B1.613.693.0684x3545" value="+16136930684">+1.613.693.0684x3545</a> </div></div> -- Linux-audit mailing list <a href="mailto:Linux-audit@redhat.com">Linux-audit@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/linux-audit" target="_blank">https://www.redhat.com/mailman/listinfo/linux-audit</a> </blockquote></div> <div> </div>-- <div class="gmail_signature">Please Donate to <a href="http://www.wikipedia.org">www.wikipedia.org</a></div> </div>