<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<pre>When we add "audit=1" to the cmdline, kauditd takes up 100% of a CPU. The reproduction is as follows:</pre>
<div class="moz-forward-container">
<blockquote>
<pre>configurations:
auditctl -b 64
auditctl --backlog_wait_time 60000
auditctl -r 0
auditctl -w /root/aaa -p wrx

shell script:
#!/bin/bash
i=0
while [ $i -le 66 ]
do
    touch /root/aaa
    let i++
done

mandatory conditions:</pre>
</blockquote>
<blockquote>
<blockquote>
<pre>add "audit=1" to the cmdline, and run kill -19 pid_number (the pid of /sbin/auditd).</pre>
</blockquote>
</blockquote>
<p> </p>
<pre>As long as audit_hold_queue stays non-empty, flushing the hold queue falls into
an infinite loop.</pre>
<p> </p>
<blockquote type="cite"><pre>713 static int kauditd_send_queue(struct sock *sk, u32 portid,
714                               struct sk_buff_head *queue,
715                               unsigned int retry_limit,
716                               void (*skb_hook)(struct sk_buff *skb),
717                               void (*err_hook)(struct sk_buff *skb))
718 {
719         int rc = 0;
720         struct sk_buff *skb;
721         unsigned int failed = 0;
722 
723         /* NOTE: kauditd_thread takes care of all our locking, we just use
724          *       the netlink info passed to us (e.g. sk and portid) */
725 
726         while ((skb = skb_dequeue(queue))) {
727                 /* call the skb_hook for each skb we touch */
728                 if (skb_hook)
729                         (*skb_hook)(skb);
730 
731                 /* can we send to anyone via unicast? */
732                 if (!sk) {
733                         if (err_hook)
734                                 (*err_hook)(skb);
735                         continue;
736                 }
737 
738 retry:
739                 /* grab an extra skb reference in case of error */
740                 skb_get(skb);
741                 rc = netlink_unicast(sk, skb, portid, 0);
742                 if (rc &lt; 0) {
743                         /* send failed - try a few times unless fatal error */
744                         if (++failed >= retry_limit ||
745                             rc == -ECONNREFUSED || rc == -EPERM) {
746                                 sk = NULL;
747                                 if (err_hook)
748                                         (*err_hook)(skb);
749                                 if (rc == -EAGAIN)
750                                         rc = 0;
751                                 /* continue to drain the queue */
752                                 continue;
753                         } else
754                                 goto retry;
755                 } else {
756                         /* skb sent - drop the extra reference and continue */
757                         consume_skb(skb);
758                         failed = 0;
759                 }
760         }
761 
762         return (rc >= 0 ? 0 : rc);
763 }</pre></blockquote>
<pre>When kauditd attempts to flush the hold queue, the queue parameter is &amp;audit_hold_queue.
If netlink_unicast() (line 741) returns -EAGAIN, sk is set to NULL (line 746) and err_hook
(kauditd_rehold_skb) is called, which puts the skb back on the hold queue. After the continue,
skb_dequeue() (line 726) and err_hook (kauditd_rehold_skb, line 733) keep alternating on the
same skbs, so the loop never terminates.
I don't really understand the value of audit_hold_queue. Can we remove it, or stop dropping the logs
into kauditd_rehold_skb when auditd is abnormal?
Looking forward to your reply. Thank you very much.</pre>
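Added example, not from this report or the kernel tree: a userspace C model of the drain loop quoted above together with the hold queue's rehold hook. It shows that once sk is dropped and every skb is re-held the queue never empties, and, as an illustrative bound that is not the upstream fix, a one-pass variant that stops after the skb that was the tail when the drain began. The skb, queue, hook names and the unicast result are simplified stand-ins.

```c
/* Added example, not kernel code: a userspace model of the kauditd_send_queue()
 * drain loop and the hold queue's rehold hook; every object is a stand-in. */
#include <errno.h>
#include <stddef.h>

struct skb { struct skb *next; };
struct skbq { struct skb *head, *tail; };
static void q_tail(struct skbq *q, struct skb *s) {
    s->next = NULL;
    if (q->tail) q->tail->next = s; else q->head = s;
    q->tail = s;
}
static struct skb *q_dequeue(struct skbq *q) {
    struct skb *s = q->head;
    if (s && !(q->head = s->next)) q->tail = NULL;
    return s;
}
/* Stand-ins for audit_hold_queue and kauditd_rehold_skb(): an unsent record
 * is put back on the very queue that is being drained. */
static struct skbq hold_queue;
static void rehold(struct skb *s) { q_tail(&hold_queue, s); }
/* Shaped like lines 726-760 above; unicast_rc models netlink_unicast()'s result.
 * Returns the number of dequeues, or -1 once max_iter is exceeded (it would spin
 * forever). one_pass is an illustrative bound, not the kernel's own change: stop
 * after the skb that was the tail on entry, so a re-held skb is not seen again. */
static long drain(int have_sk, int unicast_rc, struct skbq *q,
                  void (*err_hook)(struct skb *), int one_pass, long max_iter)
{
    long n = 0;
    struct skb *s, *last = one_pass ? q->tail : NULL;

    while ((s = q_dequeue(q))) {
        if (++n > max_iter)
            return -1;
        if (have_sk && unicast_rc < 0)  /* lines 742-746: fatal error, sk = NULL */
            have_sk = 0;
        if (!have_sk)                   /* lines 733-734 and 747-748: re-hold */
            err_hook(s);
        if (s == last)
            break;
    }
    return n;
}
/* Three constructed records; pass -EAGAIN to model auditd stopped by SIGSTOP. */
static long run_model(int unicast_rc, int one_pass) {
    static struct skb recs[3];
    hold_queue.head = hold_queue.tail = NULL;
    for (int i = 0; i < 3; i++) q_tail(&hold_queue, &recs[i]);
    return drain(1, unicast_rc, &hold_queue, rehold, one_pass, 1000);
}
```

With a working auditd (unicast_rc 0) the queue drains in three steps; with -EAGAIN the unbounded loop hits the iteration cap, while the one-pass bound returns after three re-holds and leaves the records on the hold queue for a later flush.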
<pre>Gaosheng.
</pre>
</div>
</body>
</html>