[PATCH V1] audit: add warning that an old auditd may be starved out by a new auditd
Richard Guy Briggs
rgb at redhat.com
Thu Sep 17 11:35:39 UTC 2015
On 15/09/16, Paul Moore wrote:
> On Wed, Sep 16, 2015 at 6:24 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > On 15/09/14, Paul Moore wrote:
> >> On Sunday, September 13, 2015 12:08:19 PM Richard Guy Briggs wrote:
> >> > On 15/09/11, Paul Moore wrote:
> >> > > Although I suppose if nothing else we could send a record indicating
> >> > > that another auditd attempted to replace it ... if we can send it
> >> > > great, drop the new request and be glad we audited it, if we can't
> >> > > send it, reset the auditd tracking.
> >> >
> >> > This is actually a good idea.
> >>
> >> This would go well with your last patch to try harder on netlink send
> >> failures.
> >
> > Re-looking at the AUDIT_STATUS_PID case, I'm noticing we only
> > audit_log_config_change() on success. At the moment, auditd userspace
> > doesn't know about this new AUDIT_PING netlink message type I'm adding
> > for testing the health of the existing audit, so it will just be dropped
> > by existing auditd. I think it makes sense to add
> > audit_log_config_change() on both the orphaning and starving cases
> > indicating the result=0 so that there is a record. Arguably the
> > orphaning case can never happen again since the starving fix will
> > prevent a newer auditd from running.
>
> Just so I'm clear, the "starving" case is when a new auditd tries to
> evict a perfectly good auditd?
Not evict so much as trample. It just stomps on the existing audit_pid
reference and the old one isn't aware (unless it sends a status request
and checks the PID value) that it has been supplanted.
> Otherwise, I think adding a result/success field to the
> AUDIT_CONFIG_CHANGE record makes sense as long as it doesn't break
> Steve's parsing code (I don't think it will, although it may simply
> ignore it, which is okay).
It is already there, but never used for anything but success. I'm
proposing to add code to actually report the failures too.
> paul moore
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
More information about the Linux-audit
mailing list