[PATCH -next] audit: only print records that will be dropped via printk()

Paul Moore paul at paul-moore.com
Wed Feb 23 22:00:15 UTC 2022


On Wed, Feb 23, 2022 at 4:41 AM Gaosheng Cui <cuigaosheng1 at huawei.com> wrote:
>
> When an admin enables audit at early boot via the "audit=1" kernel
> command line, netlink send errors seen will cause the audit subsystem
> to drop some records or return records to the queue. And all records
> will be printed via printk() in the kauditd_hold_skb(), but actually
> only the records that will be dropped need to be printed via printk().
>
> Signed-off-by: Gaosheng Cui <cuigaosheng1 at huawei.com>
> ---
>  kernel/audit.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

When records are moved to the hold queue the system is in a bad state,
so printing the record via printk(), regardless of whether the record
is able to be successfully queued or dropped, is important.  If this is
happening frequently on your system, this is likely a sign your system
is misconfigured.

-- 
paul-moore.com



