Bug in Queue Statistics?

Thu Mar 3 22:23:17 UTC 2022

Hello,

On Wednesday, March 2, 2022 4:45:07 PM EST Amjad Gabbar wrote:
> Had a couple of concerns that I wanted to discuss:
> 
> 1.
> 
> I was getting a few "auditd queue full" messages in syslog. I had
> previously faced similar issues after which I had increased the q_depth and
> modified my ruleset to reduce the number of events logged which had
> brought down these errors significantly.

<snip>

> I am not sure but the only way I can think that max plugin queue depth used
> can be 4294967295 (despite the maxlimit being set to 25000) is if we
> dequeue an event before it has been enqueued. Also, the current plugin
> queue depth suggests that events are being dequeued continuously leading
> to the value decreasing from 4294967295 to 4294967240?

I have a feeling this is hard to get into, but is something like the queue 
gets suspended, reconfigure gets rid of plugins, another reconfigure adds back 
plugins and this resets the queue depth to 0, but there are events. As it 
dequeues them it starts getting negative numbers, but the variable is undined 
int hence the very large numbers.

I changed the way that init and reconfigure interact in commit 514d2bd. When 
the queue is destroyed, it resets all the numbers. Otherwise it will now 
leave them alone unless q_depth is zero - which means we need to reallocate a 
queue.

> 2.
> 
> Another update that I would like to make is currently, if we reload the
> auditd configuration instead of restarting, although the configuration
> changes, we do not reset some of the queue statistic variables which I feel
> is incorrect.
> 
> https://github.com/linux-audit/audit-userspace/blob/770e4f538103f8a055f46c0
> 4a9e2514f88f175c3/src/auditd-event.c#L1466
> 
> Ex- If q_depth=400 and the queue overflows, the overflowed variable is set
> to 1. On changing the q_depth value to say 10000 and doing a reload, the
> queue size has changed and basically so has the queue. I feel here we
> should reset some of the queue statistic variables like overflowed as it is
> incorrect to say that in it's current form the queue has overflown. This
> variable is not reset and I feel that it should be.

This sounds reasonable. Commit a8d7515 should fix this.

> If agreed that this is a reasonable change, would it be ok if I submit a PR
> for the same?

It's a 1 liner. Thanks, though.

> Also, is it possible that point 2 is causing issues leading to point 1
> errors?

No.

> 3. Would also like to improve the manpage documentation related to
> /var/run/auditd.state. Currently it states that it is a dump of the 
> internal state. I would like to change that to provide a little more
> detail about what the internal state contains - such as queue statistics,
> priority etc.

That might be a lot to document. I don't know if anything else will get 
added, but if that happens, we'll have to document that. If this was done, 
I'd say it should go in the auditd man page.

> Apart from that I feel that we can also add an additonal field to the
> auditd.state file as to when the queue has overflown which may make it
> easier to perform ausearch related queries with start time and end time.

Would having it record down to the second be enough? IOW, no sub-second time 
stamp. If just the second is good enough, I can add that. It's only a couple 
lines of code.

> If any of the changes are worth contributing to I would be happy to make
> the said changes.

I don't plan to write a description of the state report. I'll take a PR, 
though.

Best,
-Steve