Can AUDIT_LIST_RULES cause kthreadd-spam?

Paul Moore paul at paul-moore.com
Wed May 3 21:27:13 UTC 2023


On Wed, May 3, 2023 at 5:14 PM Rinat Gadelshin <rgadelsh at gmail.com> wrote:
> Hello there =)
>
> My name is Rinat.
> I'm a newbie here (in the Linux kernel developer community).
>
> My current job is to work with the audit subsystem on different
> versions of Linux (and different kernel versions from 3.10 to the latest)
> with and without auditd.
>
> My program works on behalf of the root account and uses netlink
> (unicast or multicast, depending on the kernel's version)
> to communicate with the audit subsystem of the kernel.
>
> If the actual audit rule list has been changed
> then my program should restore the configured audit rule list.
>
> To do it the program periodically (with a 60-second interval)
> requests the actual rule list by sending AUDIT_LIST_RULES.
>
> All rules are received perfectly.
>
> But I've noticed that many (2K+ in a 5-minute test)
> kthreadd processes have been spawned after that request
> (I've stubbed the poll code and compared logs).

Hi Rinat,

First, a quick note that audit discussions involving the upstream
Linux Kernel have moved to the audit at vger.kernel.org list (CC'd),
please direct future emails there.

Can you be more specific about the kernel threads you are seeing, are
you seeing multiple "kauditd" threads?

% ps -fC kauditd
UID          PID    PPID  C STIME TTY          TIME CMD
root          89       2  0 Apr28 ?        00:00:00 [kauditd]

> Please, can you point me to what I can do to avoid this kthreadd-spam?
>
> Thank you.
>
> Best regards
> Rinath

-- 
paul-moore.com



More information about the Linux-audit mailing list