Bug 1160046

Summary: RFE: If no audit daemon is running, but an audit multicast subscriber is around, then the kernel shouldn't forward audit data to kmsg
Product: Fedora
Reporter: Lennart Poettering <lpoetter>
Component: kernel
Assignee: Richard Guy Briggs <rbriggs>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: awilliam, eparis, gansalmon, igeorgex, itamar, iweiss, jonathan, kernel-maint, kparal, madhu.chinakonda, mchehab, me, pachoramos1, prd-fedora, rcyriac, sauchter, sitsofe, steven, travier, zbyszek
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lennart Poettering 2014-11-03 22:25:38 UTC
As discussed with Eric Paris: currently if no auditd is around, but an audit multicast subscriber is (such as journald from git), the kernel currently still pushes all log messages into the kernel log buffer. This has the effect that journald sees every message twice unless auditd is running: once via kmsg and once via netlink.

Comment 1 David Rheinsberg 2014-12-31 12:41:39 UTC
Proposed fix is available on LKML:
http://thread.gmane.org/gmane.linux.kernel/1857321

Comment 2 Richard Guy Briggs 2014-12-31 16:22:31 UTC
I am dubious this problem actually can be solved at the kernel level.  The multicast read-only socket was intended as a non-reliable delivery mechanism, so I don't see that detecting a multicast listener is sufficient grounds to stop writing to klog.  I would prefer to have userspace determine if the messages are equivalent and toss the duplicates.  If anything, I might make that a configurable option.

Comment 3 Eric Paris 2014-12-31 22:44:20 UTC
Feels to me like a 'disable klog' audit command (AUDIT_SET) would work.  systemd could handle that when it starts its mcast listener...

dedup in userspace is a bad/really hard idea. This patch works wonderfully today, since systemd is the only known multicast listener and you are going to get the data in the same places, but I'm not sure it's appropriate for every potential mcast listener...

Comment 4 Paul Moore 2015-01-05 16:00:04 UTC
Once we resolve these last few serious outstanding bugs I'm going to be taking a long, hard look at the kernel's audit API (it's a terrible mess) and I'm considering delaying patches like this until after we fix the API (or perhaps as part of the API changes).

Comment 5 Jaroslav Reznik 2015-03-03 16:27:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22

Comment 6 Adam Williamson 2015-04-17 01:15:07 UTC
is this why some F22 systems seem to have their journals loaded with audit log spam?

Comment 7 Zbigniew Jędrzejewski-Szmek 2015-04-17 01:28:51 UTC
No. This bug is about audit messages appearing twice in the journal in early boot: once through kmsg and second time through netlink. Normally audit is started somewhere in the boot process and messages stop being duplicated in the journal, although they are duplicated between /var/log/audit/audit.log and the journal. I'd guess that what you consider audit log spam is normal audit logs.
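The duplication described in this comment (the same audit record arriving once via kmsg and once via the netlink multicast group) can be measured from the journal rather than guessed at. The following script is an added example, not code from this bug report or from systemd: it groups `journalctl -o json` style records by audit serial and reports the serials that were seen through more than one `_TRANSPORT`. It assumes that kmsg-sourced records carry the `audit(timestamp:serial)` header in `MESSAGE` and that netlink-sourced records carry the serial in an `_AUDIT_ID` field; the sample records are constructed for the example.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed records in the shape of `journalctl -o json` output (not real
# journal data). Serials 45 and 46 arrive through both transports, as they
# would in early boot before auditd is up; 47 arrives only via netlink.
SAMPLE_RECORDS = [
    {"_TRANSPORT": "kernel",
     "MESSAGE": "audit: type=1130 audit(1429230907.123:45): pid=1 uid=0 "
                "msg='unit=example comm=\"systemd\" res=success'"},
    {"_TRANSPORT": "audit", "_AUDIT_TYPE": "1130", "_AUDIT_ID": "45",
     "MESSAGE": "SERVICE_START pid=1 uid=0 msg='unit=example "
                "comm=\"systemd\" res=success'"},
    {"_TRANSPORT": "kernel",
     "MESSAGE": "audit: type=1131 audit(1429230908.001:46): pid=1 uid=0 "
                "msg='unit=example comm=\"systemd\" res=success'"},
    {"_TRANSPORT": "audit", "_AUDIT_TYPE": "1131", "_AUDIT_ID": "46",
     "MESSAGE": "SERVICE_STOP pid=1 uid=0 msg='unit=example "
                "comm=\"systemd\" res=success'"},
    {"_TRANSPORT": "audit", "_AUDIT_TYPE": "1130", "_AUDIT_ID": "47",
     "MESSAGE": "SERVICE_START pid=1 uid=0 msg='unit=other "
                "comm=\"systemd\" res=success'"},
    # A non-audit kernel message that must be ignored.
    {"_TRANSPORT": "kernel", "MESSAGE": "usb 1-1: new high-speed USB device"},
]
SAMPLE_JSON_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

# Header the kernel prefixes to every audit record: audit(<secs>.<ms>:<serial>)
AUDIT_HEADER = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")


def audit_serial(record):
    """Return the audit serial of a journal record, or None if it is not
    an audit record. Netlink-sourced entries are assumed to carry
    _AUDIT_ID; kmsg-sourced entries carry the header inside MESSAGE."""
    if "_AUDIT_ID" in record:
        return int(record["_AUDIT_ID"])
    match = AUDIT_HEADER.search(record.get("MESSAGE", ""))
    return int(match.group(3)) if match else None


def find_duplicates(json_lines):
    """Map serial -> sorted list of transports, for serials that were
    logged through more than one transport within the same boot."""
    transports = defaultdict(set)
    for line in json_lines:
        record = json.loads(line)
        serial = audit_serial(record)
        if serial is None:
            continue
        transports[serial].add(record.get("_TRANSPORT", "unknown"))
    return {s: sorted(t) for s, t in transports.items() if len(t) > 1}


def count_by_transport(json_lines):
    """Count audit records per transport, the breakdown behind a raw
    `journalctl -b | grep audit | wc -l` figure."""
    counts = Counter()
    for line in json_lines:
        record = json.loads(line)
        if audit_serial(record) is not None:
            counts[record.get("_TRANSPORT", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("audit records per transport:", count_by_transport(SAMPLE_JSON_LINES))
    for serial, via in find_duplicates(SAMPLE_JSON_LINES).items():
        print(f"serial {serial} seen via {', '.join(via)}")
```

Serials restart at every boot, so the grouping is only meaningful within a single `journalctl -b` output; that, and the fact that the two copies differ in text (kmsg keeps the raw header, the netlink path does not), is the practical shape of the "dedup in userspace" difficulty raised in comment 3.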

Comment 8 Adam Williamson 2015-04-17 01:53:12 UTC
[adamw@adam SPECS]$ sudo journalctl -b | grep audit | wc -l
[sudo] password for adamw: 
2138
[adamw@adam SPECS]$ uptime
 18:53:05 up  6:58,  1 user,  load average: 1.54, 1.34, 1.26

Comment 9 Sitsofe Wheeler 2015-08-01 10:13:09 UTC
Adam:
My crude understanding is that systemd enables auditing unconditionally (http://lists.freedesktop.org/archives/systemd-devel/2014-December/026591.html found via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773528 ) so the only way to stop audit messages being in the *journal* logs would be to disable auditing on the kernel command line... If people want to know how to stop systemd audit messages it would need to be in a separate bug (ideally referenced from this one).

Comment 10 Justin M. Forbes 2015-10-20 19:31:35 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.

Comment 11 Paul Moore 2015-10-20 21:37:37 UTC
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.

Comment 12 Richard Guy Briggs 2018-11-26 22:00:05 UTC
(In reply to David Herrmann from comment #1)
> Proposed fix is available on LKML:
> http://thread.gmane.org/gmane.linux.kernel/1857321

Link busted...  https://lkml.org/lkml/2014/12/31/99

Comment 13 Richard Guy Briggs 2018-11-26 22:14:09 UTC
Created issue upstream: https://github.com/linux-audit/audit-kernel/issues/102