Bug 440075

Summary: auditd memory leak (11GB in 5 minutes)
Product: [Fedora] Fedora
Reporter: Joe Nall <joe>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dcole, john.wiseman, lenny
Hardware: x86_64   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-04-08 19:37:59 UTC
Attachments:
/etc/audit/audit.rules (flags: none)
/etc/audit/auditd.conf (flags: none)

Description Joe Nall 2008-04-01 16:39:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008033120 Fedora/3.0-0.51.beta5rc2.fc9 Firefox/3.0b5

Description of problem:
auditd grew from 40m to over 12GB in a test application run

Tasks: 178 total,   2 running, 176 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.3%us, 52.6%sy,  0.0%ni, 14.2%id, 14.0%wa,  0.0%hi,  4.0%si,  0.0%st
Mem:   6064320k total,  6034416k used,    29904k free,    94976k buffers
Swap:  2040244k total,  1290880k used,   749364k free,   208632k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                             
 1874 root      17  -3 12.0g 4.6g  528 S 14.2 79.3   1:22.75 auditd          

Version-Release number of selected component (if applicable):
audit-1.7-1.fc9.x86_64 

How reproducible:
Didn't try


Steps to Reproduce:
MLS/Permissive system with several daemons generating audit

Actual Results:
Rapidly increasing memory usage

Expected Results:
Stable memory usage

Additional info:

Comment 1 Joe Nall 2008-04-01 16:43:21 UTC
Sorry about the wimpy bug report. The machine was becoming very sluggish and I was worried about 
losing the browser session when the machine died.

Comment 2 Steve Grubb 2008-04-01 16:53:55 UTC
Can you give me any details about the auditd.conf file? I am curious if it was
in the shipped default config or changed in any way. Thanks.

Comment 3 Joe Nall 2008-04-01 18:03:52 UTC
Created attachment 299935
/etc/audit/audit.rules

Comment 4 Joe Nall 2008-04-01 18:04:37 UTC
Created attachment 299936
/etc/audit/auditd.conf

Comment 5 Steve Grubb 2008-04-04 21:35:20 UTC
The auditd configuration looks fairly simple. I was worried that you have email
notification turned on or something else somewhat different like exec command
kind of action.

Was there anything related to auditd in syslog that was unusual? Which glibc
was installed at the time? Have there been any recurrences?

Comment 6 Steve Grubb 2008-04-05 01:48:29 UTC
OK, I found the memory leak. It was in the End of Event code. This would only be
triggered on the 2.6.25 kernel since previous kernels do not send EOE records.
audit-1.7-3.fc9 was built to address this problem, please give it a try.

Comment 7 Steve Grubb 2008-04-08 19:37:59 UTC
I am closing this bug report as I'm pretty sure the leak I found is the one that
is causing the problems. If you find a recurrence of this, please note the
audit, kernel, and glibc versions. Thanks for reporting the problem.

Comment 8 Joe Nall 2008-04-08 20:11:04 UTC
1.7.3 fixed the memory leak for me.