Bug 315561 – Audit system drops messages which are too large

Bug 315561 - Audit system drops messages which are too large

Summary:	Audit system drops messages which are too large

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	audit (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Steve Grubb
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2007-10-02 12:22 EDT by Eric Paris
Modified:	2008-01-01 10:37 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-01-01 10:37:24 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
strace of auditd when I exec'd ls with a huge arg list (3.05 KB, text/plain) 2007-10-02 12:35 EDT, Eric Paris	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Eric Paris 2007-10-02 12:22:01 EDT

Description of problem:

If the kernel sends a huge message to the audit userspace (>8k) audit userspace
(somewhere) drops the message on the floor.

The kernel doesn't typically send messages that big, but in rawhide it's
possible to send a message up to size 32k.

I'd prefer to see audit userspace handle arbitrary message size, audit that it
dropped something, really anything other than silently losing information.

(p.s. i'm fixing the kernel to not be able to send such a large message where i
know it is possible)

Comment 1 Eric Paris 2007-10-02 12:31:48 EDT

recvfrom(3, "\275$\0\0\35\5\0\0\0\0\0\0\0\0\0\0audit(1191367234.497:17):
a0=\"ls\"\na1=\"--color=tty\"\na2=\"dir1/file1\"\na3=\"dir1/file10\"\na4=\"dir1/file11\"\na5=\"dir1/file12\"\na6=\"dir1/file13\"\na7=\"dir1/file14\"\na8=\"dir1/file15\"\na9=\"dir1/file16\"\na10=\"dir1/file17\"\na11=\"dir1/file18\"\na12=\"dir1/file19\"\na13=\"dir1/file2\"\na14=\"dir1/file20\"\na15=\"dir1/file21\"\na16=\"dir1/file22\"\na17=\"dir1/file23\"\na18=\"dir1/file24\"\na19=\"dir1/file25\"\na20=\"dir1/file26\"\na21=\"dir1/file27\"\na22=\"dir1/file28\"\na23=\"dir1/file29\"\na24=\"dir1/file3\"\na25=\"dir1/file30\"\na26=\"dir1/file31\"\na27=\"dir1/file32\"\na28=\"dir1/file33\"\na29=\"dir1/file34\"\na30=\"dir1/file35\"\na31=\"dir1/file36\"\na32=\"dir1/file37\"\na33=\"dir1/file38\"\na34=\"dir1/file39\"\na35=\"dir1/file4\"\na36=\"dir1/file40\"\na37=\"dir1/file41\"\na38=\"dir1/file42\"\na39=\"dir1/file43\"\na40=\"dir1/file44\"\na41=\"dir1/file45\"\na42=\"dir1/file46\"\na43=\"dir1/file47\"\na44=\"dir1/file48\"\na45=\"dir1/file49\"\na46=\"dir1/file5\"\na47=\"dir1/file50\"\na48=\"dir1/file6\"\na49=\"dir1/file7\"\na50=\"dir1/file8\"\na51=\"dir1/file9\"\na52=\"dir2/file1\"\na53=\"dir2/file10\"\na54=\"dir2/file11\"\na55=\"dir2/file12\"\na56"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 8988

Comment 2 Eric Paris 2007-10-02 12:35:55 EDT

Created attachment 213671 [details]
strace of auditd when I exec'd ls with a huge arg list

Comment 3 Steve Grubb 2008-01-01 10:37:24 EST

Since 1.6.4, the audit daemon now logs that a message was too large. This is
about all that can be done given the design.

Note You need to log in before you can comment on or make changes to this bug.