Bug 315561 - Audit system drops messages which are too large
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All
OS: Linux
Priority: low, Severity: low
Assigned To: Steve Grubb
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-10-02 12:22 EDT by Eric Paris
Modified: 2008-01-01 10:37 EST
Doc Type: Bug Fix
Last Closed: 2008-01-01 10:37:24 EST


Attachments
strace of auditd when I exec'd ls with a huge arg list (3.05 KB, text/plain)
2007-10-02 12:35 EDT, Eric Paris
Description Eric Paris 2007-10-02 12:22:01 EDT
Description of problem:

If the kernel sends a huge message to the audit userspace (>8k), audit userspace
(somewhere) drops the message on the floor.

The kernel doesn't typically send messages that big, but in rawhide it's
possible to send a message up to size 32k.

I'd prefer to see audit userspace handle arbitrary message size, audit that it
dropped something, really anything other than silently losing information.

(P.S. I'm fixing the kernel to not be able to send such a large message where I
know it is possible)
Comment 1 Eric Paris 2007-10-02 12:31:48 EDT
recvfrom(3, "\275$\0\0\35\5\0\0\0\0\0\0\0\0\0\0audit(1191367234.497:17):
a0=\"ls\"\na1=\"--color=tty\"\na2=\"dir1/file1\"\na3=\"dir1/file10\"\na4=\"dir1/file11\"\na5=\"dir1/file12\"\na6=\"dir1/file13\"\na7=\"dir1/file14\"\na8=\"dir1/file15\"\na9=\"dir1/file16\"\na10=\"dir1/file17\"\na11=\"dir1/file18\"\na12=\"dir1/file19\"\na13=\"dir1/file2\"\na14=\"dir1/file20\"\na15=\"dir1/file21\"\na16=\"dir1/file22\"\na17=\"dir1/file23\"\na18=\"dir1/file24\"\na19=\"dir1/file25\"\na20=\"dir1/file26\"\na21=\"dir1/file27\"\na22=\"dir1/file28\"\na23=\"dir1/file29\"\na24=\"dir1/file3\"\na25=\"dir1/file30\"\na26=\"dir1/file31\"\na27=\"dir1/file32\"\na28=\"dir1/file33\"\na29=\"dir1/file34\"\na30=\"dir1/file35\"\na31=\"dir1/file36\"\na32=\"dir1/file37\"\na33=\"dir1/file38\"\na34=\"dir1/file39\"\na35=\"dir1/file4\"\na36=\"dir1/file40\"\na37=\"dir1/file41\"\na38=\"dir1/file42\"\na39=\"dir1/file43\"\na40=\"dir1/file44\"\na41=\"dir1/file45\"\na42=\"dir1/file46\"\na43=\"dir1/file47\"\na44=\"dir1/file48\"\na45=\"dir1/file49\"\na46=\"dir1/file5\"\na47=\"dir1/file50\"\na48=\"dir1/file6\"\na49=\"dir1/file7\"\na50=\"dir1/file8\"\na51=\"dir1/file9\"\na52=\"dir2/file1\"\na53=\"dir2/file10\"\na54=\"dir2/file11\"\na55=\"dir2/file12\"\na56"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 8988
Comment 2 Eric Paris 2007-10-02 12:35:55 EDT
Created attachment 213671
strace of auditd when I exec'd ls with a huge arg list
Comment 3 Steve Grubb 2008-01-01 10:37:24 EST
Since 1.6.4, the audit daemon now logs that a message was too large. This is
about all that can be done given the design.
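
Added example (not part of this bug report and not the audit project's code): the recvfrom() line in Comment 1 carries a netlink header whose length field is larger than the 8988 bytes actually returned, which is how a receiver can tell "too large for my buffer" apart from "malformed" and log it instead of dropping it silently. The function and type names are hypothetical, and the header bytes are assumed to be little-endian as on the host that produced the strace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NL_HDRLEN 16  /* size of the netlink message header */

enum nl_verdict { NL_OK, NL_TOO_BIG, NL_MALFORMED };
struct nl_info { uint32_t declared_len; uint16_t type; };

/* Read a little-endian 32-bit field (assumption: strace taken on such a host). */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* got = bytes returned by recvfrom(); cap = size of the buffer passed to it. */
enum nl_verdict classify_datagram(const unsigned char *buf, size_t got,
                                  size_t cap, struct nl_info *out) {
    memset(out, 0, sizeof *out);
    if (got < NL_HDRLEN)
        return NL_MALFORMED;
    out->declared_len = le32(buf);
    out->type = (uint16_t)(buf[4] | buf[5] << 8);
    if (out->declared_len < NL_HDRLEN)
        return NL_MALFORMED;
    if (out->declared_len <= got)
        return NL_OK;
    /* Header claims more than we hold: a completely full buffer means the
     * datagram was cut short on receive, so report it as oversized. */
    return got == cap ? NL_TOO_BIG : NL_MALFORMED;
}

/* Constructed from the first 16 bytes shown in Comment 1: "\275$\0\0\35\5..." */
static const unsigned char comment1_hdr[NL_HDRLEN] = { 0xbd, 0x24, 0, 0, 0x1d, 0x05 };

enum nl_verdict check_comment1(struct nl_info *out) {
    static unsigned char buf[8988];  /* buffer size passed to recvfrom() there */
    memcpy(buf, comment1_hdr, sizeof comment1_hdr);
    return classify_datagram(buf, 8988, sizeof buf, out);
}

int main(void) {
    struct nl_info i;
    if (check_comment1(&i) == NL_TOO_BIG)  /* log the loss, never drop silently */
        fprintf(stderr, "netlink message too big: type=%u declared=%u got=8988\n",
                (unsigned)i.type, (unsigned)i.declared_len);
    return 0;
}
```

Message type 1309 in that header is AUDIT_EXECVE, the record that carries the argument list from the oversized `ls` invocation.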
