Bug 315561 - Audit system drops messages which are too large
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-10-02 16:22 UTC by Eric Paris
Modified: 2008-01-01 15:37 UTC (History)
Last Closed: 2008-01-01 15:37:24 UTC


Attachments
strace of auditd when I exec'd ls with a huge arg list (3.05 KB, text/plain)
2007-10-02 16:35 UTC, Eric Paris

Description Eric Paris 2007-10-02 16:22:01 UTC
Description of problem:

If the kernel sends a huge message to the audit userspace (>8k), audit userspace
(somewhere) drops the message on the floor.

The kernel doesn't typically send messages that big, but in rawhide it's
possible to send a message up to size 32k.

I'd prefer to see audit userspace handle arbitrary message size, audit that it
dropped something, really anything other than silently losing information.

(P.S. I'm fixing the kernel to not be able to send such a large message where I
know it is possible.)

Comment 1 Eric Paris 2007-10-02 16:31:48 UTC
recvfrom(3, "\275$\0\0\35\5\0\0\0\0\0\0\0\0\0\0audit(1191367234.497:17):
a0=\"ls\"\na1=\"--color=tty\"\na2=\"dir1/file1\"\na3=\"dir1/file10\"\na4=\"dir1/file11\"\na5=\"dir1/file12\"\na6=\"dir1/file13\"\na7=\"dir1/file14\"\na8=\"dir1/file15\"\na9=\"dir1/file16\"\na10=\"dir1/file17\"\na11=\"dir1/file18\"\na12=\"dir1/file19\"\na13=\"dir1/file2\"\na14=\"dir1/file20\"\na15=\"dir1/file21\"\na16=\"dir1/file22\"\na17=\"dir1/file23\"\na18=\"dir1/file24\"\na19=\"dir1/file25\"\na20=\"dir1/file26\"\na21=\"dir1/file27\"\na22=\"dir1/file28\"\na23=\"dir1/file29\"\na24=\"dir1/file3\"\na25=\"dir1/file30\"\na26=\"dir1/file31\"\na27=\"dir1/file32\"\na28=\"dir1/file33\"\na29=\"dir1/file34\"\na30=\"dir1/file35\"\na31=\"dir1/file36\"\na32=\"dir1/file37\"\na33=\"dir1/file38\"\na34=\"dir1/file39\"\na35=\"dir1/file4\"\na36=\"dir1/file40\"\na37=\"dir1/file41\"\na38=\"dir1/file42\"\na39=\"dir1/file43\"\na40=\"dir1/file44\"\na41=\"dir1/file45\"\na42=\"dir1/file46\"\na43=\"dir1/file47\"\na44=\"dir1/file48\"\na45=\"dir1/file49\"\na46=\"dir1/file5\"\na47=\"dir1/file50\"\na48=\"dir1/file6\"\na49=\"dir1/file7\"\na50=\"dir1/file8\"\na51=\"dir1/file9\"\na52=\"dir2/file1\"\na53=\"dir2/file10\"\na54=\"dir2/file11\"\na55=\"dir2/file12\"\na56"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 8988


Comment 2 Eric Paris 2007-10-02 16:35:55 UTC
Created attachment 213671
strace of auditd when I exec'd ls with a huge arg list

Comment 3 Steve Grubb 2008-01-01 15:37:24 UTC
Since 1.6.4, the audit daemon now logs that a message was too large. This is
about all that can be done given the design.
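
An added example, not auditd's code and not part of this bug report: one way a fixed-buffer datagram receiver can notice an oversized message instead of losing it silently. It assumes an AF_UNIX socketpair as an unprivileged stand-in for the audit netlink socket; `recv_checked`, `demo` and `struct hdr` are hypothetical names, and the sizes (8988-byte buffer, declared length 9405, type 1309) are decoded from the first bytes of the strace in comment 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define RX_BUF 8988   /* receive buffer size seen in the recvfrom() call */

/* Same field layout as struct nlmsghdr (length first, host byte order). */
struct hdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };

/* Returns 0 if the datagram fit, 1 if it was truncated, -1 on error.
 * *claimed = length the header declares, *got = bytes actually received. */
int recv_checked(int fd, uint32_t *claimed, ssize_t *got)
{
    static char buf[RX_BUF];
    struct iovec iov = { buf, sizeof buf };
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
    struct hdr h;

    *got = recvmsg(fd, &mh, 0);
    if (*got < (ssize_t)sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    *claimed = h.len;
    /* Two independent signals: the kernel's flag, and header vs. bytes read. */
    if ((mh.msg_flags & MSG_TRUNC) || h.len > (uint32_t)*got) {
        fprintf(stderr, "type %u: message too large (%u > %zd), truncated\n",
                h.type, h.len, *got);
        return 1;
    }
    return 0;
}

/* Constructed input: send one total_len-byte message and receive it. */
int demo(uint32_t total_len, uint32_t *claimed, ssize_t *got)
{
    static char msg[16384];
    struct hdr h = { .len = total_len, .type = 1309 /* AUDIT_EXECVE */ };
    int sv[2], rc = -1;

    if (total_len < sizeof h || total_len > sizeof msg) return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    memset(msg, 'a', sizeof msg);
    memcpy(msg, &h, sizeof h);
    if (send(sv[0], msg, total_len, 0) == (ssize_t)total_len) rc = recv_checked(sv[1], claimed, got);
    close(sv[0]); close(sv[1]);
    return rc;
}
```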

