315561 – Audit system drops messages which are too large

Bug 315561 - Audit system drops messages which are too large

Summary: Audit system drops messages which are too large

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	audit
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Steve Grubb
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-10-02 16:22 UTC by Eric Paris
Modified:	2008-01-01 15:37 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2008-01-01 15:37:24 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
strace of auditd when I exec'd ls with a huge arg list (3.05 KB, text/plain) 2007-10-02 16:35 UTC, Eric Paris	no flags	Details
View All

Description Eric Paris 2007-10-02 16:22:01 UTC

Description of problem:

If the kernel sends a huge message to the audit userspace (>8k) audit userspace
(somewhere) drops the message on the floor.

The kernel doesn't typically send messages that big, but in rawhide it's
possible to send a message up to size 32k.

I'd prefer to see audit userspace handle arbitrary message size, audit that it
dropped something, really anything other than silently losing information.

(p.s. i'm fixing the kernel to not be able to send such a large message where i
know it is possible)

Comment 1 Eric Paris 2007-10-02 16:31:48 UTC

recvfrom(3, "\275$\0\0\35\5\0\0\0\0\0\0\0\0\0\0audit(1191367234.497:17):
a0=\"ls\"\na1=\"--color=tty\"\na2=\"dir1/file1\"\na3=\"dir1/file10\"\na4=\"dir1/file11\"\na5=\"dir1/file12\"\na6=\"dir1/file13\"\na7=\"dir1/file14\"\na8=\"dir1/file15\"\na9=\"dir1/file16\"\na10=\"dir1/file17\"\na11=\"dir1/file18\"\na12=\"dir1/file19\"\na13=\"dir1/file2\"\na14=\"dir1/file20\"\na15=\"dir1/file21\"\na16=\"dir1/file22\"\na17=\"dir1/file23\"\na18=\"dir1/file24\"\na19=\"dir1/file25\"\na20=\"dir1/file26\"\na21=\"dir1/file27\"\na22=\"dir1/file28\"\na23=\"dir1/file29\"\na24=\"dir1/file3\"\na25=\"dir1/file30\"\na26=\"dir1/file31\"\na27=\"dir1/file32\"\na28=\"dir1/file33\"\na29=\"dir1/file34\"\na30=\"dir1/file35\"\na31=\"dir1/file36\"\na32=\"dir1/file37\"\na33=\"dir1/file38\"\na34=\"dir1/file39\"\na35=\"dir1/file4\"\na36=\"dir1/file40\"\na37=\"dir1/file41\"\na38=\"dir1/file42\"\na39=\"dir1/file43\"\na40=\"dir1/file44\"\na41=\"dir1/file45\"\na42=\"dir1/file46\"\na43=\"dir1/file47\"\na44=\"dir1/file48\"\na45=\"dir1/file49\"\na46=\"dir1/file5\"\na47=\"dir1/file50\"\na48=\"dir1/file6\"\na49=\"dir1/file7\"\na50=\"dir1/file8\"\na51=\"dir1/file9\"\na52=\"dir2/file1\"\na53=\"dir2/file10\"\na54=\"dir2/file11\"\na55=\"dir2/file12\"\na56"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 8988

Comment 2 Eric Paris 2007-10-02 16:35:55 UTC

Created attachment 213671 [details]
strace of auditd when I exec'd ls with a huge arg list

Comment 3 Steve Grubb 2008-01-01 15:37:24 UTC

Since 1.6.4, the audit daemon now logs that a message was too large. This is
about all that can be done given the design.

Note You need to log in before you can comment on or make changes to this bug.