Bug 440075 - auditd memory leak (11GB in 5 minutes)
auditd memory leak (11GB in 5 minutes)
Product: Fedora
Classification: Fedora
Component: audit (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Steve Grubb
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-04-01 12:39 EDT by Joe Nall
Modified: 2008-04-08 16:11 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-08 15:37:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/etc/audit/audit.rules (8.82 KB, text/plain)
2008-04-01 14:03 EDT, Joe Nall
no flags Details
/etc/audit/auditd.conf (499 bytes, text/plain)
2008-04-01 14:04 EDT, Joe Nall
no flags Details

  None (edit)
Description Joe Nall 2008-04-01 12:39:50 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008033120 Fedora/3.0-0.51.beta5rc2.fc9 Firefox/3.0b5

Description of problem:
auditd grew from 40m to over 12GB in a test application run

Tasks: 178 total,   2 running, 176 sleeping,   0 stopped,   0 zombie
Cpu(s): 15.3%us, 52.6%sy,  0.0%ni, 14.2%id, 14.0%wa,  0.0%hi,  4.0%si,  0.0%st
Mem:   6064320k total,  6034416k used,    29904k free,    94976k buffers
Swap:  2040244k total,  1290880k used,   749364k free,   208632k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND                                                                                             
 1874 root      17  -3 12.0g 4.6g  528 S 14.2 79.3   1:22.75 auditd          

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:
MLS/Permissive system with several daemons generating audit

Actual Results:
Rapidly increasing memory usage

Expected Results:
Stable memory usage

Additional info:
Comment 1 Joe Nall 2008-04-01 12:43:21 EDT
Sorry about the wimpy bug report. The machine was becoming very sluggish and I was worried about 
losing the browser session when the machine died.
Comment 2 Steve Grubb 2008-04-01 12:53:55 EDT
Can you give me any details about the auditd.conf file? I am curious if it was
in the shipped default config or changed in any way. Thanks.
Comment 3 Joe Nall 2008-04-01 14:03:52 EDT
Created attachment 299935 [details]
Comment 4 Joe Nall 2008-04-01 14:04:37 EDT
Created attachment 299936 [details]
Comment 5 Steve Grubb 2008-04-04 17:35:20 EDT
The auditd configuration looks fairly simple. I was worried that you have email
notification turned on or something else somewhat different like exec command
kind of action.

Were there anything related to auditd in syslog that was unusual? Which glibc
was installed at the time? Have there been any recurrences?
Comment 6 Steve Grubb 2008-04-04 21:48:29 EDT
OK, I found the memory leak. It was in the End of Event code. This would only be
triggered on the 2.6.25 kernel since previous kernels do not send EOE records.
audit-1.7-3.fc9 was built to address this problem, please give it a try.
Comment 7 Steve Grubb 2008-04-08 15:37:59 EDT
I am closing this bug report as I'm pretty sure the leak I found is the one that
is causing the problems. If you find a recurrance of this, please note the
audit, kernel, and glibc versions. Thanks for reporting the problem.
Comment 8 Joe Nall 2008-04-08 16:11:04 EDT
1.7.3 fixed the memory leak for me.

Note You need to log in before you can comment on or make changes to this bug.