From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008033120 Fedora/3.0-0.51.beta5rc2.fc9 Firefox/3.0b5 Description of problem: auditd grew from 40m to over 12GB in a test application run Tasks: 178 total, 2 running, 176 sleeping, 0 stopped, 0 zombie Cpu(s): 15.3%us, 52.6%sy, 0.0%ni, 14.2%id, 14.0%wa, 0.0%hi, 4.0%si, 0.0%st Mem: 6064320k total, 6034416k used, 29904k free, 94976k buffers Swap: 2040244k total, 1290880k used, 749364k free, 208632k cached PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1874 root 17 -3 12.0g 4.6g 528 S 14.2 79.3 1:22.75 auditd Version-Release number of selected component (if applicable): audit-1.7-1.fc9.x86_64 How reproducible: Didn't try Steps to Reproduce: MLS/Permissive system with several daemons generating audit Actual Results: Rapidly increasing memory usage Expected Results: Stable memory usage Additional info:
Sorry about the wimpy bug report. The machine was becoming very sluggish and I was worried about losing the browser session when the machine died.
Can you give me any details about the auditd.conf file? I am curious if it was in the shipped default config or changed in any way. Thanks.
Created attachment 299935 [details] /etc/audit/audit.rules
Created attachment 299936 [details] /etc/audit/auditd.conf
The auditd configuration looks fairly simple. I was worried that you have email notification turned on or something else somewhat different like exec command kind of action. Were there anything related to auditd in syslog that was unusual? Which glibc was installed at the time? Have there been any recurrences?
OK, I found the memory leak. It was in the End of Event code. This would only be triggered on the 2.6.25 kernel since previous kernels do not send EOE records. audit-1.7-3.fc9 was built to address this problem, please give it a try.
I am closing this bug report as I'm pretty sure the leak I found is the one that is causing the problems. If you find a recurrance of this, please note the audit, kernel, and glibc versions. Thanks for reporting the problem.
1.7.3 fixed the memory leak for me.