Red Hat Bugzilla – Bug 440075
auditd memory leak (11GB in 5 minutes)
Last modified: 2008-04-08 16:11:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008033120 Fedora/3.0-0.51.beta5rc2.fc9 Firefox/3.0b5
Description of problem:
auditd grew from 40m to over 12GB in a test application run
Tasks: 178 total, 2 running, 176 sleeping, 0 stopped, 0 zombie
Cpu(s): 15.3%us, 52.6%sy, 0.0%ni, 14.2%id, 14.0%wa, 0.0%hi, 4.0%si, 0.0%st
Mem: 6064320k total, 6034416k used, 29904k free, 94976k buffers
Swap: 2040244k total, 1290880k used, 749364k free, 208632k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1874 root 17 -3 12.0g 4.6g 528 S 14.2 79.3 1:22.75 auditd
Version-Release number of selected component (if applicable):
Steps to Reproduce:
MLS/Permissive system with several daemons generating audit
Rapidly increasing memory usage
Stable memory usage
Sorry about the wimpy bug report. The machine was becoming very sluggish and I was worried about
losing the browser session when the machine died.
Can you give me any details about the auditd.conf file? I am curious if it was
in the shipped default config or changed in any way. Thanks.
Created attachment 299935 [details]
Created attachment 299936 [details]
The auditd configuration looks fairly simple. I was worried that you have email
notification turned on or something else somewhat different like exec command
kind of action.
Were there anything related to auditd in syslog that was unusual? Which glibc
was installed at the time? Have there been any recurrences?
OK, I found the memory leak. It was in the End of Event code. This would only be
triggered on the 2.6.25 kernel since previous kernels do not send EOE records.
audit-1.7-3.fc9 was built to address this problem, please give it a try.
I am closing this bug report as I'm pretty sure the leak I found is the one that
is causing the problems. If you find a recurrance of this, please note the
audit, kernel, and glibc versions. Thanks for reporting the problem.
1.7.3 fixed the memory leak for me.