983483 – audisp-remote terminates immediately with a non-empty queue

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 983483 - audisp-remote terminates immediately with a non-empty queue

Summary: audisp-remote terminates immediately with a non-empty queue

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	audit
Sub Component:
Version:	7.0
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	beta
Target Release:	---
Assignee:	Steve Grubb
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	RHEL7CCC
TreeView+	depends on / blocked

Reported:	2013-07-11 10:03 UTC by Ondrej Moriš
Modified:	2013-07-16 22:52 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-07-16 22:52:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Ondrej Moriš 2013-07-11 10:03:12 UTC

Description of problem:

Changeset 771 in audit introduced the following change in audisp/plugins/remote/audisp-remote.c:

--- a/trunk/audisp/plugins/remote/audisp-remote.c
+++ b/trunk/audisp/plugins/remote/audisp-remote.c
@@ -553,6 +553,5 @@
                 if (sock > 0 && FD_ISSET(sock, &wfd)) {
                         // If so, try to drain backlog
-                        while (q_queue_length(queue) && !suspend &&
-                                        !stop && transport_ok)
+                        while (q_queue_length(queue)&& !suspend && transport_ok)
                                 send_one(queue);
                 }

In other words, once a stop request (controlled by term_handler) is set, audisp-remote plugin terminates even though some messages are left in the queue. Unfortunately this leads to the following behaviour:

# echo "ABC" | audisp-remote
# tail /var/log/messages
...
Jul 11 11:26:14 cc-toe3 audisp-remote: Connected to 10.0.0.2
Jul 11 11:26:14 cc-toe3 audisp-remote: Audisp-remote started with queue_size: 0
Jul 11 11:26:14 cc-toe3 audisp-remote: audisp-remote is exiting on stop request, queue_size: 1

And the "ABC" message is not recorded (it is lost in the unemptied queue). It seems that a stop request is "somehow" set too fast for some reason. I am bit lost in details, see also Additional info.

Version-Release number of selected component (if applicable):

audit-2.3.1-4.el7.x86_64

How reproducible:

100%

Steps to Reproduce:

1. configure auditd and audisp-remote plugin as follows:

auditd.conf:

log_group = root
priority_boost = 3    
tcp_listen_queue = 5
tcp_max_per_addr = 1                                             
tcp_client_max_idle = 0
name_format = none
enable_krb5 = no
krb5_principal = auditd
DISP_qos = lossy
log_file = /var/log/audit/audit.log
log_format = RAW
num_logs = 5
max_log_file = 1024
max_log_file_action = IGNORE
space_left = 2
space_left_action = IGNORE
admin_space_left = 1
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = IGNORE
action_mail_acct = root
flush = INCREMENTAL
freq = 20
tcp_listen_port = 60
tcp_client_ports = 61

audisp-remote.conf:

port = 60                      
transport = tcp
queue_depth = 200
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 15   
network_failure_action = IGNORE
disk_error_action = IGNORE
remote_ending_action = IGNORE
generic_error_action = IGNORE
generic_warning_action = IGNORE
disk_full_action = IGNORE
disk_low_action = IGNORE
remote_server = 10.0.0.2
local_port = 61
mode = immediate

2. restart the auditd service
3. echo "ABC" | audisp-remote
3. see /var/log/audit/audit.log (message should be there)

Actual results:

Message is not recorded.

Expected results:

Message is recorded.

Additional info:

Previously it worked in a way that even with a stop request set, the queue was emptied. This is better than non-emptying the backlog queue, but it caused problem when a queue was over-filled with hundreds of messages as follows:

...
Jul 11 11:41:08 cc-toe3 auditd[11883]: Audit daemon has no space left on logging partition
Jul 11 11:41:08 cc-toe3 audisp-remote: remote logging stopping due to remote server is low on disk space
...

From my point of view, the best solution might be to keep emptying the backlog queue even after the stop request with the assumption that the same messages are aggregated on dropped at same point (which has pitfalls too, but...).

Comment 1 Steve Grubb 2013-07-11 19:04:06 UTC

I'm not entirely sure that's a proper test for audisp-remote. What's happening is bash tears down the pipes between the processes as soon as the echo completes. When this happens it triggers the select and then it sees a term signal was received. It never had a chance to send the event.

In real life, we have to worry about systemd shutting down the system. It doesn't give much time until it sends sigkill to everything. What we do is just stop under the assumption that we can process any outstanding events next time, but we need to exit so that audispd can exit so that auditd can exit. One of those might finish first causing more fun.

If you really want to test like that, you might be better off just making a shell script that keeps stdout open a bit longer, like:

#!/bin/sh
echo $1
sleep 2

then ./slow-echo "ABCD" | audisp-remote

Comment 2 Ondrej Moriš 2013-07-16 22:52:22 UTC

Thanks Steve for your explanation and hint, both are very helpful and solves the problem. However, a new issues was revealed afterwards (Bug 985142). Since it was shown that this is not a bug, I am closing this bugzilla.

Note You need to log in before you can comment on or make changes to this bug.