From: Steve Grubb
Subject: Re: RHEL-AS-4.4 and auditd-1.0.14
Date: Sat, 10 Feb 2007 09:27:43 -0500
Message-ID: <200702100927.43533.sgrubb@redhat.com>
References: <8585B1BA-20C5-4733-B12E-A5B85ACE62F5@tusc.com.au>
In-Reply-To: <8585B1BA-20C5-4733-B12E-A5B85ACE62F5@tusc.com.au>
To: linux-audit@redhat.com
Cc: Simon Jones
List-Id: linux-audit@redhat.com

On Thursday 08 February 2007 23:12, Simon Jones wrote:
> I've had a quick look over the archives and couldn't find anything,
> so if this has already been fixed, please be kind...

No one has reported any problem of this kind.

> I went from using the standard CAPP.rules example file to the
> following audit.rules file:

This reduces what the kernel is doing. Does this also reduce the number of
events hitting your audit logs?

> -D
> -w /etc -p w -k ETC

This only records writes to the /etc directory and not the files in the /etc
directory.

> -w /etc/sysconfig -p w -k SYSCONFIG
> -w /caer/e/cnf -p w -k DMS_CNF
> -w /caer/g/cnf -p w -k GAS_CNF
> -w /bin/su -p x -k SBIN
>
> A glance at cat /proc/slabinfo shows that there may be a memory leak:
> After two minutes:
> size-32 13447 13447 32 119 1 : tunables 120 60 8 : slabdata 113 113 0
> After several hours:
> size-32 18598891 18599105 32 119 1 : tunables 120 60 8 : slabdata 156295 156295 0

I wonder if you still see the leak if you load the rules but do not start the
audit daemon? We need to see if it's a kernel memory leak or user space. I've
run valgrind against auditd and do not know of any leaks.

>
> Whereas on a server not running the auditd daemon a cat /proc/slabinfo
> gives:
> After two minutes:
> size-32 3556 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0
> After several hours:
> size-32 3601 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0

But do you still have the CAPP rules loaded?

> I found this https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=193542#c15
> bug that seems to have a similar problem...

Similar but different.

> If so has it been fixed in 1.0.15?

No one's reported such an issue...so no one's worked on it. The first step is
determining if the problem is kernel or user space. Please load the CAPP
rules without starting the audit daemon and see what that shows.

Thanks,
-Steve
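The slabinfo comparison Simon did by eye, as an added example that is not part of the thread or of the audit project: it parses two `/proc/slabinfo` snapshots (the four `size-32` lines above are embedded as constructed sample input) and reports the growth of one cache so the same check can be repeated for the "rules loaded, auditd not started" case Steve asks for. The field layout assumed is the slabinfo 2.x one (name, active_objs, num_objs, objsize, ...); the leak thresholds are hypothetical heuristics.

```python
"""Compare two /proc/slabinfo snapshots and flag a cache whose active object
count keeps climbing. Assumes the slabinfo 2.x line layout:
name active_objs num_objs objsize objperslab pagesperslab : tunables ... : slabdata ..."""

# Constructed sample snapshots; the size-32 figures are the ones quoted in the mail.
WITH_AUDITD_T0 = "size-32 13447 13447 32 119 1 : tunables 120 60 8 : slabdata 113 113 0"
WITH_AUDITD_T1 = "size-32 18598891 18599105 32 119 1 : tunables 120 60 8 : slabdata 156295 156295 0"
NO_AUDITD_T0 = "size-32 3556 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0"
NO_AUDITD_T1 = "size-32 3601 3808 32 119 1 : tunables 120 60 8 : slabdata 32 32 0"


def parse_slabinfo(text):
    """Return {cache_name: (active_objs, num_objs, objsize)} for every data line.
    The 'slabinfo - version' banner and the '# name ...' header are skipped."""
    caches = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue
        fields = line.split()
        caches[fields[0]] = (int(fields[1]), int(fields[2]), int(fields[3]))
    return caches


def slab_growth(before, after, cache):
    """Growth of one cache between snapshots: (delta_objs, delta_bytes, ratio)."""
    active0, _, objsize = parse_slabinfo(before)[cache]
    active1, _, _ = parse_slabinfo(after)[cache]
    delta = active1 - active0
    ratio = active1 / active0 if active0 else float("inf")
    return delta, delta * objsize, ratio


def looks_like_leak(before, after, cache, min_ratio=10.0, min_bytes=64 << 20):
    """Hypothetical heuristic: tenfold growth AND at least 64 MiB of new objects
    is sustained growth, not the jitter seen on the idle server."""
    _, delta_bytes, ratio = slab_growth(before, after, cache)
    return ratio >= min_ratio and delta_bytes >= min_bytes


if __name__ == "__main__":
    # Real use: save `cat /proc/slabinfo` twice, hours apart, and pass both files' text.
    for label, t0, t1 in (("auditd running", WITH_AUDITD_T0, WITH_AUDITD_T1),
                          ("auditd stopped", NO_AUDITD_T0, NO_AUDITD_T1)):
        d, b, r = slab_growth(t0, t1, "size-32")
        print(f"{label}: size-32 +{d} objs (+{b / 2**20:.1f} MiB, x{r:.1f}) "
              f"leak={looks_like_leak(t0, t1, 'size-32')}")
```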