Bug in Queue Statistics?

Bug in Queue Statistics?

[Amjad Gabbar]

[-- Attachment #1.1: Type: text/plain, Size: 3222 bytes --]

Hi Everyone,

Had a couple of concerns that I wanted to discuss:

1.

I was getting a few "auditd queue full" messages in syslog. I had
previously faced similar issues after which I had increased the q_depth and
modified my ruleset to reduce the number of events logged which had brought
down these errors significantly.

However, once I started receiving the same error, I examined the auditd
logs using aureport and ausearch and to my surprise there were hardly any
events during the given time period. To debug this, when I generated the
queue statistics, the numbers I saw seem to indicate very strongly that
there is a bug somewhere in the code.

This seemed to be the case on multiple machines.
Output of /var/run/auditd.state:

sudo cat /run/auditd.state

                current time = 03/02/22 18:30:47 process priority = -4
writing to logs = no Number of active plugins = 1 current plugin queue
depth = 4294967240 max plugin queue depth used = 4294967295 plugin queue
size = 25000 plugin queue overflow detected = yes plugin queueing suspended
= no listening for network connections = no

I am not sure but the only way I can think that max plugin queue depth used
can be 4294967295 (despite the maxlimit being set to 25000) is if we
dequeue an event before it has been enqueued. Also, the current plugin
queue depth suggests that events are being dequeued continuously leading to
the value decreasing from 4294967295 to 4294967240?

Not really sure what is going on here but my guess was the queue elements
were not made NULL and the queue variables were reset?

2.

Another update that I would like to make is currently, if we reload the
auditd configuration instead of restarting, although the configuration
changes, we do not reset some of the queue statistic variables which I feel
is incorrect.

https://github.com/linux-audit/audit-userspace/blob/770e4f538103f8a055f46c04a9e2514f88f175c3/src/auditd-event.c#L1466

Ex- If q_depth=400 and the queue overflows, the overflowed variable is set
to 1. On changing the q_depth value to say 10000 and doing a reload, the
queue size has changed and basically so has the queue. I feel here we
should reset some of the queue statistic variables like overflowed as it is
incorrect to say that in it's current form the queue has overflown. This
variable is not reset and I feel that it should be.

If agreed that this is a reasonable change, would it be ok if I submit a PR
for the same?
Also, is it possible that point 2 is causing issues leading to point 1
errors?

3. Would also like to improve the manpage documentation related to
/var/run/auditd.state. Currently it states that it is a dump of the  internal
state. I would like to change that to provide a little more detail about
what the internal state contains - such as queue statistics, priority etc.

Apart from that I feel that we can also add an additonal field to the
auditd.state file as to when the queue has overflown which may make it
easier to perform ausearch related queries with start time and end time.

If any of the changes are worth contributing to I would be happy to make
the said changes.

But yeah, I guess the priority right now should be point1 and we can think
of the others post that.

[-- Attachment #1.2: Type: text/html, Size: 7182 bytes --]

[-- Attachment #2: Type: text/plain, Size: 106 bytes --]

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Re: Bug in Queue Statistics?

[Steve Grubb]

Hello,

On Wednesday, March 2, 2022 4:45:07 PM EST Amjad Gabbar wrote:
> Had a couple of concerns that I wanted to discuss:

Thanks for the report. Before I answer the full email, which version of 
auditd are you using? I want to make sure I'm looking at the right code when 
answering.

Thanks,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Re: Bug in Queue Statistics?

[Steve Grubb]

Hello,

On Wednesday, March 2, 2022 4:45:07 PM EST Amjad Gabbar wrote:
> Had a couple of concerns that I wanted to discuss:
> 
> 1.
> 
> I was getting a few "auditd queue full" messages in syslog. I had
> previously faced similar issues after which I had increased the q_depth and
> modified my ruleset to reduce the number of events logged which had
> brought down these errors significantly.

<snip>

> I am not sure but the only way I can think that max plugin queue depth used
> can be 4294967295 (despite the maxlimit being set to 25000) is if we
> dequeue an event before it has been enqueued. Also, the current plugin
> queue depth suggests that events are being dequeued continuously leading
> to the value decreasing from 4294967295 to 4294967240?

I have a feeling this is hard to get into, but is something like the queue 
gets suspended, reconfigure gets rid of plugins, another reconfigure adds back 
plugins and this resets the queue depth to 0, but there are events. As it 
dequeues them it starts getting negative numbers, but the variable is undined 
int hence the very large numbers.

I changed the way that init and reconfigure interact in commit 514d2bd. When 
the queue is destroyed, it resets all the numbers. Otherwise it will now 
leave them alone unless q_depth is zero - which means we need to reallocate a 
queue.

> 2.
> 
> Another update that I would like to make is currently, if we reload the
> auditd configuration instead of restarting, although the configuration
> changes, we do not reset some of the queue statistic variables which I feel
> is incorrect.
> 
> https://github.com/linux-audit/audit-userspace/blob/770e4f538103f8a055f46c0
> 4a9e2514f88f175c3/src/auditd-event.c#L1466
> 
> Ex- If q_depth=400 and the queue overflows, the overflowed variable is set
> to 1. On changing the q_depth value to say 10000 and doing a reload, the
> queue size has changed and basically so has the queue. I feel here we
> should reset some of the queue statistic variables like overflowed as it is
> incorrect to say that in it's current form the queue has overflown. This
> variable is not reset and I feel that it should be.

This sounds reasonable. Commit a8d7515 should fix this.

> If agreed that this is a reasonable change, would it be ok if I submit a PR
> for the same?

It's a 1 liner. Thanks, though.

> Also, is it possible that point 2 is causing issues leading to point 1
> errors?

No.

> 3. Would also like to improve the manpage documentation related to
> /var/run/auditd.state. Currently it states that it is a dump of the 
> internal state. I would like to change that to provide a little more
> detail about what the internal state contains - such as queue statistics,
> priority etc.

That might be a lot to document. I don't know if anything else will get 
added, but if that happens, we'll have to document that. If this was done, 
I'd say it should go in the auditd man page.

> Apart from that I feel that we can also add an additonal field to the
> auditd.state file as to when the queue has overflown which may make it
> easier to perform ausearch related queries with start time and end time.

Would having it record down to the second be enough? IOW, no sub-second time 
stamp. If just the second is good enough, I can add that. It's only a couple 
lines of code.

> If any of the changes are worth contributing to I would be happy to make
> the said changes.

I don't plan to write a description of the state report. I'll take a PR, 
though.

Best,
-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit