From: Chris Nandor <pudge@pobox.com>
Subject: Re: auditd restart atomic?
Date: Tue, 7 Feb 2017 12:58:33 -0800
In-Reply-To: <20170207152614.GA26855@madcap2.tricolour.ca>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Great, thanks Paul and Richard for the input (and we do have an 8192
backlog queue).  We won't be doing immutable rules, but we'll document
that when we change our chef recipes that update the config, this will
have the effect of deleting rules, so some events may not be logged.

We have talked about using -e 2, but we're still working through our
rules ... when we finalize them, we may go to that.

Thanks,

--Chris

On Tue, Feb 7, 2017 at 7:26 AM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-02-07 10:05, Paul Moore wrote:
> > On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <pudge@pobox.com> wrote:
> > > If I restart auditd, can it lose (not record to the logs) events that happen
> > > during the restart?  Or is the restart (and reload of new rules) essentially
> > > atomic?
> >
> > The kernel maintains a backlog queue of audit records when auditd is
> > not running and attempts to (re)send those records when auditd is
> > started.  However, the backlog queue size is fixed and it is possible
> > to overflow the queue; if that happens a message will be sent to the
> > kernel's ring buffer (dmesg).
>
> The default is 64, the value recommended in some documentation is 320,
> but values of 8k (8192) have been recommended to have enough buffer for
> events like an auditd restart.
>
> Chris, to answer the other half of your question, with respect to rules
> being reloaded atomically, it isn't.  My understanding is it starts with
> a -D to clear out all the rules and then adds rules in sequence from the
> /etc/audit/audit.rules file, so it would be possible to miss an event
> because the rule did not re-exist yet, unless you set your last rule to
> -e 2 to make the ruleset immutable, in which case the restart of auditd
> will have no effect on the existing immutable rule set.
>
> > paul moore
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
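The two points raised in the thread above, the kernel backlog overflowing during an auditd restart and the non-atomic rule reload with `-e 2` needing to be the last rule, as an added shell example that is not part of the mailing-list post or of the audit project. It assumes that `auditctl -s` prints one `key value` per line including `backlog_limit` and `lost`, and that the kernel's overflow message in dmesg contains `audit_lost=`; the status text, dmesg lines and rules files below are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: checks a defender can run around an
# auditd restart. All sample data is constructed.

# Constructed `auditctl -s` output: 8192 backlog, nothing lost.
SAMPLE_STATUS_OK='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Constructed `auditctl -s` output: still at the default 64, records dropped.
SAMPLE_STATUS_OVERFLOW='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 64
lost 37
backlog 0'

# Constructed dmesg excerpt around a restart (message text is an assumption).
SAMPLE_DMESG='[  120.441233] audit: audit_backlog=65 > audit_backlog_limit=64
[  120.441240] audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
[  121.002311] systemd[1]: Started Security Auditing Service.'

# backlog_limit_of STATUS_TEXT: print the backlog_limit field.
backlog_limit_of() {
    printf '%s\n' "$1" | awk '$1 == "backlog_limit" { print $2 }'
}

# lost_of STATUS_TEXT: print the kernel's count of lost audit records.
lost_of() {
    printf '%s\n' "$1" | awk '$1 == "lost" { print $2 }'
}

# check_backlog STATUS_TEXT MIN_LIMIT: succeed only if the configured backlog
# is at least MIN_LIMIT and the kernel has not dropped records. A non-zero
# lost count after a restart means the queue was too small for that window.
check_backlog() {
    limit=$(backlog_limit_of "$1")
    lost=$(lost_of "$1")
    ok=0
    if [ "${limit:-0}" -lt "$2" ]; then
        echo "backlog_limit ${limit:-unset} is below $2" >&2
        ok=1
    fi
    if [ "${lost:-0}" -gt 0 ]; then
        echo "kernel reports $lost lost audit records" >&2
        ok=1
    fi
    return $ok
}

# dmesg_lost_events DMESG_TEXT: count kernel lines reporting lost records.
dmesg_lost_events() {
    printf '%s\n' "$1" | grep -c 'audit_lost=' || true
}

# Hypothetical rules files in the order auditd loads them: clear the set,
# raise the backlog, add watches. Once "-e 2" is applied the kernel refuses
# further changes, so any rule after it is never loaded.
sample_rules_good() {
    cat <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-e 2
EOF
}

sample_rules_bad() {
    cat <<'EOF'
-D
-b 8192
-e 2
-w /etc/passwd -p wa -k identity
EOF
}

# rules_order_ok < RULES: succeed if "-e 2" is absent or is the last rule.
rules_order_ok() {
    awk '
        /^[[:space:]]*#/ { next }          # comment line
        NF == 0          { next }          # blank line
        { last = $0; if ($0 ~ /^-e[[:space:]]+2[[:space:]]*$/) seen = 1 }
        END { exit ((!seen || last ~ /^-e[[:space:]]+2[[:space:]]*$/) ? 0 : 1) }
    '
}

main() {
    check_backlog "$SAMPLE_STATUS_OK" 8192 && echo "status ok: backlog sized, nothing lost"
    check_backlog "$SAMPLE_STATUS_OVERFLOW" 8192 2>/dev/null || echo "status overflow: restart dropped records"
    echo "dmesg lost-record messages: $(dmesg_lost_events "$SAMPLE_DMESG")"
    sample_rules_good | rules_order_ok && echo "good.rules: -e 2 is last"
    sample_rules_bad | rules_order_ok || echo "bad.rules: rules after -e 2 would be rejected"
}

main
```

On a live host, replace the constructed variables with `auditctl -s` and `dmesg` output and run `rules_order_ok < /etc/audit/audit.rules` before a config push; the `lost` counter is cumulative, so compare it before and after the restart rather than expecting zero.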