From: Richard Guy Briggs <rgb@redhat.com>
To: Alan Evangelista <alan.vitor@gmail.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: Backlog not working with kernel 3.10
Date: Tue, 16 Mar 2021 21:46:53 -0400	[thread overview]
Message-ID: <20210317014653.GT986374@madcap2.tricolour.ca> (raw)
In-Reply-To: <CAKz+TUuPtycbqY37L3SJMsdJXw=3jW3_7fnSn0oJeP4QCV2TtQ@mail.gmail.com>

On 2021-03-16 18:25, Alan Evangelista wrote:
> AFAIK, the purpose of the backlog (a queue of audit events in the kernel)
> is to assure no events are lost when events are generated at a faster speed
> than they are consumed.
> 
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
> 
> Audit rule:
> -a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S
> unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S
> renameat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S
> mkdir -S mkdirat -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -k filesystem_op
> 
> First I turned auditd off so that events are not consumed:
> 
> # service stop auditd
> 
> Then I make sure that the backlog size is greater than 0:
> 
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> rate_limit 5000
> backlog_limit 8192
> lost 0
> backlog 0
> loginuid_immutable 0 unlocked
> 
> I have run some simple commands in /data that should be logged, e.g.
> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
> the backlog events counter go up, but it's still 0. If I start auditd
> again, the events are never logged. Am I missing something here?

So, since you haven't indicated if you have tried and tested this
already, please start by running those simple commands while the auditd
service is running and verifying that those commands do get logged as
expected.  If they don't, fix that first.

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
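The exchange above turns on reading the counters that `auditctl -s` prints (`pid`, `backlog`, `backlog_limit`, `lost`). The following POSIX shell script is an added example, not code from the thread or from the audit project: it parses that status text and classifies it the way a monitoring check would, flagging dropped records (`lost` above zero), a backlog near its limit, and the situation the original poster was in (auditing enabled but `pid 0`, i.e. no daemon registered to drain the queue). The function names, the 90% threshold and the sample status blocks are assumptions constructed for the example; the first sample is the status block quoted in the thread.

```shell
#!/bin/sh
# Added example (not part of the original thread): evaluate `auditctl -s`
# output and report the conditions that matter when checking the kernel
# audit backlog. Usage:  auditctl -s | audit_backlog_check "$(cat)"

# Print the numeric value of one "key value" line from the status text,
# or 0 if the key is absent (hypothetical helper, not an auditctl feature).
audit_field() {
    printf '%s\n' "$2" | awk -v k="$1" \
        '$1 == k { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# Classify a status block. Prints one line (OK / WARN / CRIT plus reason)
# and returns 0 for OK, 1 for WARN, 2 for CRIT.
audit_backlog_check() {
    status="$1"
    enabled=$(audit_field enabled "$status")
    pid=$(audit_field pid "$status")
    limit=$(audit_field backlog_limit "$status")
    backlog=$(audit_field backlog "$status")
    lost=$(audit_field lost "$status")

    # lost > 0 means the kernel already discarded records: nothing downstream
    # (auditd, dispatcher, SIEM) will ever see them.
    if [ "$lost" -gt 0 ]; then
        echo "CRIT lost=$lost audit records were dropped by the kernel"
        return 2
    fi
    # A backlog at 90% of backlog_limit (assumed threshold) means the daemon
    # is not draining fast enough and drops are imminent.
    if [ "$limit" -gt 0 ] && [ $((backlog * 100)) -ge $((limit * 90)) ]; then
        echo "WARN backlog=$backlog is at or above 90% of backlog_limit=$limit"
        return 1
    fi
    # pid 0 with auditing enabled is the poster's situation: no daemon has
    # registered with the kernel, so records are not being consumed.
    if [ "$enabled" -eq 1 ] && [ "$pid" -eq 0 ]; then
        echo "WARN auditing enabled but no daemon registered (pid 0)"
        return 1
    fi
    echo "OK backlog=$backlog/$limit lost=$lost pid=$pid"
    return 0
}

# Constructed sample 1: the status the original poster pasted (auditd stopped).
SAMPLE_STOPPED='enabled 1
failure 1
pid 0
rate_limit 5000
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked'

# Constructed sample 2: daemon running, queue draining normally.
SAMPLE_OK='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 12
loginuid_immutable 0 unlocked'

# Constructed sample 3: daemon running but falling behind.
SAMPLE_FULL='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 8000
loginuid_immutable 0 unlocked'

# Constructed sample 4: the kernel has already discarded records.
SAMPLE_LOST='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 42
backlog 8192
loginuid_immutable 0 unlocked'

# Demonstration run over the four constructed samples (safe under set -e).
for s in "$SAMPLE_STOPPED" "$SAMPLE_OK" "$SAMPLE_FULL" "$SAMPLE_LOST"; do
    rc=0
    audit_backlog_check "$s" || rc=$?
    echo "  exit status $rc"
done
```

On a live host, pipe `auditctl -s` into the function; the exit status lets a cron job or monitoring agent alert on WARN/CRIT without parsing the message text.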

