From: Richard Guy Briggs
To: Alan Evangelista
Cc: Linux-Audit Mailing List
Subject: Re: Backlog not working with kernel 3.10
Date: Tue, 16 Mar 2021 21:46:53 -0400
Message-ID: <20210317014653.GT986374@madcap2.tricolour.ca>
On 2021-03-16 18:25, Alan Evangelista wrote:
> AFAIK, the purpose of the backlog (a queue of audit events in the kernel)
> is to assure no events are lost when events are generated at a faster speed
> than they are consumed.
>
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
>
> Audit rule:
> -a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S
> unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S
> renameat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S
> mkdir -S mkdirat -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -k filesystem_op
>
> First I turned auditd off so that events are not consumed:
>
> # service stop auditd
>
> Then I make sure that the backlog size is greater than 0:
>
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> rate_limit 5000
> backlog_limit 8192
> lost 0
> backlog 0
> loginuid_immutable 0 unlocked
>
> I have run some simple commands in /data that should be logged, e.g.
> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
> the backlog events counter go up, but it's still 0. If I start auditd
> again, the events are never logged. Am I missing something here?

So, since you haven't indicated if you have tried and tested this already,
please start by running those simple commands while the auditd service is
running and verifying that those commands do get logged as expected. If
they don't, fix that first.

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
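As an added example (not from the thread or from the audit project), a POSIX shell check that parses `auditctl -s` output like the status Alan pasted and flags the states a defender would want to catch before trusting the backlog: auditing disabled, no registered daemon to drain the queue, events already lost, or a queue near its limit. The function names and the 80% threshold are assumptions of this example.

```shell
# Added example, not part of the thread: parse `auditctl -s` output and flag
# states in which queued audit events would be dropped or never drained.
# Assumption: input is the "key value" lines auditctl -s prints, one per line.

# Constructed sample: the status values Alan pasted in the thread.
SAMPLE_STATUS='enabled 1
failure 1
pid 0
rate_limit 5000
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked'

# status_field KEY: print the value of KEY from status text on stdin (empty if absent).
status_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# backlog_check: read status text on stdin, print one finding per line,
# return 0 only when no finding was raised.
backlog_check() {
    status=$(cat)
    enabled=$(printf '%s\n' "$status" | status_field enabled)
    pid=$(printf '%s\n' "$status" | status_field pid)
    limit=$(printf '%s\n' "$status" | status_field backlog_limit)
    backlog=$(printf '%s\n' "$status" | status_field backlog)
    lost=$(printf '%s\n' "$status" | status_field lost)
    rc=0
    if [ "${enabled:-0}" -eq 0 ]; then
        echo "WARN: auditing disabled (enabled=0): nothing is queued or written"
        rc=1
    fi
    if [ "${pid:-0}" -eq 0 ]; then
        echo "WARN: no audit daemon registered (pid=0): the backlog has no consumer"
        rc=1
    fi
    if [ "${lost:-0}" -gt 0 ]; then
        echo "ALERT: $lost audit events already lost"
        rc=1
    fi
    # Warn once the queue is at or above 80% of backlog_limit (integer arithmetic).
    if [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 100 )) -ge $(( limit * 80 )) ]; then
        echo "WARN: backlog $backlog of $limit is at or above 80% of the limit"
        rc=1
    fi
    return $rc
}
```

Run it as `auditctl -s | backlog_check` on a live host; a non-zero exit means at least one finding was printed.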