From: Alan Evangelista
Date: Tue, 16 Mar 2021 18:25:44 -0300
Subject: Backlog not working with kernel 3.10
To: Linux-Audit Mailing List

AFAIK, the purpose of the backlog (a queue of audit events in the kernel) is to assure no events are lost when events are generated at a faster speed than they are consumed.

I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to test the backlog, but it seems it's not working at all.
Audit rule:

-a always,exit -F dir=/sasdata -F arch=b64 -S creat -S open -S openat -S unlink -S unlinkat -S symlink -S symlinkat -S link -S linkat -S rename -S renameat -S chmod -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S mkdir -S mkdirat -S rmdir -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k filesystem_op

First I turned auditd off so that events are not consumed:

# service stop auditd

Then I make sure that the backlog size is greater than 0:

# auditctl -s
enabled 1
failure 1
pid 0
rate_limit 5000
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked

I have run some simple commands in /data that should be logged, e.g. touch file, mkdir dir. Finally, I have run auditctl -s and expected to see the backlog events counter go up, but it's still 0. If I start auditd again, the events are never logged. Am I missing something here?

Thanks in advance.
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
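The test procedure above takes two `auditctl -s` snapshots and compares the counters by eye. The script below is an added example, not code from the post or from the audit project: it parses the status text into fields, computes the change in a counter between two snapshots (the "backlog events counter go up" check), and flags the two settings that decide whether anything can be queued at all. The sample status is constructed from the output shown in the post; the function names are hypothetical. The only semantics it assumes are those documented in auditctl(8): `backlog_limit` is the queue size and `pid` is the pid of the audit daemon currently registered with the kernel, 0 when none is.

```shell
#!/bin/sh
# Added example: parse `auditctl -s` output and check the backlog test setup.
# Not from the original post; field meanings as documented in auditctl(8).

# Constructed sample status, copied from the shape of the output in the post.
SAMPLE_STATUS='enabled 1
failure 1
pid 0
rate_limit 5000
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked'

# audit_field STATUS NAME -> prints the value that follows NAME on its line.
audit_field() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# audit_counter_delta BEFORE AFTER NAME -> prints AFTER - BEFORE for NAME.
# This is the "did the backlog counter go up" check done numerically.
audit_counter_delta() {
    _a=$(audit_field "$1" "$3")
    _b=$(audit_field "$2" "$3")
    echo $(( ${_b:-0} - ${_a:-0} ))
}

# audit_backlog_check STATUS -> prints findings; returns 0 when the kernel
# is enabled, has a non-zero queue and a registered daemon, else 1.
audit_backlog_check() {
    _status=$1
    _rc=0
    _enabled=$(audit_field "$_status" enabled)
    _pid=$(audit_field "$_status" pid)
    _limit=$(audit_field "$_status" backlog_limit)
    _backlog=$(audit_field "$_status" backlog)
    _lost=$(audit_field "$_status" lost)
    case "$_enabled" in
        1|2) ;;
        *) echo "audit is disabled (enabled=${_enabled:-?})"; _rc=1 ;;
    esac
    if [ "${_limit:-0}" -eq 0 ]; then
        echo "backlog_limit is 0: the kernel cannot queue anything"; _rc=1
    fi
    # auditctl(8): pid is the audit daemon's pid; 0 means none is registered.
    if [ "${_pid:-0}" -eq 0 ]; then
        echo "pid 0: no audit daemon is registered with the kernel"; _rc=1
    fi
    echo "queued=${_backlog:-?} lost=${_lost:-?}"
    return $_rc
}

# Live use (root):
#   before=$(auditctl -s); touch /sasdata/file; after=$(auditctl -s)
#   audit_counter_delta "$before" "$after" backlog
#   audit_backlog_check "$after"
```

Run it against the sample and `audit_backlog_check` reports the `pid 0` condition from the post's own output while confirming `backlog_limit` is non-zero; `audit_counter_delta` is what to use for the before/after comparison instead of reading the two listings by hand.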