Bug#867486: Issue with the audit subsystem

To: Salvatore Bonaccorso <carnil@debian.org>, 867486@bugs.debian.org
Subject: Bug#867486: Issue with the audit subsystem
From: Laurent Bigonville <bigon@debian.org>
Date: Thu, 3 Aug 2017 14:38:25 +0200
Message-id: <[🔎] 7fb3ed3f-1d2f-51ac-90e2-a83f4cb9e3da@debian.org>
Reply-to: Laurent Bigonville <bigon@debian.org>, 867486@bugs.debian.org
In-reply-to: <[🔎] 20170803054634.g7fspolv4jhdsd56@eldamar.local>
References: <149936783589.31205.15825974872143618763.reportbug@valinor.bigon.be> <20170709195842.hamhyejyswa54bxr@eldamar.local> <714d4b50-f003-83bb-286c-347c1f947550@debian.org> <[🔎] 20170803054634.g7fspolv4jhdsd56@eldamar.local>

Le 03/08/17 à 07:46, Salvatore Bonaccorso a écrit :

Hi Laurent,

Hi,

Sorry for the lack of time and no reply to this.

On Fri, Jul 14, 2017 at 02:40:02PM +0200, Laurent Bigonville wrote:

Le 09/07/17 à 21:58, Salvatore Bonaccorso a écrit :

Hi

Hi,

Unconfirmed, but the behaviour you are seen might be related to the
changes which went in in 4.11 around
264d509637d95f9404e52ced5003ad352e0f6a26 .

https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26

I posted on the linux-audit mailing list and I get the following reply from
Paul Moore:

On Mon, Jul 10, 2017 at 10:59 AM, Laurent Bigonville<bigon@debian.org>  wrote:

Hi,

With 4.11.6 (that has been uploaded in debian unstable) I get a lot of
messages in dmesg like

[100052.120468] audit: audit_lost=66041 audit_rate_limit=0
audit_backlog_limit=8192
[100052.120470] audit: kauditd hold queue overflow

And it also seems that the messages are not stored in auditd logs anymore.

https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26  seems
to be included in this release

An idea?

I'm going to assume that your backlog limit is set to a sane value for
your system's configuration, so that leaves me with two commits that
may be of interest:

* 1df30f8264b8 ("audit: fix the RCU locking for the auditd_connection
structure")

This was a manual backport of a v4.12 patch to v4.11, looking now, I
see it should be in +v4.11.5 so that probably isn't your problem ...

* c81be52a3ac0 ("audit: fix a race condition with the auditd tracking code")

This patch is relatively new and was just sent up to Linus during the
next merge window; it's a race condition fix so reproducing it can be
tricky, although it may be easily reproducible on your system at the
moment (luck you!).  If you aren't in a position to apply the patch,
the workaround is rather simple: restart auditd.

If none of the above works, let me know, but I strongly suspect you're
tripping over the race condition fixed in that last patch.

I still should test the last patch he mentioned

Did you manage to test the last patch he mentioned? And does it
resolve the issue?

I didn't had the time to recompile the kernel with that patch included.

I can just confirm that it still happening with the kernel currently inexperimental (4.12.2-1~exp1)

Reply to:

References:
- Bug#867486: Issue with the audit subsystem
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#864714: task crm_node:13269 blocked for more than 120 seconds.
Next by Date: Bug#864642: vmxnet3: Reports suspect GRO implementation on vSphere hosts / one VM crashes
Previous by thread: Bug#867486: Issue with the audit subsystem
Next by thread: Processed: found 868902 in 4.9.30-1, fixed 868902 in 4.11.6-1
Index(es):
- Date
- Thread