[GIT PULL] Audit patches for 4.6
by Paul Moore
Hi Linus,
A small set of patches for audit this time; just three in total and one is a
spelling fix. The two patches with actual content are designed to help
prevent new instances of auditd from displacing an existing, functioning
auditd and to generate a log of the attempt. Not to worry, dead/stuck auditd
instances can still be replaced by a new instance without problem.
Nothing controversial, and everything passes our regression suite; please pull
for Linux 4.6.
Thanks,
-Paul
---
The following changes since commit cb74ed278f8054fddf79ed930495b9e214f7c7b2:
audit: always enable syscall auditing when supported and audit is enabled
(2016-01-13 09:18:55 -0500)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit stable-4.6
for you to fetch changes up to fd97646b05957348e01be3d9de5c3d979b25c819:
audit: Fix typo in comment (2016-02-08 11:25:39 -0500)
----------------------------------------------------------------
Richard Guy Briggs (2):
audit: stop an old auditd being starved out by a new auditd
audit: log failed attempts to change audit_pid configuration
Wei Yuan (1):
audit: Fix typo in comment
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 20 +++++++++++++++++++-
kernel/audit_watch.c | 2 +-
kernel/auditfilter.c | 6 +++---
4 files changed, 24 insertions(+), 5 deletions(-)
--
paul moore
security @ redhat
8 years, 7 months
auditd and redhat cluster
by Maupertuis Philippe
Hi list,
One clusters fenced the passive node around two hours after auditd was started.
We have found that iowait has increased since auditd was started and was unusually high.
Auditd wasn't generating many messages and there were no noticeable added activity on the disk were the audit and syslog files were written.
Besides watches, the only general rules were :
# creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -S linkat -S symlinkat -F uid=root -F success=1 -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -S mkdirat -S mknodat -S linkat -S symlinkat -F uid=root -F success=1 -k creation
# deletion
-a exit,always -F arch=b32 -S rmdir -S unlink -S unlinkat -F uid=root -F success=1 -k deletion
-a exit,always -F arch=b64 -S rmdir -S unlink -S unlinkat -F uid=root -F success=1 -k deletion
After the rebot we deleted all rules and didn't notice extra iowait anymore.
Could these rules be the cause of additional iowait even if not generating many events (around 20 in two hours) ?
Is there any other auditd mechanism that could explain this phenomenon ?
I would appreciate any hints.
Regards
Philippe
!!!*************************************************************************************
"Ce message et les pi?ces jointes sont confidentiels et r?serv?s ? l'usage exclusif de ses destinataires. Il peut ?galement ?tre prot?g? par le secret professionnel. Si vous recevez ce message par erreur, merci d'en avertir imm?diatement l'exp?diteur et de le d?truire. L'int?grit? du message ne pouvant ?tre assur?e sur Internet, la responsabilit? de Worldline ne pourra ?tre recherch?e quant au contenu de ce message. Bien que les meilleurs efforts soient faits pour maintenir cette transmission exempte de tout virus, l'exp?diteur ne donne aucune garantie ? cet ?gard et sa responsabilit? ne saurait ?tre recherch?e pour tout dommage r?sultant d'un virus transmis.
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.!!!"
8 years, 7 months