答复: [PATCH][RFC] audit: set wait time to zero when audit failed

-----邮件原件----- 发件人: Paul Moore [mailto:paul@paul-moore.com] 发送时间: 2019年9月18日 20:23 收件人: Li,Rongqing <lirongqing(a)baidu.com&gt; 抄送: Eric Paris <eparis(a)redhat.com>; linux-audit(a)redhat.com 主题: Re: [PATCH][RFC] audit: set wait time to zero when audit failed On Tue, Sep 17, 2019 at 9:07 PM Li,Rongqing <lirongqing(a)baidu.com&gt; wrote: > > -----邮件原件----- > > 发件人: Paul Moore [mailto:paul@paul-moore.com] > > 发送时间: 2019年9月18日 3:17 > > 收件人: Li,Rongqing <lirongqing(a)baidu.com&gt; > > 抄送: Eric Paris <eparis(a)redhat.com>; linux-audit(a)redhat.com > > 主题: Re: [PATCH][RFC] audit: set wait time to zero when audit failed > > > > On Mon, Sep 16, 2019 at 9:08 PM Li,Rongqing <lirongqing(a)baidu.com&gt; wrote: > > > > -----邮件原件----- > > > > 发件人: Paul Moore [mailto:paul@paul-moore.com] > > > > 发送时间: 2019年9月17日 6:52 > > > > 收件人: Li,Rongqing <lirongqing(a)baidu.com&gt; > > > > 抄送: Eric Paris <eparis(a)redhat.com>; linux-audit(a)redhat.com > > > > 主题: Re: [PATCH][RFC] audit: set wait time to zero when audit > > > > failed ... > > > I just want to it as before 3197542482df ("audit: rework > > > audit_log_start()"), wait 60 seconds once if > > > auditd/readaheaad-collector have some problem to drain the audit backlog. > > > > The patch you mention fixed what was deemed to be buggy behavior; as > > mentioned previously in this thread I see no good reason to go back > > to the old behavior. > > > > > > If you are not using audit, you can always disable it via the > > > > kernel command line, or at runtime (look at what Fedora does). > > > > > > > > > > You might also want to investigate what is generating some > > > > > > many audit records prior to starting the audit daemon. > > > > > > > > > > It is /sbin/readahead-collector, in fact, we stop the auditd; > > > > > We are doing a > > > > reboot test, which rebooting machine continue to test hardware/software. > > > > > > > > > > it is same as below: > > > > > auditctl -a always,exit -S all -F pid='xxx' > > > > > kill -s 19 `pidof auditd` > > > > > > > > > > then the audited task will be hung > > > > > > > > So you are seeing this problem only when you run a test, or did > > > > you provide this as a reproducer? > > > > > > auditctl -a always,exit -S all -F ppid=`pidof sshd` kill -s 19 > > > `pidof auditd` ssh root(a)127.0.0.1 > > > > > > then ssh will be hung forever > > > > That is expected behavior. You are putting a massive audit load on > > the system by telling the kernel to audit every syscall that sshd > > makes, then you are intentionally killing the audit daemon and attempting to ssh into the system. > > The proper fix(es) here would be to 1) set reasonable audit rules > > and/or 2) use an init system that monitors and restarts auditd when > > it fails (systemd has this capability, I believe some others do as well). > > Both are not working. > The auditd is not dead, it is in stop status(kill -s 19). So systemd/init will not restart it. > Even if with little audit rules, after multiple accesses, the backlog > will full due to no receiver Fair point, however I still stand by my previous comments that there are runtime configuration knobs which can mitigate this problem if it is something you are concerned about. Depending on the situation, you can either increase the backlog to deal with transient problems, or decrease the backlog wait time (possibly to zero) to prevent blocking entirely.

-- paul moore www.paul-moore.com