4:33 p.m.
Chris forwarded a patch for a netlink bug which could possibly be
causing the hang on 64-bit machines.
* Fri Jun 24 2005 David Woodhouse <dwmw2(a)redhat.com> audit.71
- Reduce loglevel of audit messages to KERN_NOTICE
- Netlink hashing fix forwarded by Chris
--
dwmw2
6:15 a.m.
On Sunday 26 June 2005 17:33, David Woodhouse wrote:
- Reduce loglevel of audit messages to KERN_NOTICE
The SE Linux guys say this would hurt their troubleshooting ability. On
shutdown, there are some AVC denial messages that they can get only by using
a serial console. We either need a configurable setting that auditctl can
adjust, or change the priority of only the user space messages.
-Steve
6:27 a.m.
On Mon, 2005-06-27 at 07:15 -0400, Steve Grubb wrote:
The SE Linux guys say this would hurt their troubleshooting ability.
On
shutdown, there are some AVC denial messages that they can get only by using
a serial console. We either need a configurable setting that auditctl can
adjust, or change the priority of only the user space messages.
It's already configurable.
dmesg -n 5
--
dwmw2
8:28 a.m.
On Mon, 2005-06-27 at 12:27 +0100, David Woodhouse wrote:
On Mon, 2005-06-27 at 07:15 -0400, Steve Grubb wrote:
> The SE Linux guys say this would hurt their troubleshooting ability. On
> shutdown, there are some AVC denial messages that they can get only by using
> a serial console. We either need a configurable setting that auditctl can
> adjust, or change the priority of only the user space messages.
It's already configurable.
dmesg -n 5
We want to be able to set the log level via kernel boot parameter, so
that we can see denials that occur during initialization. The avc used
to support setting the log level that it used in this manner, prior to
migrating to using the audit framework.
--
Stephen Smalley
National Security Agency
8:35 a.m.
On Mon, 2005-06-27 at 09:28 -0400, Stephen Smalley wrote:
We want to be able to set the log level via kernel boot parameter,
so
that we can see denials that occur during initialization. The avc used
to support setting the log level that it used in this manner, prior to
migrating to using the audit framework.
The kernel prints KERN_NOTICE messages during initialisation unless you
pass 'quiet' on the command line.
--
dwmw2
10:35 a.m.
On Monday 27 June 2005 09:35, David Woodhouse wrote:
The kernel prints KERN_NOTICE messages during initialisation unless
you
pass 'quiet' on the command line.
I was thinking about something more along these lines:
diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c 2005-06-27 09:55:55.000000000 -0400
+++ linux-2.6.9/kernel/audit.c 2005-06-27 09:54:00.000000000 -0400
@@ -928,14 +928,21 @@
if (!audit_rate_check()) {
audit_log_lost("rate limit exceeded");
} else {
+ struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
if (audit_pid) {
- struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
nlh->nlmsg_len = ab->skb->len - NLMSG_SPACE(0);
skb_queue_tail(&audit_skb_queue, ab->skb);
ab->skb = NULL;
wake_up_interruptible(&kauditd_wait);
} else {
- printk(KERN_NOTICE "%s\n", ab->skb->data +
NLMSG_SPACE(0));
+ if ((nlh->nlmsg_type >= AUDIT_FIRST_USER_MSG &&
+ nlh->nlmsg_type <= AUDIT_LAST_USER_MSG &&
+ nlh->nlmsg_type != AUDIT_USER_AVC) ||
+ nlh->nlmsg_type == AUDIT_LOGIN ||
+ nlh->nlmsg_type == AUDIT_USER)
+ printk(KERN_NOTICE "%s\n", ab->skb->data +
NLMSG_SPACE(0));
+ else
+ printk(KERN_ERR "%s\n", ab->skb->data +
NLMSG_SPACE(0));
}
}
audit_buffer_free(ab);
6:28 a.m.
On Sun, 2005-06-26 at 22:33 +0100, David Woodhouse wrote:
Chris forwarded a patch for a netlink bug which could possibly be
causing the hang on 64-bit machines.
I managed to reproduce the problem on PPC64 with audit.70, but not with
audit.71. The final version of the patch which went upstream was
slightly different, so I'll build a new RPM with that version.
--
dwmw2
10:36 a.m.
David Woodhouse wrote: [Mon Jun 27 2005, 07:28:22AM EDT]
On Sun, 2005-06-26 at 22:33 +0100, David Woodhouse wrote:
> Chris forwarded a patch for a netlink bug which could possibly be
> causing the hang on 64-bit machines.
I managed to reproduce the problem on PPC64 with audit.70, but not with
audit.71. The final version of the patch which went upstream was
slightly different, so I'll build a new RPM with that version.
I haven't been able to reproduce the hang on ia64 or x86_64 with
audit.71.
Amy
2:05 p.m.
On Mon, 2005-06-27 at 12:28 +0100, David Woodhouse wrote:
I managed to reproduce the problem on PPC64 with audit.70, but not
with audit.71. The final version of the patch which went upstream was
slightly different, so I'll build a new RPM with that version.
... and with S390 support re-enabled. Sorry, I disabled it at the last
minute because I noticed a queue of packages waiting for the errant S390
machines in the build system again, but forgot to note it in the
changelog when I did so.
--
dwmw2
7117
days inactive
7118
days old
linux-audit@lists.linux-audit.osci.io
9 comments
4 participants
participants (4)
-
Amy Griffis -
David Woodhouse -
Stephen Smalley -
Steve Grubb