2:07 p.m.
Hi,
I having troubles receiving events with the dispatcher in ubuntu-9.04.
I am just trying to use the rule
-a entry, always -S execve -S exit_group
I receive all the events in the audit.log, but not in the dispatcher.
I am using the dispatcher code in the auditd website.
I also using two threads where in one thread collects all the data and
the other thread does the parsing.
So there is no blocking and the queue is an unbounded concurrent queue.
I don't think there can't anything else done at the receiving end.
If anyone has faced something similar or have suggestions, please let
me know
Thanks
Vish
2:26 p.m.
On Wednesday 31 March 2010 03:07:59 pm Vishwanath Venkatesan wrote:
I having troubles receiving events with the dispatcher in
ubuntu-9.04.
What kind of trouble? Is the process running? Does strace show it doing
anything? If it is doing something, I'd add syslog calls to debug it.
-Steve
2:32 p.m.
The process is running, I get all the events in audit.log if I use
'RAW' mode,
I am losing events when using the dispatcher mode. (ex: there are 100
events to be received, I receive just 70)
Moreover there is no delay in the dispatcher's end as I have it
multithreaded.
I am using the skeleton code to receive events in the dispatcher.
- Vish
On Mar 31, 2010, at 3:26 PM, Steve Grubb wrote:
On Wednesday 31 March 2010 03:07:59 pm Vishwanath Venkatesan wrote:
> I having troubles receiving events with the dispatcher in
> ubuntu-9.04.
What kind of trouble? Is the process running? Does strace show it
doing
anything? If it is doing something, I'd add syslog calls to debug it.
-Steve
2:48 p.m.
On Wednesday 31 March 2010 03:32:33 pm Vishwanath Venkatesan wrote:
The process is running, I get all the events in audit.log if I use
'RAW' mode,
This only affects disk logging and has no effect on dispatching.
I am losing events when using the dispatcher mode. (ex: there are 100
events to be received, I receive just 70)
Is there anything in syslog from auditd? What is your priority boost in
auditd.conf and audispd.conf?
-Steve
2:56 p.m.
On Wednesday 31 March 2010 03:48:35 pm Steve Grubb wrote:
> I am losing events when using the dispatcher mode. (ex: there
are 100
> events to be received, I receive just 70)
Is there anything in syslog from auditd? What is your priority boost in
auditd.conf and audispd.conf?
Wait, you are writing a dispatcher...are you boosting your priority above
auditd? If not, you should probably increase it by at least 4. Your dispatcher
has to stay ahead of auditd.
-Steve
7:44 a.m.
On 31/03/10 20:56, Steve Grubb wrote:
Wait, you are writing a dispatcher...are you boosting your priority
above
auditd? If not, you should probably increase it by at least 4. Your dispatcher
has to stay ahead of auditd.
On a related note, has there been any more thought about loading
dispatchers into auditd itself as dynamic libraries? This would solve
this problem, and also the issue of accidentally writing a rule which is
triggered by a dispatcher, causing a DOS.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
8 a.m.
On Wednesday 07 April 2010 08:44:08 am Matthew Booth wrote:
On 31/03/10 20:56, Steve Grubb wrote:
> Wait, you are writing a dispatcher...are you boosting your priority above
> auditd? If not, you should probably increase it by at least 4. Your
> dispatcher has to stay ahead of auditd.
On a related note, has there been any more thought about loading
dispatchers into auditd itself as dynamic libraries?
Its been in the official TODO file for about 7-8 months. There just isn't any
time for me to work on it right now or for a few more months.
This would solve this problem,
This particular problem turned out to be a bad Ubuntu kernel. Everything works
as advertised when he switched to Fedora.
and also the issue of accidentally writing a rule which is
triggered by a dispatcher, causing a DOS.
-Steve
5372
days inactive
5379
days old
linux-audit@lists.linux-audit.osci.io
6 comments
3 participants
participants (3)
-
Matthew Booth -
Steve Grubb -
Vishwanath Venkatesan