3:33 p.m.
These are the files for the stress test, cleaned up to remove LTP
dependencies.
(See attached file: test.conf)(See attached file: test1.c)(See attached
file: test2.c)(See attached file: test3.c)(See attached file: test3.sh)
4:26 p.m.
>> I'm curious because on my system, I can lose audit
records without much load
>> at all, but I'm running the default auditd.conf.
What version are you using and what is your priority_boost setting?
I'm using the 0.7.3-1 user-space tools and the .28 kernel. I'm using
the default auditd.conf file, which has priority_boost = 3.
I was doing something a bit unusual. I was running some manual tests
with audit rules that audit all syscalls with my uid and it was working
fine until I forgot to turn it off before locking my X session. At
that point, the screen saver did stuff like close every possible
file descriptor, as far as I can tell from the log, so between locking
the session and restarting it, I lost hundreds of records.
I can usually, but not always, reproduce record loss with a program
similar to one of Kris' tests, but with fewer than 200 iterations.
I haven't tried fooling with the auditd.conf parameters yet, so I
was curious about the stress.conf file.
-- ljk
4:34 p.m.
* Linda Knippers (linda.knippers(a)hp.com) wrote:
I can usually, but not always, reproduce record loss with a program
similar to one of Kris' tests, but with fewer than 200 iterations.
I haven't tried fooling with the auditd.conf parameters yet, so I
was curious about the stress.conf file.
I always get drops with the following simple setup (default auditd.conf):
$ sudo auditctl -a entry,always -S open -F uid=23
$ sudo -u '#23' bash
$ while :; do < /dev/null; done
It's pathological, but always overloads the system which is useful for
testing.
thanks,
-chris
10:09 a.m.
On Thursday 05 May 2005 17:34, Chris Wright wrote:
I always get drops with the following simple setup (default
auditd.conf):
<snip>
It's pathological, but always overloads the system which is
useful for
testing.
FWIW, I ran this for hours and had no lost messages. I tested with a backlog
of 1024 & priority_boost of 3.
-Steve
10:52 a.m.
* Steve Grubb (sgrubb(a)redhat.com) wrote:
On Thursday 05 May 2005 17:34, Chris Wright wrote:
> I always get drops with the following simple setup (default auditd.conf):
<snip>
> It's pathological, but always overloads the system which is useful for
> testing.
FWIW, I ran this for hours and had no lost messages. I tested with a backlog
of 1024 & priority_boost of 3.
Good to know. I've always left the backlog at 64 (but then again, I was
usually trying to trigger the overflow).
thanks,
-chris
11:22 a.m.
auditctl -b 1024
linux-audit-bounces(a)redhat.com wrote on 05/06/2005 11:06:54 AM:
> > FWIW, I ran this for hours and had no lost messages. I
tested
with a backlog
> > of 1024 & priority_boost of 3.
>
How do you set backlog? Is the default 64? For the evaluation
should our configuration script change it to 1024? Thanks!
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
11:39 a.m.
On Friday 06 May 2005 12:06, Kris Wilson wrote:
How do you set backlog?
-b 1024 in /etc/audit.rules
Is the default 64?
Yes.
For the evaluation should our configuration script change it to
>1024?
That depends. If you are testing what actions occur when messages are dropped,
you want to set it lower. For normal operation, you will want to set it
higher.
I was thinking that we need some kind of load test to tune the number with.
The combination of priority & backlog will need to be set depending on:
expected load, audit rules, the speed of the CPU, and the slowness of the
disk.
During normal operations, events pile up. When the audit daemon gets its time
slice, it drains the queue quickly. Then events pile up again. Lengthening
the queue lets you run the system through bursts of activity without losing a
record. The fundamental question is how long should I make the queue?
The answer I think is based on how often the audit daemon runs and how many
events can pile up in the interim. The audit daemon must get enough time
slices that the queue is sitting at 0 nearly anytime you check. If the
backlog value starts creeping up, the audit daemon is losing the race and
needs more priority.
I almost think this needs a utility to help tune it. If a system has a fast
CPU, it could generate more events than a slower CPU. If the disk is slow, we
can't dispatch events as fast and that needs to be accounted for.
-Steve
4:42 p.m.
On Thursday 05 May 2005 17:26, Linda Knippers wrote:
I'm using the 0.7.3-1 user-space tools and the .28 kernel.
I'm using
the default auditd.conf file, which has priority_boost = 3.
OK. I put -b 1024 in the /etc/audit.rules file. 64 backlog slots is the norm -
this doesn't give you any headroom for stressful times.
-Steve
4:57 p.m.
linux-audit-bounces(a)redhat.com wrote on 05/05/2005 04:06:56 PM:
What does your stress.conf file look like? I'm curious because
on
my system, I can lose audit records without much load at all, but
I'm running the default auditd.conf.
-- ljk
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = DATA
freq = 0
num_logs = 3
max_log_file = 4
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
7169
days inactive
7170
days old
linux-audit@lists.linux-audit.osci.io
11 comments
5 participants
participants (5)
-
Chris Wright -
Debora Velarde -
Kris Wilson -
Linda Knippers -
Steve Grubb