On Wed, Feb 23, 2022 at 4:41 AM Gaosheng Cui <[email protected]> wrote:
>
> When an admin enables audit at early boot via the "audit=1" kernel
> command line, netlink send errors seen will cause the audit subsystem
> to drop some records or return records to the queue. And all records
> will be printed via printk() in the kauditd_hold_skb(), but actually
> only the records that will be dropped need to be printed via printk().
>
> Signed-off-by: Gaosheng Cui <[email protected]>
> ---
>  kernel/audit.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

When records are moved to the hold queue the system is in a bad state
so printing the record via printk() regardless of if the record is
able to be successfully queued or dropped is important. If this is
happening frequently on your system, this is likely a sign your system
is misconfigured.

--
paul-moore.com

--
Linux-audit mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/linux-audit
