[ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation

2015-10-22 Thread Richard Guy Briggs
Add a /proc/audit entry for debugging to instrument many audit subsystem internal parameters not normally visible. Signed-off-by: Richard Guy Briggs --- include/linux/skbuff.h | 16 kernel/audit.c | 48 2 files changed

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Paul Moore
On Wed, Oct 21, 2015 at 8:35 PM, Scott Matheina wrote: > Thanks for the feedback. I'll resubmit. Now I get to figure out how to > resubmit a patch with changes, so a good > learning experience for me. Pure Hobbyist at this time, but I love to learn. If you haven't already, go read Documentation/

Re: BSides Portland - The Linux Audit Framework

2015-10-22 Thread Paul Moore
On Thu, Oct 22, 2015 at 11:53 AM, Smith, Gary R wrote: > Hello All, > > I was at the BSides Portland security conference last weekend and I gave a > presentation called “The Linux Audit Framework” there. I have put up the > slides from the presentation on slideshare. I have also put up a file that

Re: [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config

2015-10-22 Thread Richard Guy Briggs
On 15/10/22, Steve Grubb wrote: > On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote: > > Debug the possibility of systemd changing the audit config causing > > shutdown delays by blocking all such requests. > > I don't understand what you are saying here. As long as something some

[ARCHIVE DEBUG 12/13] audit_debug: list processes and frequencies waiting for auditd

2015-10-22 Thread Richard Guy Briggs
Debug to list each process, its first call time and how many times it is called while waiting for auditd upon queue overflow. It is reported and cleared when the queue is drained sufficiently to clear the condition. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 32 +++

[ARCHIVE DEBUG 05/13] audit_debug: proc debug output easier to paste

2015-10-22 Thread Richard Guy Briggs
Convert /proc/audit debug output from label-value per line to one title line with one output line. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 75 ++-- 1 files changed, 51 insertions(+), 24 deletions(-) diff --git a/kernel/audit.c

[RFC PATCH 0/7] audit: clean up audit queue handling

2015-10-22 Thread Richard Guy Briggs
This set of patches cleans up a number of corner cases in the management of the audit queue. Richard Guy Briggs (7): audit: don't needlessly reset valid wait time audit: include auditd's threads in audit_log_start() wait exception audit: allow systemd to use queue reserves audit: wake up t

Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves

2015-10-22 Thread Richard Guy Briggs
On 15/10/22, Steve Grubb wrote: > On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote: > > Treat systemd the same way as auditd, allowing it to overrun the queue to > > avoid blocking. > > Do you mind explaining this a little more? I'm having a hard time > understanding how systemd

Re: [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation

2015-10-22 Thread Richard Guy Briggs
On 15/10/22, Steve Grubb wrote: > What are the permissions on this? Who can view it? proc_create() was called with mode 0, so I'm guessing it is 777. Actually, it is 444. That should be changed to 400 (S_IRUSR) for use on a system that matters, but again, this is a debug patch set giving internal

Re: [RFC PATCH 3/7] audit: allow systemd to use queue reserves

2015-10-22 Thread Steve Grubb
On Thursday, October 22, 2015 02:53:16 PM Richard Guy Briggs wrote: > Treat systemd the same way as auditd, allowing it to overrun the queue to > avoid blocking. Do you mind explaining this a little more? I'm having a hard time understanding how systemd is involved. -Steve > Signed-off-by: Rich

Re: [ARCHIVE DEBUG 03/13] audit_debug: proc instrumentation

2015-10-22 Thread Steve Grubb
What are the permissions on this? Who can view it? -Steve On Thursday, October 22, 2015 02:58:49 PM Richard Guy Briggs wrote: > Add a /proc/audit entry for debugging to instrument many audit subsystem > internal parameters not normally visible. > > Signed-off-by: Richard Guy Briggs > --- > incl

Re: [ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config

2015-10-22 Thread Steve Grubb
On Thursday, October 22, 2015 02:58:52 PM Richard Guy Briggs wrote: > Debug the possibility of systemd changing the audit config causing > shutdown delays by blocking all such requests. I don't understand what you are saying here. As long as something something has CAP_AUDIT_CONTROL, it can make

[ARCHIVE DEBUG 00/13] audit_debug: diagnostics for audit internal workings

2015-10-22 Thread Richard Guy Briggs
A number of diagnostic patches including a /proc/audit* interface to get a better view of what is happening with what frequency in the audit queue code. Richard Guy Briggs (13): audit_debug: set reserve to same size as backlog audit_debug: squawk when digging into reserve audit_debug: proc

[ARCHIVE DEBUG 13/13] audit_debug: print inode nr for each path when listing exe rules

2015-10-22 Thread Richard Guy Briggs
Debug to list inode number and path for each audit watch when audit watch rules are listed. Signed-off-by: Richard Guy Briggs --- kernel/audit.h |2 ++ kernel/audit_fsnotify.c |5 + kernel/auditfilter.c|1 + 3 files changed, 8 insertions(+), 0 deletions(-) diff --gi

[ARCHIVE DEBUG 06/13] audit_debug: don't let systemd change config

2015-10-22 Thread Richard Guy Briggs
Debug the possibility of systemd changing the audit config causing shutdown delays by blocking all such requests. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 14 -- 1 files changed, 8 insertions(+), 6 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 30b3b

[ARCHIVE DEBUG 08/13] audit_debug: separate out audit_titles in proc display

2015-10-22 Thread Richard Guy Briggs
Format debugging output in /proc/audit to separate titles and data output to one line each in /proc/audit and /proc/audit_titles. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 20 ++-- 1 files changed, 18 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/ker

[ARCHIVE DEBUG 04/13] audit_debug: add /proc counters for overflows, waiters, recovers, reserves

2015-10-22 Thread Richard Guy Briggs
Add counters to /proc/audit to instrument the wait_for_auditd condition. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 24 1 files changed, 24 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 82df9fd..ffdec0c 100644 --- a/kerne

[ARCHIVE DEBUG 11/13] audit_debug: instrument audit_receive timing

2015-10-22 Thread Richard Guy Briggs
Debug the timing and stalling of calls to audit_receive() for processes we care about. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 9e9c02b..76b6878 100644 --- a

[ARCHIVE DEBUG 10/13] audit_debug: bark on impossible reserve process conditions in while loop

2015-10-22 Thread Richard Guy Briggs
Debug the expected impossibility of the audit_backlog_queue reserve being used up. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 12 1 files changed, 12 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index d6f4763..9e9c02b 100644 --- a/kernel/

[ARCHIVE DEBUG 01/13] audit_debug: set reserve to same size as backlog

2015-10-22 Thread Richard Guy Briggs
Debug the unlikely possibility that the audit_backlog_limit reserve is being overflowed too. Make the reserve proportional to the backlog limit. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/audit.c b/kern

[ARCHIVE DEBUG 07/13] audit_debug: instrument audit_cmd_mutex contention

2015-10-22 Thread Richard Guy Briggs
Debug contention for the audit_cmd_mutex including timing, stalling and identities of holder and requestor. Signed-off-by: Richard Guy Briggs --- kernel/audit.c | 18 +- 1 files changed, 17 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 93a466b.

[ARCHIVE DEBUG 09/13] netlink_debug: instrument timing of calls by init/systemd or audit_pid

2015-10-22 Thread Richard Guy Briggs
Debug the timing and stalling of calls to netlink_sendmsg() for processes we care about with any error return values. Signed-off-by: Richard Guy Briggs --- net/netlink/af_netlink.c | 16 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/net/netlink/af_netlink.c b

[ARCHIVE DEBUG 02/13] audit_debug: squawk when digging into reserve

2015-10-22 Thread Richard Guy Briggs
Debug when audit_backlog_limit reserves are used for bypassing the queue limits by listing timing, process and queue length. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |8 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index

[RFC PATCH 3/7] audit: allow systemd to use queue reserves

2015-10-22 Thread Richard Guy Briggs
Treat systemd the same way as auditd, allowing it to overrun the queue to avoid blocking. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 3917aad..384a1a1 100644 --- a/kernel/audi

[RFC PATCH 5/7] audit: allow audit_cmd_mutex holders to use reserves

2015-10-22 Thread Richard Guy Briggs
If we hold the audit_cmd_mutex, we should never sleep waiting for auditd to drain the queue since auditd may need the mutex to shut down. This was first implemented with mutex_trylock(), but since audit_log_start() can be called in softirq context, that won't work. Next, owner_running() was used t

[RFC PATCH 2/7] audit: include auditd's threads in audit_log_start() wait exception

2015-10-22 Thread Richard Guy Briggs
Should auditd spawn threads, allow all members of its thread group to use the audit_backlog_limit reserves to bypass the queue limits too. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.

[RFC PATCH 1/7] audit: don't needlessly reset valid wait time

2015-10-22 Thread Richard Guy Briggs
After auditd has recovered from an overflowed queue, the first process that doesn't use reserves to make it through the queue checks should reset the audit backlog wait time to the configured value. After that, there is no need to keep resetting it. Signed-off-by: Richard Guy Briggs --- kernel/

[RFC PATCH 7/7] audit: wake up kauditd_thread after auditd registers

2015-10-22 Thread Richard Guy Briggs
When auditd is restarted, even though the kauditd_thread is present, it remains dormant until the next audit log message is queued. Wake up the kauditd_thread in the kauditd_wait queue immediately when auditd registers its availability to drain the queue. Signed-off-by: Richard Guy Briggs --- k

[RFC PATCH 6/7] audit: wake up audit_backlog_wait queue when auditd goes away.

2015-10-22 Thread Richard Guy Briggs
When auditd goes away (died, killed or shutdown, or net namespace shut down), there is no point in sleeping waiting for auditd to drain the queue since that message would be destined for the hold queue after the timeout anyways. This will needlessly have those processes wait the full default timeo

[RFC PATCH 4/7] audit: wake up threads if queue switched from limited to unlimited

2015-10-22 Thread Richard Guy Briggs
If the audit_backlog_limit is changed from a limited value to an unlimited value (zero) while the queue was overflowed, wake up the audit_backlog_wait queue to allow those processes to continue. Signed-off-by: Richard Guy Briggs --- kernel/audit.c |3 ++- 1 files changed, 2 insertions(+), 1

BSides Portland - The Linux Audit Framework

2015-10-22 Thread Smith, Gary R
Hello All, I was at the BSides Portland security conference last weekend and I gave a presentation called “The Linux Audit Framework” there. I have put up the slides from the presentation on slideshare. I have also put up a file that implements the Center for Internet Security RHEL 6 Benchmark

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Richard Guy Briggs
On 15/10/21, Scott Matheina wrote: > On 10/21/2015 09:15 PM, Richard Guy Briggs wrote: > > On 15/10/21, Scott Matheina wrote: > >> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote: > >>> On 15/10/21, Joe Perches wrote: > On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote: > > On 1

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Scott Matheina
On 10/21/2015 10:33 AM, Richard Guy Briggs wrote: > On 15/10/21, Joe Perches wrote: >> On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote: >>> On 15/10/18, Scott Matheina wrote: On 10/14/2015 04:54 PM, Paul Moore wrote: > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Scott Matheina
On 10/21/2015 09:15 PM, Richard Guy Briggs wrote: > On 15/10/21, Scott Matheina wrote: >> On 10/21/2015 10:33 AM, Richard Guy Briggs wrote: >>> On 15/10/21, Joe Perches wrote: On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote: > On 15/10/18, Scott Matheina wrote: >> On 10/1

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Scott Matheina
On 10/21/2015 01:23 PM, Paul Moore wrote: > On Sunday, October 18, 2015 12:50:45 PM Scott Matheina wrote: >> On 10/14/2015 04:54 PM, Paul Moore wrote: >>> On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote: Signed-off-by: Scott Matheina --- kernel/auditfilter.c |

Re: [PATCH 2/2] Fixed Trivial Warnings in file: Deleted Spaces prior to tabs, and added lines. modified: kernel/auditfilter.c

2015-10-22 Thread Joe Perches
On Mon, 2015-10-19 at 12:10 -0400, Richard Guy Briggs wrote: > On 15/10/18, Scott Matheina wrote: > > On 10/14/2015 04:54 PM, Paul Moore wrote: > > > On Saturday, October 10, 2015 08:57:55 PM Scott Matheina wrote: [] > > >> diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c [] > > >> @@ -109,