[Thinlinc-technical] audit issue
vlad f halilov
vfh at swemel.ru
Tue Aug 5 16:49:42 CEST 2014
This did not call any visible problem without audit (just some higher
cpu usage and context switching, but user/admin can't see that without
load profiling). Problem appeared with auditd enabled, because this
activity produce many records in audit journal, that lead to free disk
space consumption. For example. system with two idle users generate
about ~1000 audit events/second like above (Every access to proc, cause
3 audit event in journal), that about 240K/sec free space out.
Below an strace block for Xvnc process, may be it help? There are two
'open' syscall to proc, after getsockopt.
...
select(256, [0 1 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 26 27 28 29 30 31 32 34 36 37], [30],
NULL, {39, 991000}) = 2 (in [0 36], left {39, 990992})
setitimer(ITIMER_REAL, {it_interval={0, 20000}, it_value={0, 20000}},
NULL) = 0
read(36, "\210\0\2\0\1\0\0\0", 4096) = 8
read(36, 0x16908e0, 4096) = -1 EAGAIN (Resource
temporarily unavailable)
writev(36,
[{"\1\1\6\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
32}], 1) = 32
setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
accept(0, {sa_family=AF_FILE, NULL}, [2]) = 33
fcntl(33, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(33, F_SETFL, O_RDWR|O_NONBLOCK) = 0
getsockopt(33, SOL_SOCKET, SO_PEERCRED, "g\n\0\0\364\1\0\0\364\1\0\0",
[12]) = 0
open("/proc/2663/cmdline", O_RDONLY) = 35
read(35, "metacity\0", 4097) = 9
close(35) = 0
select(256, [0 1 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 26 27 28 29 30 31 32 33 34 36 37], [30], NULL, {39, 981000}) = 4
(in [0 23 33 36], left {39, 980992})
setitimer(ITIMER_REAL, {it_interval={0, 20000}, it_value={0, 20000}},
NULL) = 0
read(23, "(\0\4\0|\315U\2\354\0\0\0\0\0\31\0", 4096) = 16
read(23, 0x1efeae0, 4096) = -1 EAGAIN (Resource
temporarily unavailable)
writev(23,
[{"\1\1\206\5\0\0\0\0\306\345\r\1\362\0Y\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0",
32}], 1) = 32
setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
accept(0, {sa_family=AF_FILE, NULL}, [2]) = 35
fcntl(35, F_GETFL) = 0x2 (flags O_RDWR)
fcntl(35, F_SETFL, O_RDWR|O_NONBLOCK) = 0
getsockopt(35, SOL_SOCKET, SO_PEERCRED, "\371F\0\0\364\1\0\0\364\1\0\0",
[12]) = 0
open("/proc/18169/cmdline", O_RDONLY) = 38
read(38, "/usr/bin/gpk-update-icon\0", 4097) = 25
close(38) = 0
select(256, [0 1 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 26 27 28 29 30 31 32 33 34 35 36 37], [30], NULL, {39, 966000}) =
4 (in [23 33 35 36], left {39, 965987})
...
> I have no experience in kernel auditing and my collegues who probably
> do are away on vacation at the moment.
> But as far as I can see, this is not an issue we have seen before. I do
> not know what can be causing it. Does these cmdline calls cause high
> load or any other problems?
>
> Regards,
--
vlad f halilov
swemel
More information about the Thinlinc-technical
mailing list