linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

Got tons of log lines in one second from one command #115

Closed Tu-114-s-undercarriage closed 5 years ago

Tu-114-s-undercarriage commented 5 years ago

At first, I checked the log with the cat command and it seemed normal. But once I used sudo aureport -x, it showed me tons of file access log lines like below:

57675. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802722
57676. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802723
57677. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802724
57678. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802725
57679. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802726
57680. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802727
57681. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802728
57682. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802729
57683. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802730
57684. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802731
57685. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802732
57686. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802733
57687. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802734
57688. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802735
57689. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802736
57690. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802737
57691. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802738
57692. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802739
57693. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802740
57694. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802741
57695. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802742
57696. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802743
57697. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802744
57698. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802745
57699. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802746
57700. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802747
57701. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802748
57702. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802749
57703. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802750
57704. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802751
57705. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802752
57706. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802753
57707. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802754
57708. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802755
57709. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802756
57710. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802757
57711. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802758
57712. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802759
57713. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802760
57714. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802761
57715. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802762
57716. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802763
57717. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802764
57718. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802765
57719. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802766
57720. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802767
57721. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802768
57722. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802769
57723. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802770
57724. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802771
57725. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802772
57726. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802773
57727. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802774
57728. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802775
57729. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802776
57730. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802777
57731. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802778
57732. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802779
57733. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802780
57734. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802781
57735. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802782
57736. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802783
57737. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802784
57738. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802785
57739. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802786
57740. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802787

Every line has the same record, and there are more than 60,000 lines; I stopped it with ^C.

rgbriggs commented 5 years ago

On 2019-05-24 02:09, Tu-114-s-undercarriage wrote:

At first, I checked the log with the cat command and it seemed normal. But once I used sudo aureport -x, it showed me tons of file access log lines like below:

Given that the log file (I assume you did "cat /var/log/audit/audit.log"?) seems normal, then this appears to be a userspace problem and not a kernel issue, which should be filed:

https://github.com/linux-audit/audit-userspace

57675. 05/24/2019 08:29:21 /sbin/aureport pts2 ? 1001 802722
...
Tu-114-s-undercarriage commented 5 years ago

The log file also fills with these logs in a moment. I'm using the default audit settings, so at most 5 files will be persisted, 8MB each.

Tu-114-s-undercarriage commented 5 years ago

I think the audit kernel shouldn't log it so many times.

rgbriggs commented 5 years ago

On 2019-05-29 00:05, Tu-114-s-undercarriage wrote:

I think the audit kernel shouldn't log it so many times.

As I said, from the information you have provided, it looks like a userspace issue and not kernel since the log file does not show the problem.

WOnder93 commented 5 years ago

The kernel logs what it is configured to log by the rules on your system (/etc/audit/audit.rules + /etc/audit/rules.d/*). If you think it is logging too much, you need to examine the records in the log and add exclude filter rules for the kinds of records that you don't care about.
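
WOnder93's advice is to look at which records dominate the log and then filter them. The Python below is an added example, not code from this issue or from the linux-audit project: it parses raw /var/log/audit/audit.log records (the sample lines are constructed to mimic the reporter's aureport entries; the rule key "audit-log-read", the vim event and all pids/inodes are assumptions), groups records into events by serial number, counts events per executable and rule key, reports the peak events-per-second, and prints the `-a never,exit -F exe=...` rules that would silence the top offenders.

```python
"""Triage a noisy audit.log: which executable / rule key produces the most
events, how bursty it is, and which 'never' rules would silence it.

Added example for this thread, not linux-audit project code.  The records
below are constructed; the key "audit-log-read" and the vim event are
assumptions, not data from the issue.
"""
import re
from collections import Counter, defaultdict

# Constructed raw audit.log records (not copied from the issue).  Four events
# come from aureport reading the audit log, one from vim touching /etc/passwd.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1558679361.101:802722): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=pts2 ses=7 comm="aureport" exe="/sbin/aureport" key="audit-log-read"
type=PATH msg=audit(1558679361.101:802722): item=0 name="/var/log/audit/audit.log" inode=131 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1558679361.102:802723): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=pts2 ses=7 comm="aureport" exe="/sbin/aureport" key="audit-log-read"
type=PATH msg=audit(1558679361.102:802723): item=0 name="/var/log/audit/audit.log.1" inode=132 dev=fd:01 mode=0100400 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1558679361.103:802724): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=pts2 ses=7 comm="aureport" exe="/sbin/aureport" key="audit-log-read"
type=PATH msg=audit(1558679361.103:802724): item=0 name="/var/log/audit/audit.log.2" inode=133 dev=fd:01 mode=0100400 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1558679361.104:802725): arch=c000003e syscall=257 success=yes exit=3 ppid=4100 pid=4101 auid=1001 uid=0 gid=0 euid=0 tty=pts2 ses=7 comm="aureport" exe="/sbin/aureport" key="audit-log-read"
type=PATH msg=audit(1558679361.104:802725): item=0 name="/var/log/audit/audit.log.3" inode=134 dev=fd:01 mode=0100400 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1558679300.500:802600): arch=c000003e syscall=257 success=yes exit=3 ppid=3000 pid=3001 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=6 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1558679300.500:802600): item=0 name="/etc/passwd" inode=262 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# "type=X msg=audit(SECONDS.MILLIS:SERIAL): rest" is the on-disk record header.
RECORD_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one raw record into type, timestamp, serial and a field dict."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'type': m.group('type'), 'ts': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def group_events(text):
    """All records sharing a serial number belong to one audit event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']].append(rec)
    return events


def summarize(text):
    """Count events per (exe, key), taken from each event's SYSCALL record."""
    counts = Counter()
    for recs in group_events(text).values():
        sysc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if sysc is None:
            continue
        f = sysc['fields']
        counts[(f.get('exe', '?'), f.get('key', '(null)'))] += 1
    return counts


def peak_rate(text):
    """Return (epoch_second, event_count) for the busiest second in the log."""
    per_second = Counter(int(recs[0]['ts']) for recs in group_events(text).values())
    return per_second.most_common(1)[0]


def suggest_rules(counts, min_events):
    """Propose a 'never' rule for every executable producing >= min_events.

    Filtering on the exe field needs Linux 4.3 or later, and a never rule only
    takes effect if it is listed before the always/watch rules it should
    override, so put these at the top of /etc/audit/rules.d/*.rules.
    """
    rules = []
    for (exe, _key), n in counts.most_common():
        if n < min_events:
            break
        rules.append(f'-a never,exit -F exe={exe}')
    return rules


if __name__ == '__main__':
    counts = summarize(SAMPLE_LOG)
    for (exe, key), n in counts.most_common():
        print(f'{n:6d}  exe={exe}  key={key}')
    print('peak events in one second:', peak_rate(SAMPLE_LOG))
    for rule in suggest_rules(counts, min_events=3):
        print('suggested rule:', rule)
```

Run it against a real log with `sudo python3 triage.py < /var/log/audit/audit.log` after swapping SAMPLE_LOG for stdin. Before adopting a suggested rule, check with `auditctl -l` that it sits above the watch rule generating the records, and weigh what you lose: a `never` rule keyed on `exe=/sbin/aureport` also hides any other use of that binary, and the exe path is only as trustworthy as the file system it lives on.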

pcmoore commented 5 years ago

I agree with @rgbriggs and @WOnder93 that this isn't a kernel bug; I'm going to close this out for now. @Tu-114-s-undercarriage if you find more information that points to a specific kernel bug and have a reproducer, please feel free to reopen this issue.