linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

auditd memory leak #130

Closed Nick-0314 closed 3 years ago

Nick-0314 commented 3 years ago

My environment:
CPU: Kunpeng 910
arch: aarch64
system: Kylin Linux Advanced Server release V10 (Tercel)
kernel: 4.19.90-23.6.v2101.ky10.aarch64

auditd version:
audit-libs-3.0-5.se.06.ky10.aarch64
audit-3.0-5.se.06.ky10.aarch64
python3-audit-3.0-5.se.06.ky10.aarch64

Auditd uses an increasing amount of memory

dmesg:
[2358791.243830] audit: type=1305 audit(1624265846.064:245837): audit_pid=0 old=1143857 auid=4294967295 ses=4294967295 res=1
[2358791.256815] audit: type=1131 audit(1624265846.074:245838): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[2358791.328435] audit: type=1305 audit(1624265846.154:245839): audit_enabled=1 old=1 auid=4294967295 ses=4294967295 res=1
[2358791.333944] audit: type=1305 audit(1624265846.154:245840): audit_pid=1275570 old=0 auid=4294967295 ses=4294967295 res=1

audit log:
type=NETFILTER_CFG msg=audit(1624410740.017:257002): table=filter family=2 entries=1821
type=SYSCALL msg=audit(1624410740.017:257002): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=fffd30290010 items=0 ppid=108096 pid=3965028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/usr/sbin/xtables-legacy-multi" key=(null)
type=PROCTITLE msg=audit(1624410740.017:257002): proctitle=69707461626C65732D726573746F7265002D770035002D2D6E6F666C757368002D2D636F756E74657273
type=NETFILTER_CFG msg=audit(1624410740.037:257003): table=nat family=2 entries=1575
type=SYSCALL msg=audit(1624410740.037:257003): arch=c00000b7 syscall=208 success=yes exit=0 a0=4 a1=0 a2=40 a3=aaadea0c1700 items=0 ppid=108096 pid=3965028 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables-restor" exe="/usr/sbin/xtables-legacy-multi" key=(null)
type=PROCTITLE msg=audit(1624410740.037:257003): proctitle=69707461626C65732D726573746F7265002D770035002D2D6E6F666C757368002D2D636F756E74657273
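As an added example (not part of the original thread and not code from the audit project), this Python snippet parses audit.log records of the form quoted in the report, groups them by event serial, and decodes the hex-encoded PROCTITLE value to show which command line produced the NETFILTER_CFG events. The function names are hypothetical, and the sample input is copied from the log above with the SYSCALL record shortened.

```python
import re
from collections import defaultdict

# Sample input: records copied from the audit log quoted in the report
# (SYSCALL record shortened; this is illustrative input, not a live log).
SAMPLE = "\n".join([
    "type=NETFILTER_CFG msg=audit(1624410740.017:257002): table=filter family=2 entries=1821",
    'type=SYSCALL msg=audit(1624410740.017:257002): arch=c00000b7 syscall=208 success=yes '
    'exit=0 items=0 ppid=108096 pid=3965028 auid=4294967295 uid=0 tty=(none) '
    'comm="iptables-restor" exe="/usr/sbin/xtables-legacy-multi" key=(null)',
    "type=PROCTITLE msg=audit(1624410740.017:257002): proctitle="
    "69707461626C65732D726573746F7265002D770035002D2D6E6F666C757368002D2D636F756E74657273",
    "type=NETFILTER_CFG msg=audit(1624410740.037:257003): table=nat family=2 entries=1575",
])

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(raw):
    """Return argv. A quoted value is plain text; an unquoted one is hex
    with NUL bytes separating the arguments."""
    if raw.startswith('"'):
        return [raw.strip('"')]
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return [raw]  # not valid hex: keep the value untouched
    return [arg.decode("utf-8", "replace") for arg in data.split(b"\x00") if arg]

def parse_record(line):
    """Parse one audit.log line into type, timestamp, serial and fields."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, raw in FIELD.findall(body):
        if key == "proctitle":
            fields["argv"] = decode_proctitle(raw)
        fields[key] = raw.strip('"')
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}

def group_events(text):
    """Group records that share a serial number into one event."""
    events = defaultdict(dict)
    for rec in filter(None, map(parse_record, text.splitlines())):
        events[rec["serial"]][rec["type"]] = rec["fields"]
    return dict(events)
```
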

rgbriggs commented 3 years ago

On 2021-06-22 18:12, mytting wrote:

> Auditd uses an increasing amount of memory

Maybe I'm missing something, but what makes you say that?

Would this be userspace, or kernel that is leaking? If it is auditd, then this issue should be closed and it should be filed against https://github.com/linux-audit/audit-userspace