linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: lost events during boot #38

Closed stevegrubb closed 6 years ago

stevegrubb commented 7 years ago

When booting with audit_backlog_limit=8192, as soon as I log in and run "auditctl -s", I can see I've lost 73 events. Then I run "aureport --start boot" and I see 644 total events. This is nowhere near the 8192 limit that I asked for, meaning that events should not be lost when the total is far less than the limit where it would have overflowed the queue. There is also no message in syslog saying that events were lost and a reason.

This was noticed on a 4.9.x kernel.

stevegrubb commented 7 years ago

# uname -r
4.9.13-101.fc24.x86_64

pcmoore commented 7 years ago

Mailing list discussion: https://www.redhat.com/archives/linux-audit/2017-March/msg00100.html

pcmoore commented 7 years ago

Upstream RFC patch: https://www.redhat.com/archives/linux-audit/2017-March/msg00114.html

pcmoore commented 7 years ago

@stevegrubb do you still see this on v4.11 kernels?

pcmoore commented 7 years ago

For the record, I believe this was fixed in 5b52330bbfe63b3305765354d6046c9f7f89c011.

pcmoore commented 6 years ago

I'm going to close this now; if anyone notices that this is still a problem, feel free to re-open or create a new issue.

stevegrubb commented 6 years ago

I'm not seeing lost events on 4.14.
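
The comparison made in the original report (lost count from "auditctl -s" against the event total from "aureport --start boot" and the configured backlog limit) can be scripted as a post-boot check. This is an added example, not code from the thread or the audit project; the function names and return codes are assumptions, and the sample status text is constructed from the numbers in the report.

```shell
#!/bin/sh
# Added example: flag audit events that were lost although the backlog
# queue cannot plausibly have overflowed (the symptom in this issue).

# Constructed sample in the "key value" form printed by `auditctl -s`.
# 8192 and 73 come from the report; the other fields are illustrative.
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 73
backlog 0
backlog_wait_time 60000'

# status_field NAME: read status text on stdin, print the value of NAME.
# Exits non-zero when the field is absent.
status_field() {
    awk -v k="$1" '$1 == k { print $2; found = 1; exit }
                   END { if (!found) exit 1 }'
}

# check_lost STATUS_TEXT TOTAL_EVENTS
#   0 = nothing lost
#   1 = events lost, recorded + lost reaches backlog_limit (overflow possible)
#   2 = events lost, recorded + lost is below backlog_limit (unexplained loss)
#   3 = input could not be parsed
# Coarse check only: the backlog counts records, and one event can span
# several records.
check_lost() {
    lost=$(printf '%s\n' "$1" | status_field lost) || return 3
    limit=$(printf '%s\n' "$1" | status_field backlog_limit) || return 3
    total=$2
    for v in "$lost" "$limit" "$total"; do
        case "$v" in ''|*[!0-9]*) return 3 ;; esac
    done
    [ "$lost" -eq 0 ] && return 0
    if [ $((total + lost)) -lt "$limit" ]; then
        echo "lost=$lost, recorded=$total, backlog_limit=$limit: loss without overflow" >&2
        return 2
    fi
    echo "lost=$lost, recorded=$total, backlog_limit=$limit: overflow possible" >&2
    return 1
}

# Run against the constructed sample with the 644 events from the report.
check_lost "$SAMPLE_STATUS" 644 || echo "check_lost returned $?"
```

On a live system, pass the output of "auditctl -s" as the first argument and the event total reported by "aureport --start boot" as the second.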