https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229380
Bug ID: 229380
Summary: auditd(8) doesn't reap children until startup is
complete
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
On startup, auditd(8) expires any audit trails that satisfy the criteria for
expiration. It logs each expiration not using syslog(3), but by executing the
script /etc/security/audit_warn. However, it does not attempt to reap any of
its children until it enters the main loop. This is a problem if there are
thousands of audit trail files, as it can quickly hit kern.maxproc. That can
easily lock up the system if the admin cannot kill auditd. I've seen it happen
3 times (I have a lot of audit trail files because I'm working on the audit(4)
test suite).
A simple solution would be to use system(3) instead of fork(2)/execve(2) to
execute /etc/security/audit_warn. However, this would cause a slight delay,
which could conceivably result in audit records being dropped, especially if
/etc/security/audit_warn does something slow, like pipe over the network. A
subtler solution would be to call auditd_reap_children in the loop in
auditd_expire_trails, if sigchlds gets too high. Or, have a "startup mode",
which uses system(3) to fix the kern.maxproc problem, but fork/execve for lower
latency after startup is complete.
--
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
