Just flushing the rules (auditctl -D) would cause my ubuntu machine running a 2.6.38 kernel to oops fairly regularly, maybe one in five times. This was especially painful when testing new rules.
On Wed, Jan 25, 2012 at 8:45 AM, Valentin Avram <[email protected]> wrote: > Hello. > > Did anybody ever experience kernel oopses and even kernel crashes (after a > while), by just restarting repeatedly the auditd daemon? > > I ask this because i had this problem on Dell R610 servers running Gentoo > Linux kernels gentoo-sources-3.0.6 and gentoo-sources-2.6.37-r4 (see this > bug: https://bugs.gentoo.org/show_bug.cgi?id=389405 ). > > The kernels are nothing special, just the vanilla 2.6.37 and 3.0.6 with a > few gentoo patches (see https://lkml.org/lkml/2011/11/28/330 ). > > The auditd version is 2.1.3 (latest). The audit.rules file contains > basically the following rules: > > -D > -w /etc -p wa -k etc-directory > [snip: same for /sbin, /bin, /usr/sbin, /usr/bin] > -a exit,never -F dir=/lib/rc -k skip-lib-rc > -w /lib -p wa -k lib-directory > -w /usr/lib -p wa -k usr-lib-directory > -a exit,never -F arch=b32 -S read [snip: -S for write,open,fstat,mmap etc.] > -k excluded-syscalls > -b 8192 > > The bug seems to be somewhere in the fsnotify kernel part, however Gentoo > kernel devs and ppl on lkml did not seem too interested, so.. did anybody > notice a similar behaviour? Or better yet, is anybody willing to run on one > of your servers this simple test: start the minimum server services, use a > similar audit.rules configuration, then start auditd and run in a shell the > following one-liner: > > while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/init.d/auditd start ; > sleep 5 ; done > > This was enough to oops and crash the kernel in less than one hour on the > servers where i did the tests. If any similar behavior happens, i'd be very > interested to know the the kernel version and distro. > > Thank you for your time. > > > -- > Linux-audit mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/linux-audit -- Peter Moody Google 1.650.253.7306 Security Engineer pgp:0xC3410038 -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
