lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHC9VhQhMG0YFYUQvn=2tYab-UwVjOWxAK9h-DA9=GCvzhRAHg@mail.gmail.com>
Date:   Wed, 23 Feb 2022 17:00:15 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Gaosheng Cui <cuigaosheng1@...wei.com>
Cc:     eparis@...hat.com, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org, wangweiyang2@...wei.com,
        xiujianfeng@...wei.com
Subject: Re: [PATCH -next] audit: only print records that will be dropped via printk()

On Wed, Feb 23, 2022 at 4:41 AM Gaosheng Cui <cuigaosheng1@...wei.com> wrote:
>
> When an admin enables audit at early boot via the "audit=1" kernel
> command line, netlink send errors seen will cause the audit subsystem
> to drop some records or return records to the queue. And all records
> will be printed via printk() in the kauditd_hold_skb(), but actually
> only the records that will be dropped need to be printed via printk().
>
> Signed-off-by: Gaosheng Cui <cuigaosheng1@...wei.com>
> ---
>  kernel/audit.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)

When records are moved to the hold queue the system is in a bad state
so printing the record via printk() regardless of if the record is
able to be successfully queued or dropped is important.  If this is
happening frequently on your system, this is likely a sign your system
is misconfigured.

-- 
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ