View Issue Details

IDProjectCategoryView StatusLast Update
0008342CentOS-7auditpublic2015-03-26 21:12
Reporternickwh 
PriorityhighSeveritycrashReproducibilityalways
Status newResolutionopen 
PlatformConRoeXFireOS3.10.0OS Version123.20.1.el7
Product Version7.0-1406 
Target VersionFixed in Version 
Summary0008342: Panic in audit when booting
DescriptionRunning kernel 3.10.0-123.20.1.el7.x86_64, system panic or hang during boot process with:-
audit: audit_lost=1 audit_rate_limit=100 audit_backlog_limit=320
Kernel panic - not syncing: audit: rate limit exceeded

Call Trace:
[ffffffff815e2b0c>] dump_stack+0x19/0x1b
[ffffffff815dbfca>] panic+0xd8/0x1e7
[ffffffff810df674>] audit_panic+0x64/0x70
[ffffffff810df6bf>] audit_log_lost+0x3f/0xd0
[ffffffff810dfb2b>] audit_log_end+0x10b/0x110
[ffffffff810e4811>] audit_log_exit+0x211/0xb90
[ffffffff815ea17b>] ? _raw_spin_unlock_bh+0x1b/0x40
[ffffffff814bc708>] ? release_sock+0x118/0x170
[ffffffff8158f987>] ? ipv6_setsockopt+0xa7/0xd0
[ffffffff810e70fd>] __audit_syscall_exit+0x23d/0x2a0
[ffffffff815f3340>] sysret_audit+0x17/0x21
Steps To Reproduce1. Ensure auditd is enabled and running in multi-user mode:-
systemctl status auditd
systemctl enable auditd - enable if required
2. Add "-f 2" to /etc/audit/rules.d/audit.rules to panic on failure
Add "-r 100" to /etc/audit/rules.d/audit.rules to generate at most 100 audit messages per second as suggested in man pages. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls_in_the_audit.rules_file.html
3. Reboot
4. System will either panic but occasionally will hang. Another way to see the panic is to boot into single user mode and then "systemctl default" to go multi-user.
Additional InformationInstalled my system in graphics mode and then set the default to be multi-user using systemctl. SElinux is enabled.

Raising the rate limit from 100 to 1000, alleviates the problem.

System should not really panic but give guidance as to how many audit messages per second are coming in and suggesting a value as it might need raising even further.

A man page change could also help.
TagsNo tags attached.
abrt_hash
URL

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2015-03-26 21:12 nickwh New Issue