RHEL-9063

Sometimes, auditd: Error receiving audit netlink packet (No buffer space available) is reported


      Description of problem:

      Sometimes, auditd: Error receiving audit netlink packet (No buffer space available) is reported in journal.

      Version-Release number of selected component (if applicable):

      kernel-5.14.0-162.6.1.el9_1
      audit-3.0.7-103.el9

      How reproducible:

      Not deterministic.

      Steps to Reproduce:
      1. Have RHEL 9 installed.
      2. Install debuginfos for all packages:
      rpm -qa | grep -v gpg-pubkey | xargs dnf -y --nogpgcheck debuginfo-install --exclude '*-debugsource'
      3. Install annocheck:
      dnf install -y annobin-annocheck
      4. Run annocheck for multiple files:
      find -H /etc /opt /srv /usr /var -ignore_readdir_race -type f -size +3c -print0 \
      | xargs -0 -- annocheck --verbose --ignore-unknown --skip-all --test-gnu-relro --test-pie --test-pic --test-bind-now --test-stack-prot
      5. Check journal with journalctl -b 0.

      Actual results:

      Sometimes, one or a number of

      auditd: Error receiving audit netlink packet (No buffer space available)

      messages.

      Expected results:

      No such messages.

      Additional info:

      This does not always happen and we do not have a good standalone reproducer. We've observed it on our SCAP security guide-hardened system with the ospp profile when we added installation of the full set of debuginfos for the annocheck test. It might actually be the installation of those packages and not the annocheck operation that causes this.

      We first thought that this is related to the kernel audit buffer getting full with some events, but the message seems to be coming from the recvfrom getting ENOBUFS at https://github.com/linux-audit/audit-userspace/blob/master/lib/netlink.c#L102-L115, so it's some socket operation returning an error.

            rhn-support-rbriggs Richard Guy Briggs
            rhn-engineering-jpazdziora Jan Pazdziora
            Richard Guy Briggs Richard Guy Briggs
            Dennis Li Dennis Li
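
An added example, not part of the original report or of the audit project's code: a triage script for the journal check in step 5 that counts the auditd netlink receive error separately from kernel-side backlog messages, which is the distinction the report draws. The journal lines are constructed, and the kernel message wording matched by the patterns is an assumption to verify against your kernel.

```python
import re
import sys
from collections import Counter

# Constructed excerpt in `journalctl -b 0` short format; not taken from the report.
SAMPLE_JOURNAL = """\
Nov 03 10:15:01 host1 auditd[812]: Error receiving audit netlink packet (No buffer space available)
Nov 03 10:15:01 host1 auditd[812]: Error receiving audit netlink packet (No buffer space available)
Nov 03 10:15:02 host1 kernel: audit: audit_backlog=8193 > audit_backlog_limit=8192
Nov 03 10:15:02 host1 kernel: audit: audit_lost=12 audit_rate_limit=0 audit_backlog_limit=8192
Nov 03 10:15:02 host1 kernel: audit: backlog limit exceeded
Nov 03 10:15:09 host1 sshd[2210]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Nov 03 10:17:40 host1 auditd[812]: Error receiving audit netlink packet (No buffer space available)
"""

# Userspace side: auditd logging a failed recvfrom() on its netlink socket.
RECV_ERR = re.compile(r"auditd(?:\[\d+\])?: Error receiving audit netlink packet \((.+)\)$")
# Kernel side (assumed wording): the audit backlog queue itself overflowing.
KERNEL_BACKLOG = re.compile(
    r"kernel: audit: (?:backlog limit exceeded|audit_backlog=\d+ > audit_backlog_limit=\d+)")
KERNEL_LOST = re.compile(r"kernel: audit: audit_lost=(\d+) ")
ENOBUFS_TEXT = "No buffer space available"  # strerror(ENOBUFS) on Linux


def triage(journal_text):
    """Count netlink receive errors and kernel backlog messages separately."""
    counts, per_minute, max_lost = Counter(), Counter(), 0
    for line in journal_text.splitlines():
        m = RECV_ERR.search(line)
        if m:
            if m.group(1) == ENOBUFS_TEXT:
                counts["recv_enobufs"] += 1
                per_minute[line[:12]] += 1  # "Mon DD HH:MM" prefix groups bursts
            else:
                counts["recv_other"] += 1
            continue
        if KERNEL_BACKLOG.search(line):
            counts["kernel_backlog"] += 1
        m = KERNEL_LOST.search(line)
        if m:
            max_lost = max(max_lost, int(m.group(1)))
    return {"counts": dict(counts),
            "enobufs_per_minute": dict(per_minute),
            "max_audit_lost": max_lost}


if __name__ == "__main__":
    # Pipe `journalctl -b 0` output in, or run bare to use the constructed sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    print(triage(text or SAMPLE_JOURNAL))
```

A boot that shows `recv_enobufs` with no `kernel_backlog` entries and `max_audit_lost` of 0 matches the situation described in the report, where the error comes from the socket read rather than from a full kernel audit queue.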