audit.20 kernel

Steve Grubb sgrubb at redhat.com
Mon Apr 11 19:49:53 UTC 2005


On Monday 11 April 2005 15:13, David Woodhouse wrote:
> Is the audit dæmon flushing the queue completely before it shuts down,
> or just exiting immediately?

I did this:

strace /sbin/auditd -f

and got this (note that auditd's own stderr output is interleaved with the strace lines, so some write() and futex() lines appear split across two lines):

recvfrom(3, "$\0\0\0\2\0\0\0\1\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"..., 
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 
36
write(2, "Init complete, audit pid set to:"..., 37Init complete, audit pid set 
to: 4033) = 37
write(2, "\n", 1
)                       = 1
select(4, [3], NULL, NULL, {30, 0})     = 1 (in [3], left {30, 0})
recvfrom(3, ";\0\0\0\320\7\0\0\0\0\0\0\0\0\0\0audit(1113248675"..., 1216, 
MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 75
futex(0x8050ea0, FUTEX_WAKE, 1)         = 1
futex(0x8050e9c, FUTEX_WAKE, 1)         = 1
futex(0x8050e84, FUTEX_WAKE, 1type=KERNEL msg=audit(1113248675.648:0): 
audit_enabled=1 old=1 by auid 4325
)         = 1
select(4, [3], NULL, NULL, {30, 0})     = 1 (in [3], left {30, 0})
recvfrom(3, "$\0\0\0\2\0\0\0\2\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"..., 
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 
36
select(4, [3], NULL, NULL, {30, 0})     = ? ERESTARTNOHAND (To be restarted)
--- SIGCONT (Continued) @ 0 (0) ---
select(4, [3], NULL, NULL, {16, 36000}) = ? ERESTARTNOHAND (To be restarted)
--- SIGCONT (Continued) @ 0 (0) ---


In another terminal, I did this:
 kill -s SIGCONT 4033

When SIGTERM is sent to the daemon (pid 4033), I get this:

select(4, [3], NULL, NULL, {30, 0})     = ? ERESTARTNOHAND (To be restarted)
--- SIGTERM (Terminated) @ 0 (0) ---
write(2, "Signal 15\n", 10Signal 15
)             = 10
sigreturn()                             = ? (mask now [])
getuid32()                              = 0
time(NULL)                              = 1113248847
futex(0x8050ea0, FUTEX_WAKE, 1)         = 1
futex(0x8050e9c, FUTEX_WAKE, 1)         = 1
futex(0x8050e84, FUTEX_WAKE, 1type=DAEMON msg=auditd(1113248847) auditd normal 
halt, pid=4033, uid=0
)         = 1
sched_yield()                           = 0
rt_sigaction(SIGALRM, {0x8049627, [], SA_RESTORER, 0xc957e8}, NULL, 8) = 0
alarm(5)                                = 0
write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28
write(2, "\n", 1
)                       = 1
sendto(3, "0\0\0\0\351\3\5\0\3\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0"..., 48, 0, 
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 48
nanosleep({0, 100000000}, NULL)         = 0
recvfrom(3, "$\0\0\0\2\0\0\0\3\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"..., 
1216, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 
[12]) = 36
recvfrom(3, "$\0\0\0\2\0\0\0\3\0\0\0\301\17\0\0\0\0\0\0000\0\0\0\351"..., 
1216, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 
36
nanosleep({0, 100000000}, NULL)         = 0
recvfrom(3, 0xbfe4d4c0, 1216, 64, 0xbfe4d470, 0xbfe4d46c) = -1 EAGAIN 
(Resource temporarily unavailable)
close(3)                                = 0
unlink("/var/run/auditd.pid")           = 0
munmap(0xb7f32000, 4096)                = 0
exit_group(0)                           = ?

Again, there is no sign of a kernel event recording the signal sent to the audit daemon; the trace shows only the daemon's own "Signal 15" message and the DAEMON "auditd normal halt" record, followed by the netlink socket being drained until recvfrom() returns EAGAIN and then closed before the daemon exits.

-Steve



