audit.53 kernel
Steve Grubb
sgrubb at redhat.com
Thu Jun 2 21:46:15 UTC 2005
On Thursday 02 June 2005 16:15, Steve Grubb wrote:
> This was after syslog had stopped logging so I couldn't get
> anything.
I have some more information. There are 2 problems. One is that the rules come
back to life. If you set a watch on /bin/sh, you see when shell scripts get
called on shutdown.
The other problem is an oops. It only occurs if auditing is enabled during
shutdown. When auditing is disabled, you get the inodes busy message. I also
found that I get the oops on shutdown with only this command entered:
auditctl -w /var/gdm/.gdmfifo -k pipe -p rwea
The information I was able to collect is:
EIP: 0xf0888105
EIP is at ext3_put_super
process unmount (pid 3380
call trace:
generic_shutdown_super
kill_block_super
deactivate_super
sys_unmount
audit_syscall_entry
do_syscall_trace
syscall_call
/etc/rc0.d/S01halt: line 14: 3380 segmentation fault
unmounting filesystems
umount2 invalid argument
Checking gdb for EIP shows an invalid address.
-Steve
More information about the Linux-audit
mailing list