System hangs using audit-0.9.9 (and few versions before)

Loulwa Salem loulwas at us.ibm.com
Tue Jun 21 23:58:28 UTC 2005


Steve Grubb wrote:

> You might try 0.9.11 and see if that solves your problem. There are some 
> variances in kernels that cause netlink to behave strangely - which is why 
> I've had so many iterations trying to solve the user's can't login problem. I 
> think 0.9.11 finally solves that problem.

I am on an SMP x86_64 platform (kernel .65)
I tried the 0.9.11 audit ... and it hung (waited on it for 7.5 minutes 
but I was able to do ctrl-z to stop the test) ... however I believe the 
run left the system in an unstable state considering it wouldn't respond 
to a reboot command, and had to be force rebooted anyway. Before I 
rebooted .. I got this ps -ef | grep audit output:

root      2311    11  0 18:38 ?        00:00:00 [kauditd]
root      3000  2946  0 18:40 pts/1    00:00:00 /bin/bash /etc/rc.d/init.d/auditd stop
root      3008  3000 99 18:40 pts/1    00:01:17 /sbin/auditctl -D
root      3009    13 19 18:40 ?        00:00:14 [audit_list_rule]
root      3017  2899  0 18:41 pts/0    00:00:00 grep audit

I went back to the 0.9.10 version and it worked but slowly ... I did end 
up with a lot of hanging processes regarding [audit_list_watch] and 
[audit_list_rules] ... When I tried to do kill -9 on any of those 
processes ... it didn't have any effect.

Sample (ps -ef | grep audit). Notice auditd isn't even running:
root      2311    11  0 18:38 ?        00:00:00 [kauditd]
root      3008     1 99 18:40 pts/1    00:07:00 /sbin/auditctl -D
root      3009    13 25 18:40 ?        00:01:49 [audit_list_rule]
root      3048    11  0 18:43 ?        00:00:00 [audit_list_rule]
root      3049    13  0 18:43 ?        00:00:00 [audit_list_watc]
root      3050    13  0 18:43 ?        00:00:00 [audit_list_rule]
root      3051    11  0 18:43 ?        00:00:00 [audit_list_watc]
.....
root      3820    13  0 18:46 ?        00:00:00 [audit_list_rule]
root      3821    11  0 18:46 ?        00:00:00 [audit_list_watc]
root      3826  2899  0 18:47 pts/0    00:00:00 grep audit

- Loulwa



