auditd hanging the system...

Valdis.Kletnieks at vt.edu
Tue Mar 14 22:23:50 UTC 2006


Running the Fedora devel tree as of a few days ago, and a 2.6.16-rc5-mm3 kernel.

Several times today, my laptop has seized up, with the 'disk activity' light
on solid.  After 30 to 120 seconds, it returns.  Some poking around after
the last hit finds this:

# ls -l /var/log/audit/
total 25423
-rw-r----- 1 root root 1799972 Mar 14 17:11 audit.log
-r--r----- 1 root root 5242905 Mar 14 17:06 audit.log.1
-r--r----- 1 root root 5242919 Mar 14 17:05 audit.log.2
-r--r----- 1 root root 5242943 Mar 14 15:11 audit.log.3
-r--r----- 1 root root 8388705 Oct  3 14:59 audit.log.4

Wow, something happened at 17:06 or so that caused it to roll through 5 meg of
audit in a minute.  So let's take a look at it:

# ausearch -if /var/log/audit/audit.log.1 | uniq -c | more
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
   1526 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
      2 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
      1 type=SYSCALL_PARTIAL msg=audit(0.000:272):  success=yes exit=14 items=0 pid=9616 auid=967 uid=967 gid=967 euid=967 suid=967 fsuid=967 egid=967 sgid=967 fsgid=967 tty=(none) comm="gkrellm" exe="/usr/bin/gkrellm" subj=user_u:user_r:user_t:s0
      1 type=AVC msg=audit(0.000:272): avc:  denied  { create } for  pid=9616 comm="gkrellm" scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=udp_socket
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
     94 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    190 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    294 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    157 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    205 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    149 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
     39 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    147 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    189 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    248 type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0

<here we skip several hundred more of these>
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
    296 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
      1 type=AVC_PATH msg=audit(0.000:272):  path="socket:[782960]"
      1 type=SYSCALL_PARTIAL msg=audit(0.000:272):  success=yes exit=0 items=0 pid=9616 auid=967 uid=967 gid=967 euid=967 suid=967 fsuid=967 egid=967 sgid=967 fsgid=967 tty=(none) comm="gkrellm" exe="/usr/bin/gkrellm" subj=user_u:user_r:user_t:s0
      1 type=AVC msg=audit(0.000:272): avc:  denied  { ioctl } for  pid=9616 comm="gkrellm" name="[782960]" dev=sockfs ino=782960 scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=udp_socket
      1 ----
      1 time->Wed Dec 31 19:00:00 1969
     42 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=b a1=1 a2=7 a3=bfb7a408 a4=4
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=b a1=1 a2=8 a3=bfb7a408 a4=4
    198 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=7 a1=bfb79c90 a2=27
      1 type=SOCKADDR msg=audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337313131372D373837303635
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=2 a0=7 a1=4
    194 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=7 a3=bfb7a468 a4=4
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=8 a3=bfb7a468 a4=4
      3 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=7 a3=bfb7a408 a4=4
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=5 a0=7 a1=1 a2=8 a3=bfb7a408 a4=4
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=8 a1=bfb79c90 a2=27
      1 type=SOCKADDR msg=audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337313133322D383030303731
      1 type=SOCKETCALL msg=audit(0.000:267): nargs=2 a0=8 a1=4
    852 type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0

Obviously, it looks like something is getting seriously stuck and replicating messages.

Plus, it looks like there's some basic info missing on the 'type=SOCKETCALL',
like the issuing process ID, etc....
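The three symptoms in the post (one serial replayed hundreds of times, `time->` resolving to the epoch, and SOCKETCALL records that carry no pid) can be checked mechanically against a raw audit.log rather than by eyeballing `uniq -c`. The parser below is an added example, not code from the post or from the audit project; its sample lines are constructed in the record syntax shown above, and the pid lookup assumes the SYSCALL record sharing a serial belongs to the same event.

```python
import re
from collections import Counter

# Constructed sample in raw audit.log record syntax (not the post's own file):
# one serial replayed 150 times with a zero timestamp, plus a normal event.
FLOOD_LINE = "type=SOCKETCALL msg=audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0\n"
SAMPLE_LOG = FLOOD_LINE * 150 + """\
type=SOCKETCALL msg=audit(0.000:272): nargs=3 a0=2 a1=2 a2=0
type=SYSCALL msg=audit(0.000:272): success=yes exit=14 items=0 pid=9616 auid=967 comm="gkrellm" exe="/usr/bin/gkrellm"
type=AVC msg=audit(0.000:272): avc:  denied  { create } for  pid=9616 comm="gkrellm" tclass=udp_socket
type=SYSCALL msg=audit(1142370123.456:300): success=yes exit=0 items=1 pid=1234 auid=500 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1142370123.456:300): item=0 name="/etc/passwd"
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")


def parse_records(text):
    """Yield one dict per well-formed audit record; other lines are skipped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("body")))
        yield {"type": m.group("type"), "ts": float(m.group("ts")),
               "serial": int(m.group("serial")), "fields": fields}


def analyse(text, repeat_threshold=100):
    """Flag a serial whose identical record repeats >= repeat_threshold times,
    serials stamped with the epoch (0.000), and SOCKETCALL records with no pid.
    Records sharing a serial are one event, so the pid is looked up from the
    SYSCALL record of the same serial where one exists (assumption)."""
    repeats, zero_ts, pid_by_serial, socketcalls = Counter(), set(), {}, set()
    for rec in parse_records(text):
        repeats[(rec["serial"], rec["type"], tuple(sorted(rec["fields"].items())))] += 1
        if rec["ts"] == 0.0:
            zero_ts.add(rec["serial"])
        if rec["type"] == "SYSCALL" and "pid" in rec["fields"]:
            pid_by_serial[rec["serial"]] = int(rec["fields"]["pid"])
        if rec["type"] == "SOCKETCALL" and "pid" not in rec["fields"]:
            socketcalls.add(rec["serial"])
    floods = {key[0]: n for key, n in repeats.items() if n >= repeat_threshold}
    return {"floods": floods, "zero_ts_serials": sorted(zero_ts),
            "socketcall_pid": {s: pid_by_serial.get(s) for s in sorted(socketcalls)},
            # SOCKETCALLs whose pid cannot be recovered from a sibling SYSCALL
            "orphan_socketcalls": sorted(s for s in socketcalls if s not in pid_by_serial)}
```

Running `analyse` over the rotated file (`audit.log.1` in the post) reports which serials flooded and which SOCKETCALL records have no SYSCALL sibling to supply the missing pid.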