auditd hanging the system...

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Tue Mar 14 23:06:35 UTC 2006


On Tue, 14 Mar 2006 17:37:48 EST, Steve Grubb said:
> On Tuesday 14 March 2006 17:23, Valdis.Kletnieks at vt.edu wrote:
> > Obviously looks like something is getting seriously stuck and replicating
> > messages.
> >
> > Plus, it looks like there's some basic info missing on the
> > 'type=SOCKETCALL', like the issuing process ID, etc....
> 
> Hmm. I wonder who's guilty. It's either kernel or userspace. One way to cut the
> problem in half is to let messages go to syslog, but still load the audit 
> rules. I'd alter the initscript to not start it.

Yee. Hah.  Didn't take but a little time, and suddenly the disk lit up
again - this time it was syslogd scribbling, so it looks like a 2.6.15-rc5-mm3
issue:

Mar 14 18:02:09 turing-police kernel: [21744.040000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 16 times
Mar 14 18:02:10 turing-police kernel: [21744.044000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 91 times
Mar 14 18:02:10 turing-police kernel: [21744.048000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 107 times
Mar 14 18:02:10 turing-police kernel: [21744.052000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 94 times
Mar 14 18:02:10 turing-police kernel: [21744.056000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 108 times
Mar 14 18:02:10 turing-police kernel: [21744.060000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 87 times
Mar 14 18:02:10 turing-police kernel: [21744.060000] audit(0.000:267): nargs=2 a0=7 a1=4
Mar 14 18:02:10 turing-police kernel: [21744.060000] audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337373332322D363335303934
Mar 14 18:02:10 turing-police kernel: [21744.060000] audit(0.000:267): nargs=3 a0=7 a1=bfb79c90 a2=27
Mar 14 18:02:10 turing-police kernel: [21744.060000] audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.064000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 108 times
Mar 14 18:02:10 turing-police kernel: [21744.068000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 97 times
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 64 times
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=7 a1=bfb79cd4 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=7 a1=bfb79cd4 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337373234352D323032303434
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=7 a1=bfb79ca0 a2=27
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.072000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 40 times
Mar 14 18:02:10 turing-police kernel: [21744.076000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 102 times
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 99 times
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): nargs=2 a0=7 a1=4
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337373234352D323032303434
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): nargs=3 a0=7 a1=bfb79c90 a2=27
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.080000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 5 times
Mar 14 18:02:10 turing-police kernel: [21744.084000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 91 times
Mar 14 18:02:10 turing-police kernel: [21744.088000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 106 times
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 89 times
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): nargs=2 a0=7 a1=4
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): saddr=01002F746D702F616C73612D646D69782D393632352D313134323337373233372D363635333438
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): nargs=3 a0=7 a1=bfb79c90 a2=27
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): nargs=3 a0=1 a1=1 a2=0
Mar 14 18:02:10 turing-police kernel: [21744.092000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0
Mar 14 18:02:10 turing-police last message repeated 6 times
Mar 14 18:02:10 turing-police kernel: [21744.096000] audit(0.000:267): nargs=3 a0=4 a1=bfb7a4f8 a2=bfb7a4a0

That's the first second or so of the spew, which continued until 18:02:33.

Interesting that the event is *again* 267......

More information about the Linux-audit mailing list