Crash when loading the rules
Laurent Bigonville
bigon at debian.org
Wed Jul 6 15:26:44 UTC 2016
Le 06/07/16 à 17:23, Steve Grubb a écrit :
> On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
>> Hi,
>>
>> With 2.6.3, when loading the rules, it's crashing and I get the
>> following backtrace:
>>
>> #0 0x00007ffff687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
>> #1 0x00005555555610ab in dispatch_event (rep=<optimized out>, is_err=0) at
>> ../../../src/auditd-dispatch.c:189
>> #2 0x000055555555a700 in distribute_event (e=0x555555779d80) at
>> ../../../src/auditd.c:216
>> #3 0x000055555555aac8 in netlink_handler (loop=<optimized out>,
>> io=<optimized out>, revents=<optimized out>) at ../../../src/auditd.c:500
>> #4 0x0000555555562eb7 in ev_invoke_pending (loop=0x555555773e80
>> <default_loop_struct>) at ../../../../src/libev/ev.c:3162
>> #5 0x000055555556623d in ev_run (loop=0x555555773e80
>> <default_loop_struct>, flags=0) at ../../../../src/libev/ev.c:3562
>> #6 0x0000555555559e06 in ev_loop (flags=0, loop=0x555555773e80
>> <default_loop_struct>) at ../../../src/libev/ev.h:835
>> #7 main (argc=<optimized out>, argv=<optimized out>) at
>> ../../../src/auditd.c:841
>>
>> The rules are pretty dump:
>>
>> -D
>> -b 8192
>> -f 1
>> --backlog_wait_time 0
>>
>> An idea what's going on?
> By any chance does syslog show that the dispatcher exited due to no active
> plugins?
This is what I see in syslog:
Jul 6 17:25:15 valinor systemd[1]: Starting Security Auditing Service...
Jul 6 17:25:15 valinor auditd[604]: Started dispatcher: /sbin/audispd
pid: 608
Jul 6 17:25:15 valinor audispd: priority_boost_parser called with: 4
Jul 6 17:25:15 valinor audispd: max_restarts_parser called with: 10
Jul 6 17:25:15 valinor audispd: No plugins found, exiting
Jul 6 17:25:15 valinor augenrules[605]: /sbin/augenrules: No change
Jul 6 17:25:15 valinor auditd[604]: Init complete, auditd 2.6.3
listening for events (startup state enable)
Jul 6 17:25:15 valinor augenrules[605]: No rules
Jul 6 17:25:15 valinor augenrules[605]: enabled 1
Jul 6 17:25:15 valinor augenrules[605]: failure 1
Jul 6 17:25:15 valinor augenrules[605]: pid 604
Jul 6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul 6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul 6 17:25:15 valinor augenrules[605]: lost 35778
Jul 6 17:25:15 valinor augenrules[605]: backlog 6
Jul 6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul 6 17:25:15 valinor augenrules[605]: enabled 1
Jul 6 17:25:15 valinor augenrules[605]: failure 1
Jul 6 17:25:15 valinor augenrules[605]: pid 604
Jul 6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul 6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul 6 17:25:15 valinor augenrules[605]: lost 35778
Jul 6 17:25:15 valinor augenrules[605]: backlog 7
Jul 6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul 6 17:25:15 valinor augenrules[605]: enabled 1
Jul 6 17:25:15 valinor augenrules[605]: failure 1
Jul 6 17:25:15 valinor augenrules[605]: pid 604
Jul 6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul 6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul 6 17:25:15 valinor augenrules[605]: lost 35778
Jul 6 17:25:15 valinor augenrules[605]: backlog 8
Jul 6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul 6 17:25:16 valinor systemd[1]: Started Security Auditing Service.
Jul 6 17:25:16 valinor systemd[1]: Started Process Core Dump (PID
619/UID 0).
Jul 6 17:25:16 valinor kernel: [20575.773688] audit: netlink_unicast
sending to audit_pid=604 returned error: -111
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Main process exited,
code=dumped, status=11/SEGV
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Unit entered failed
state.
Jul 6 17:25:16 valinor systemd[1]: auditd.service: Failed with result
'core-dump'.
More information about the Linux-audit
mailing list