Crash when loading the rules

Laurent Bigonville bigon at debian.org
Wed Jul 6 15:26:44 UTC 2016


On 06/07/16 at 17:23, Steve Grubb wrote:
> On Wednesday, July 6, 2016 4:49:58 PM EDT Laurent Bigonville wrote:
>> Hi,
>>
>> With 2.6.3, when loading the rules, it's crashing and I get the
>> following backtrace:
>>
>> #0  0x00007ffff687e99d in writev () at ../sysdeps/unix/syscall-template.S:84
>> #1  0x00005555555610ab in dispatch_event (rep=<optimized out>, is_err=0) at ../../../src/auditd-dispatch.c:189
>> #2  0x000055555555a700 in distribute_event (e=0x555555779d80) at ../../../src/auditd.c:216
>> #3  0x000055555555aac8 in netlink_handler (loop=<optimized out>, io=<optimized out>, revents=<optimized out>) at ../../../src/auditd.c:500
>> #4  0x0000555555562eb7 in ev_invoke_pending (loop=0x555555773e80 <default_loop_struct>) at ../../../../src/libev/ev.c:3162
>> #5  0x000055555556623d in ev_run (loop=0x555555773e80 <default_loop_struct>, flags=0) at ../../../../src/libev/ev.c:3562
>> #6  0x0000555555559e06 in ev_loop (flags=0, loop=0x555555773e80 <default_loop_struct>) at ../../../src/libev/ev.h:835
>> #7  main (argc=<optimized out>, argv=<optimized out>) at ../../../src/auditd.c:841
>>
>> The rules are pretty dumb:
>>
>> -D
>> -b 8192
>> -f 1
>> --backlog_wait_time 0
>>
>> Any idea what's going on?
> By any chance does syslog show that the dispatcher exited due to no active
> plugins?

This is what I see in syslog:

Jul  6 17:25:15 valinor systemd[1]: Starting Security Auditing Service...
Jul  6 17:25:15 valinor auditd[604]: Started dispatcher: /sbin/audispd pid: 608
Jul  6 17:25:15 valinor audispd: priority_boost_parser called with: 4
Jul  6 17:25:15 valinor audispd: max_restarts_parser called with: 10
Jul  6 17:25:15 valinor audispd: No plugins found, exiting
Jul  6 17:25:15 valinor augenrules[605]: /sbin/augenrules: No change
Jul  6 17:25:15 valinor auditd[604]: Init complete, auditd 2.6.3 listening for events (startup state enable)
Jul  6 17:25:15 valinor augenrules[605]: No rules
Jul  6 17:25:15 valinor augenrules[605]: enabled 1
Jul  6 17:25:15 valinor augenrules[605]: failure 1
Jul  6 17:25:15 valinor augenrules[605]: pid 604
Jul  6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul  6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul  6 17:25:15 valinor augenrules[605]: lost 35778
Jul  6 17:25:15 valinor augenrules[605]: backlog 6
Jul  6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul  6 17:25:15 valinor augenrules[605]: enabled 1
Jul  6 17:25:15 valinor augenrules[605]: failure 1
Jul  6 17:25:15 valinor augenrules[605]: pid 604
Jul  6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul  6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul  6 17:25:15 valinor augenrules[605]: lost 35778
Jul  6 17:25:15 valinor augenrules[605]: backlog 7
Jul  6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul  6 17:25:15 valinor augenrules[605]: enabled 1
Jul  6 17:25:15 valinor augenrules[605]: failure 1
Jul  6 17:25:15 valinor augenrules[605]: pid 604
Jul  6 17:25:15 valinor augenrules[605]: rate_limit 0
Jul  6 17:25:15 valinor augenrules[605]: backlog_limit 8192
Jul  6 17:25:15 valinor augenrules[605]: lost 35778
Jul  6 17:25:15 valinor augenrules[605]: backlog 8
Jul  6 17:25:15 valinor augenrules[605]: backlog_wait_time 0
Jul  6 17:25:16 valinor systemd[1]: Started Security Auditing Service.
Jul  6 17:25:16 valinor systemd[1]: Started Process Core Dump (PID 619/UID 0).
Jul  6 17:25:16 valinor kernel: [20575.773688] audit: netlink_unicast sending to audit_pid=604 returned error: -111
Jul  6 17:25:16 valinor systemd[1]: auditd.service: Main process exited, code=dumped, status=11/SEGV
Jul  6 17:25:16 valinor systemd[1]: auditd.service: Unit entered failed state.
Jul  6 17:25:16 valinor systemd[1]: auditd.service: Failed with result 'core-dump'.



