auditd hangs

Richard Guy Briggs rgb at redhat.com
Tue May 17 17:15:45 UTC 2016


On 16/05/17, Andrey Kulikov wrote:
> Hi everyone,
> 
> We have several thousand hosts running CentOS 7. Every day auditd
> stops writing audit.log on 2-3 of them (different hosts every day).

Without more information, I suspect it is this bug here:
	https://bugzilla.redhat.com/show_bug.cgi?id=1253123

Is there any complaint in the syslog about auditd disappearing?

> Here is strace output:
> 
> # strace -p 17306
> Process 17306 attached
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, {}, 64, 59743)            = 0
> epoll_wait(7, 7fb4c3302be0, 64, 59743)  = -1 EINTR (Interrupted system call)
> --- SIGHUP {si_signo=SIGHUP, si_code=SI_USER, si_pid=2728, si_uid=0} ---
> write(8, "\1\0\0\0\0\0\0\0", 8)         = 8
> rt_sigreturn()                          = -1 EINTR (Interrupted system call)
> epoll_wait(7, {{EPOLLIN, {u32=8, u64=4294967304}}}, 64, 59743) = 1
> read(8, "\1\0\0\0\0\0\0\0", 8)          = 8
> sendto(3, "\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0", 16, 0,
> {sa_family=AF_NETLINK,
> pid=0, groups=00000000}, 12) = 16
> poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
> recvfrom(3,
> "$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"...,
> 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
> [12]) = 36
> recvfrom(3,
> "$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"...,
> 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
> [12]) = 36
> epoll_wait(7, {{EPOLLIN, {u32=3, u64=4294967299}}}, 64, 59743) = 1
> recvfrom(3,
> "N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin"..., 8988,
> MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 80
> mmap(NULL, 8392704, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK,
> -1, 0) = 0x7fb4be5da000
> mprotect(0x7fb4be5da000, 4096, PROT_NONE) = 0
> clone(child_stack=0x7fb4bedd9eb0,
> flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
> parent_tidptr=0x7fb4bedda9d0, tls=0x7fb4bedda700,
> child_tidptr=0x7fb4bedda9d0)
> = 3014
> epoll_wait(7,
> 
> ... and line "epoll_wait(7," repeated infinitely.
> 
> auditd restart helps, but I think this is a bug. What can be the causes
> of the problem?
> 
> Thanks for your help in advance!
> 
> --
> Regards,
> Andrey Kulikov.

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
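
Added example, not part of the original message: a small decoder for the netlink messages visible in the quoted strace, to make readable what auditd exchanged with the kernel right after the SIGHUP. The byte strings are copied from the trace as far as strace printed them; the constants come from `<linux/netlink.h>` and `<linux/audit.h>`, and a little-endian host is assumed.

```python
import struct

# Constants from <linux/netlink.h> and <linux/audit.h>.
NLMSG_ERROR = 2
AUDIT_SIGNAL_INFO = 1010
TYPES = {NLMSG_ERROR: "NLMSG_ERROR", AUDIT_SIGNAL_INFO: "AUDIT_SIGNAL_INFO"}
FLAGS = {0x1: "NLM_F_REQUEST", 0x2: "NLM_F_MULTI", 0x4: "NLM_F_ACK"}

# Buffers copied from the quoted strace. strace cut each recvfrom buffer
# after 32 bytes, so the tails of the two replies are missing.
SENDTO = b"\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0"
RECV_ACK = b"$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"
RECV_INFO = b"N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin"

def decode(buf):
    """Decode one netlink message header and the two payload kinds seen here."""
    if len(buf) < 16:
        raise ValueError("shorter than struct nlmsghdr (16 bytes)")
    # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid (host order)
    length, mtype, flags, seq, pid = struct.unpack_from("<IHHII", buf, 0)
    msg = {
        "len": length,
        "type": TYPES.get(mtype, str(mtype)),
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "seq": seq,
        "pid": pid,
        "truncated": len(buf) < length,  # fewer bytes captured than announced
    }
    body = buf[16:]
    if mtype == NLMSG_ERROR and len(body) >= 4:
        # struct nlmsgerr: int error (0 = ACK), then the header being answered
        msg["error"] = struct.unpack_from("<i", body, 0)[0]
        if len(body) >= 10:
            msg["answers"] = TYPES.get(struct.unpack_from("<H", body, 8)[0])
    elif mtype == AUDIT_SIGNAL_INFO and len(body) >= 8:
        # struct audit_sig_info: uid_t uid; pid_t pid; char ctx[];
        uid, spid = struct.unpack_from("<II", body, 0)
        msg.update(sig_uid=uid, sig_pid=spid,
                   ctx=body[8:].rstrip(b"\0").decode("ascii", "replace"))
    return msg

if __name__ == "__main__":
    for label, raw in (("sendto", SENDTO), ("ack", RECV_ACK), ("info", RECV_INFO)):
        print(label, decode(raw))
```

The `pid` field in both replies decodes to 17306, the PID that strace was attached to, and the sequence number 4 ties the ACK and the `AUDIT_SIGNAL_INFO` reply to the request sent on fd 3.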