Auditd reconfigure using SIGHUP
Steve Grubb
sgrubb at redhat.com
Fri Jan 6 16:44:21 UTC 2017
Hello,
On Friday, January 6, 2017 6:29:59 AM EST Bhagwat, Shriniketan Manjunath
wrote:
> In my last email I missed mentioning the fix that I have implemented.
>
> Issue 1) As you said, I have fixed it by replacing the ev_signal by
> ev_child as below.
>
> struct ev_child sigchld_watcher;
>
> ev_child_init (&sigchld_watcher, child_handler, 0, 0);
> ev_child_start (EV_DEFAULT_ &sigchld_watcher);
>
> static void child_handler(EV_P_ ev_child *w, int revents)
> {
>     int pid;
>
>     if (w->rpid == dispatcher_pid()) {
>         dispatcher_reaped();
>     }
> }
I tried this as a first step yesterday but what happens is the problem gets
worse. It thinks the dispatcher is running all the time and never tries to
restart it.
> Issue 2) In auditd.c main(), child_handler is not registered immediately
> after init_dispatcher() is called. I have modified the audit to register
> ev_child immediately after init_dispatcher() as below. Or maybe before
> calling init_dispatcher(). This fixed issue 2 for me. Below extract is from
> documentation of libev for ev_child: " It is permissible to install a child
> watcher after the child has been forked (which implies it might have
> already exited), as long as the event loop isn't entered (or is continued
> from a watcher), i.e., forking and then immediately registering a watcher
> for the child is fine, but forking and registering a watcher a few event
> loop iterations later or in the next callback invocation is not."
>
> if (init_dispatcher(&config)) {
>     if (pidfile)
>         unlink(pidfile);
>     tell_parent(FAILURE);
>     return 1;
> }
> ev_child_init (&sigchld_watcher, child_handler, 0, 0);
> ev_child_start (EV_DEFAULT_ &sigchld_watcher);
>
> Issue 3) With the above fix for issue 2, I did not see issue 3 occurring
> for me. This could be because shutdown_dispatcher() is called from
> dispatcher_reaped() where the status on the pipe is not checked.
Using the above code I still see the descriptor getting stepped on by
something. I have added some debug info to audispd in svn which makes the
problem more clear.
Jan 6 11:43:13 audispd: Failed setting up input(Bad file descriptor, -1), exiting
In case anyone else wishes to have a regression test, here's some code:
#!/bin/sh
while [ 1 ]
do
    echo "disabling sedispatch"
    sed -i '/active/s/yes/no/' /etc/audisp/plugins.d/sedispatch.conf
    kill -HUP `pidof auditd`
    sleep 10
    pstree -p `pidof auditd`
    echo "enabling sedispatch"
    sed -i '/active/s/no/yes/' /etc/audisp/plugins.d/sedispatch.conf
    kill -HUP `pidof auditd`
    sleep 10
    pstree -p `pidof auditd`
done
Of course you might want to change the plugin that's being altered to
something else.
-Steve
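
The window that the quoted libev documentation extract warns about, reproduced with plain POSIX signals and waitpid() instead of libev. This is an added example, not code from auditd or from either poster, and the function names are hypothetical: a child that exits before the SIGCHLD handler is installed produces no notification, and only an explicit non-blocking waitpid() after registration recovers its status.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t sigchld_seen;

static void on_sigchld(int signo) { (void)signo; sigchld_seen = 1; }

/* Hypothetical demo (plain POSIX, not libev). Returns the exit code recovered
 * by the sweep, or -1 on error; *notified reports whether the late handler ran. */
int late_registration_demo(int *notified)
{
    struct sigaction sa;
    siginfo_t info;
    int status = 0;

    sa.sa_handler = SIG_DFL;          /* start from the default disposition */
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGCHLD, &sa, NULL) < 0) return -1;
    sigchld_seen = 0;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(7);           /* stand-in for a child that dies at once */

    /* Wait until the child has exited but leave it unreaped (WNOWAIT). */
    if (waitid(P_PID, (id_t)pid, &info, WEXITED | WNOWAIT) < 0) return -1;

    sa.sa_handler = on_sigchld;       /* handler registered too late */
    if (sigaction(SIGCHLD, &sa, NULL) < 0) return -1;
    *notified = sigchld_seen;         /* stays 0: that SIGCHLD is already gone */

    /* Sweep once after registering: the exit status is still collectable. */
    pid_t r = waitpid(pid, &status, WNOHANG);
    sa.sa_handler = SIG_DFL;
    sigaction(SIGCHLD, &sa, NULL);
    if (r != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int notified = -1, code = late_registration_demo(&notified);
    printf("handler ran: %d, exit code from sweep: %d\n", notified, code);
    return code == 7 ? 0 : 1;
}
```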