[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: System hangs using audit-0.9.9 (and few versions before)

I just tried the same thing on my 2 CPU ia64 box (.65 kernel and 0.9.10
audit tools) and on my system, the system doesn't hang but it doesn't
work either.

Where your system hung, just my window hangs.  I can see that the
auditd script is trying to do an auditctl -D and the auditctl process is
running constantly and can't be killed.

The first time I did this I forgot that I had some rules in the rules
file that would cause all syscalls with my uid to be audited.  When
that happened, not only was auditctl running constantly but all my
processes seemed to go wild.  Touching any window caused shell prompts
to start scrolling off the screen, etc.  I could ssh in and that seemed
to work ok but the messages file (because there was no auditd) was
filling up.  There were lots of select, read, sigprocmask, ... syscalls
being audited, like signals gone wild?.

Anyone else tried this?

-- ljk

PS  I'd experiment some more tonight but I have to leave soon (my SO's
birthday).  I can try more tomorrow.

Loulwa Salem wrote:
I had a problem with the system hanging while running a test case that exercises the boundary limits on path name and file name while inserting watches. This seemed to only occur on SMP machines. I also tried the test case on audit (0.9.4 -> 0.9.9) and it seemed to break on all those versions regardless of the kernel version running.

The system hung when attempting to stop audit after trying to insert a watch on a long filename (> NAME_MAX).

With audit0.9.10 (and the latest kernel.65) the problem seemed to just go away.. I am not sure what changed in the code to fix it ... but I thought it would be good to report it in case someone encounters a similar problem again ... also it would be nice if we know what happened to fix it .. or break it in the first place ...

Thanks for Klaus ... helping narrow the problem down.

To reproduce :
# /sbin/auditctl -w /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -k good-key
>> The base name of the path is too big

#/etc/init.d/auditd restart
 >> Stopping auditd:                                           [  OK  ]
 >> Starting auditd:                                           [  OK  ]

# /sbin/auditctl -w /tmp/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -k good-key
>> The base name of the path is too big

# /etc/init.d/auditd restart
 >>Stopping auditd:                                           [  OK  ]
------ IT hangs here -------


Linux-audit mailing list
Linux-audit redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]