[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: System hangs using audit-0.9.9 (and few versions before)



Steve Grubb wrote:

You might try 0.9.11 and see if that solves your problem. There are some variances in kernels that cause netlink to behave strangely - which is why I've had so many iterations trying to solve the user's can't login problem. I think 0.9.11 finally solves that problem.

I am on an SMP x86_64 platform (kernel .65)
I tried the 0.9.11 audit ... and it hung (waited on it for 7.5 minutes but I was able to do ctrl-z to stop the test) ... however I believe the run left the system in an unstable state considering it wouldn't respond to a reboot command, and had to be force rebooted anyway. Before I rebooted .. I got this ps -ef | grep audit output:


root 2311 11 0 18:38 ? 00:00:00 [kauditd]
root 3000 2946 0 18:40 pts/1 00:00:00 /bin/bash /etc/rc.d/init.d/auditd stop
root 3008 3000 99 18:40 pts/1 00:01:17 /sbin/auditctl -D
root 3009 13 19 18:40 ? 00:00:14 [audit_list_rule]
root 3017 2899 0 18:41 pts/0 00:00:00 grep audit


I went back to the 0.9.10 version and it worked but slowly ... I did end up with a lot of hanging processes regarding [audit_list_watch] and [audit_list_rules] ... When I tried to do kill -9 on any of those processes ... it didn't have any effect.

Sample (ps -ef | grep audit). Notice auditd isn't even running:
root      2311    11  0 18:38 ?        00:00:00 [kauditd]
root      3008     1 99 18:40 pts/1    00:07:00 /sbin/auditctl -D
root      3009    13 25 18:40 ?        00:01:49 [audit_list_rule]
root      3048    11  0 18:43 ?        00:00:00 [audit_list_rule]
root      3049    13  0 18:43 ?        00:00:00 [audit_list_watc]
root      3050    13  0 18:43 ?        00:00:00 [audit_list_rule]
root      3051    11  0 18:43 ?        00:00:00 [audit_list_watc]
.....
root      3820    13  0 18:46 ?        00:00:00 [audit_list_rule]
root      3821    11  0 18:46 ?        00:00:00 [audit_list_watc]
root      3826  2899  0 18:47 pts/0    00:00:00 grep audit

- Loulwa


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]