From: Andrey Kulikov
Subject: auditd hangs
Date: Tue, 17 May 2016 11:49:05 +0300
Message-ID: <573ADB01.2020000@corp.mail.ru>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi everyone,

We have several thousand hosts running CentOS 7.
Every day auditd stops writing audit.log on 2-3 of them (different hosts every day).

Here is strace output:

# strace -p 17306
Process 17306 attached
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, {}, 64, 59743) = 0
epoll_wait(7, 7fb4c3302be0, 64, 59743) = -1 EINTR (Interrupted system call)
--- SIGHUP {si_signo=SIGHUP, si_code=SI_USER, si_pid=2728, si_uid=0} ---
write(8, "\1\0\0\0\0\0\0\0", 8) = 8
rt_sigreturn() = -1 EINTR (Interrupted system call)
epoll_wait(7, {{EPOLLIN, {u32=8, u64=4294967304}}}, 64, 59743) = 1
read(8, "\1\0\0\0\0\0\0\0", 8) = 8
sendto(3, "\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0", 16, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN}], 1, 500) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"..., 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
recvfrom(3, "$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
epoll_wait(7, {{EPOLLIN, {u32=3, u64=4294967299}}}, 64, 59743) = 1
recvfrom(3, "N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin"..., 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 80
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb4be5da000
mprotect(0x7fb4be5da000, 4096, PROT_NONE) = 0
clone(child_stack=0x7fb4bedd9eb0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x7fb4bedda9d0, tls=0x7fb4bedda700, child_tidptr=0x7fb4bedda9d0) = 3014
epoll_wait(7,
...

and the line "epoll_wait(7," repeated infinitely.

auditd restart helps, but I think this is a bug.
What can be the causes of the problem?

Thanks for your help in advance!

--
Regards,
Andrey Kulikov.
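
To read the netlink traffic on fd 3 in the trace above, this added example (not part of the original message) decodes the three strace-escaped buffers into netlink header fields. It shows the daemon sending an AUDIT_SIGNAL_INFO request after the SIGHUP and the kernel's ACK and reply. It assumes a little-endian host, the constants from linux/netlink.h and linux/audit.h, and strace's default 32-byte string truncation; the function and key names are illustrative.

```python
import re
import struct

# Values from linux/netlink.h and linux/audit.h.
NLMSG_ERROR = 2
AUDIT_SIGNAL_INFO = 1010
TYPES = {NLMSG_ERROR: "NLMSG_ERROR", AUDIT_SIGNAL_INFO: "AUDIT_SIGNAL_INFO"}
ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}

def strace_bytes(text):
    """Convert a strace-escaped string (as printed between quotes) to bytes."""
    out = bytearray()
    for m in re.finditer(r"\\([0-7]{1,3})|\\(.)|(.)", text, re.S):
        if m.group(1) is not None:
            out.append(int(m.group(1), 8))       # octal escape such as \362
        elif m.group(2) is not None:
            out.append(ESCAPES[m.group(2)])      # C-style escape such as \n
        else:
            out.append(ord(m.group(3)))          # printable character
    return bytes(out)

def decode(text):
    """Decode one netlink message; strace shows only its first 32 bytes."""
    buf = strace_bytes(text)
    # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid
    length, mtype, flags, seq, pid = struct.unpack_from("<IHHII", buf)
    msg = {"len": length, "type": TYPES.get(mtype, mtype), "flags": flags,
           "seq": seq, "pid": pid}
    body = buf[16:]
    if mtype == NLMSG_ERROR and len(body) >= 4:
        # struct nlmsgerr starts with an int error code; 0 is a plain ACK.
        msg["error"] = struct.unpack_from("<i", body)[0]
    elif mtype == AUDIT_SIGNAL_INFO and len(body) >= 8:
        # struct audit_sig_info { uid_t uid; pid_t pid; char ctx[]; }
        msg["sig_uid"], msg["sig_pid"] = struct.unpack_from("<II", body)
        msg["ctx_prefix"] = body[8:].decode("ascii", "replace")
    return msg

# Buffers copied from the trace in the message above (truncated by strace).
REQUEST = r"\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0"
ACK = r"$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"
REPLY = r"N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin"

if __name__ == "__main__":
    for call, raw in (("sendto", REQUEST), ("recvfrom", ACK), ("recvfrom", REPLY)):
        print(call, decode(raw))
```
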