Created attachment 483208
Syslog with error of auditd

Description of problem:
Auditd is sleeping forever on system shutdown or reboot. The hung daemon is freezing the machine shutdown process. In syslog there is information:

Feb 10 01:23:33 localhost auditd[1410]: Error receiving audit netlink packet (No buffer space available)
Feb 10 01:23:33 localhost auditd[1410]: Error sending signal_info request (No buffer space available)
Feb 10 01:23:33 localhost auditd[1410]: The audit daemon is exiting.

Version-Release number of selected component (if applicable):
audit-2.0.6-1.el6.x86_64

How reproducible:
Almost always

Steps to Reproduce:
1. Install system
2. switch it off by shutdown -h now, or shutdown -r now, or reboot...
3. Auditd will fail to stop and will freeze shutdown process

Actual results:
Auditd fails to stop

Expected results:
Auditd is stopping properly.

Additional info:
What audit rules do you have loaded? It sounds like on shutdown lots of events were created that flooded the audit system.
Nothing special. It was fresh install of Red Hat 6.1 without any changes.
What kind of events did you get around shutdown? You can run aureport --start 08:00:00 assuming you started shutdown around that time. The same audit package is on Fedora 14 and we have no reports of this issue. The shutdown code is also the same as shipped in RHEL6 GA. So, there is something going on with your system that we need to better understand.
I'll give you an answer on Friday or Monday.
Output from aureport:

Summary Report
======================
Range of time in logs: 03/13/2011 20:07:21.325 - 03/13/2011 20:14:14.138
Selected time for report: 03/13/2011 12:09:00 - 03/13/2011 20:14:14.138
Number of changes in configuration: 2
Number of changes to accounts, groups, or roles: 0
Number of logins: 3
Number of failed logins: 0
Number of authentications: 4
Number of failed authentications: 0
Number of users: 2
Number of terminals: 7
Number of host names: 3
Number of executables: 4
Number of files: 0
Number of AVC's: 0
Number of MAC events: 4
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 7
Number of keys: 0
Number of process IDs: 11
Number of events: 68314
That is showing more than 68,000 events in 7 minutes. That is not normal. Maybe try this and see what kind of events are being triggered (you supply the same time range as the above report):

aureport --event --summary -i
I got:

Event Summary Report
======================
total  type
======================
65604  USER_END
5  CRYPTO_KEY_USER
3  USER_START
2  USER_ROLE_CHANGE
2  LOGIN
2  USER_AUTH
2  USER_ACCT
2  CRED_ACQ
2  CRYPTO_SESSION
1  CRED_REFR
1  USER_LOGIN
1  CRED_DISP

So I see that the user_end event may cause this issue. But this is a new install, and I was logged into it twice.
OK, looks like we have a candidate. I want to make sure we know which program is doing this. I would suspect sshd, but we need to check:

ausearch --start <add your time range here> -m user_end --raw | aureport -x --summary
Yes. It is sshd.
Executable Summary Report
=================================
total  file
=================================
71415  /usr/sbin/sshd
2  /usr/sbin/crond
This problem seems to be a duplicate of bug 680722. It is supposed to be fixed in version 5.3-41. So, updating to it or later should resolve the problem. Thanks.
*** This bug has been marked as a duplicate of bug 680722 ***
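
The triage done in this thread (event count for the window, then breakdown by event type, then by executable) can also be run directly over raw audit records. The following is an added example, not part of the original bug report or the audit package; the function names, the thresholds and the sample records are constructed assumptions.

```python
import re
from collections import Counter

# Raw audit record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):')
EXE = re.compile(r'\bexe="([^"]+)"')

def summarize(lines):
    """Return (Counter keyed by (type, exe), list of record timestamps)."""
    counts, stamps = Counter(), []
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        stamps.append(int(m.group(2)))
        exe = EXE.search(line)
        counts[(m.group(1), exe.group(1) if exe else "?")] += 1
    return counts, stamps

def flood_suspects(lines, min_share=0.9, min_per_minute=100):
    """Return (type, exe, count, per_minute) for pairs that dominate the log.
    Both thresholds are assumed defaults, not values from the audit tools."""
    counts, stamps = summarize(lines)
    if not stamps:
        return []
    total = sum(counts.values())
    # Treat a log that fits inside one second as a one-second window.
    minutes = max((max(stamps) - min(stamps)) / 60.0, 1 / 60.0)
    return [(t, exe, n, round(n / minutes))
            for (t, exe), n in counts.most_common()
            if n / total >= min_share and n / minutes >= min_per_minute]

def constructed_sample():
    """Constructed records (not from the bug report): a USER_END burst from sshd."""
    tmpl = ("type={t} msg=audit({ts}.138:{n}): user pid=1500 uid=0 auid=500 ses=2 "
            "msg='op=PAM:{op} acct=\"user\" exe=\"{exe}\" hostname=? "
            "addr=192.0.2.10 terminal=ssh res=success'")
    lines = [tmpl.format(t="USER_START", ts=1300046000, n=1, op="session_open",
                         exe="/usr/sbin/sshd")]
    lines += [tmpl.format(t="USER_END", ts=1300046000 + i // 50, n=i + 2,
                          op="session_close", exe="/usr/sbin/sshd")
              for i in range(3000)]
    lines.append(tmpl.format(t="USER_ACCT", ts=1300046060, n=3002, op="accounting",
                             exe="/usr/sbin/crond"))
    lines.append("garbage line that is not an audit record")
    return lines

if __name__ == "__main__":
    for t, exe, n, rate in flood_suspects(constructed_sample()):
        print(f"{n} {t} records from {exe} (~{rate}/min)")
```

On a live system the input would be the output of ausearch with --raw for the time range in question, one record per line.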