10-12-2005
auditing fails with SIGPIPE signal on 1/4 hour
Hi folks,
Can anyone assist with pointers for the following snag?
We have a custom method (IBM-supplied) for running the audit subsystem on 5.1-07.
/etc/security/audit objects, events and config have been edited, and /etc/security/audit/streamcmds contains the following routine:
/usr/sbin/auditstream user,config,mail,cron,SRC | /usr/sbin/auditpr -vhelRtcrpP | /etc/security/audit/tosyslog &
The "tosyslog" script is a nawk routine that combines the output from the pipe into a single syslog record:
---------------------------------------------------------
#!/usr/bin/nawk -f
# Header line, sent once to syslog when the stream starts.
BEGIN {printf("%24s %8s %8s %13s Status Prog PID PPID: tail\n","date",
"login","real","Event") | "/usr/bin/logger -p local1.info -t AUDIT"}
# auditpr record header (starts with an upper-case event name):
# reorder its fields and keep them until the detail line arrives.
/^[A-Z]/ {
line = 1;
head=sprintf("%s %s %2s %s %s %8s %8s %15s %4s %s %s %s",
$4,$5,$6,$7,$8,$2,$10, $1, $3,$9,$11,$12);
next}
# First indented detail line: join it to the saved header and emit
# one syslog record through logger.
/^[ \t]/ {
if (line==1) {sub("^[ \t]*","");
printf("%s: %s\n", head,$0)|"/usr/bin/logger -plocal5.info -t AUDIT"
line=0}
next; }
---------------------------------------------------------
The snag I have is that on certain partitions, BUT not all of them (although they are built from identical images), the audit subsystem croaks on the first 1/4 hour (:00, :15, :30, :45) after it is executed.
I think it dies with a SIGPIPE signal from the kernel due to a reader process not being available at the end of a pipe.
Running the audit processes and then attaching truss to any of the piped commands and the end script reveals the following:
root@<server>:init.d> ./rc.audit start
Checking for log dir [ OK ]
Starting system audit module [ OK ]
Logging auditing subsystem startup to syslog [ OK ]
root@<server>:init.d> ps -edf | grep audit
root 16900 82366 1 15:02:05 pts/2 0:00 grep audit
root 43924 1 1 15:02:00 pts/2 0:00 /usr/bin/nawk -f /etc/security/audit/tosyslog
root 78326 43924 0 15:02:00 - 0:00 /usr/sbin/auditpr -vhelRtcrpP
root 87420 43924 0 15:02:00 - 0:00 /usr/sbin/auditstream user,config,mail,cron,SRC
root@cbhspr2:init.d> truss -p 43924
kwrite(7, " T u e O c t 1 1 1".., 114) = 114
...
kwrite(7, " T u e O c t 1 1 1".., 117) Err#32 EPIPE
Received signal #13, SIGPIPE [default]
*** process killed ***
I can't figure out why the SIGPIPE should be seen on the regular 1/4 hour, and why it should be seen only on certain (otherwise identical) partitions, and not others. I've compared the key files on the odd good servers with those that bomb, but there are no changes.
Any clues or pointers will be gratefully received (also posted on Tek-Tips but no responses).
Regards
recl
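The truss output above tells the story in two lines: kwrite() on fd 7 fails with Err#32 EPIPE, and because SIGPIPE is at its default disposition ("[default]") the kernel kills the nawk process, which in turn takes the auditstream | auditpr pipeline down with it. The only fd the tosyslog script writes to besides stdout is its pipe to /usr/bin/logger, so the process that disappeared is on that end. The following probe is an added example (not code from the original post or from AIX) that reproduces the mechanism in isolation: a writer with a pipe whose reader has gone away, once with SIGPIPE left at the default and once with it ignored. The sample record is constructed and the function name probe_dead_reader is an assumption of this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PROBE_ERROR (-1)

/*
 * Constructed sample record, standing in for one formatted line that a
 * script like tosyslog would hand to logger.  Not real audit output.
 */
static const char sample_record[] =
    "Tue Oct 11 15:02:00 2005 root root FILE_Open OK /usr/sbin/cron: tail\n";

/*
 * Reproduce the failure mode seen in the truss: a process writes into a
 * pipe after its only reader has gone away.  The write is done in a forked
 * child so that the default action (writer killed by SIGPIPE) does not take
 * down the caller.  Closing the read end inside the child is the equivalent
 * of the reader process (here: logger) having exited.
 *
 * Return value describes what happened to the writer:
 *   SIGPIPE      writer was killed by signal 13 (default disposition),
 *   EPIPE        SIGPIPE was ignored and write() failed with errno 32,
 *   0            write succeeded (cannot happen once the reader is gone),
 *   PROBE_ERROR  setup failure (fork/pipe/waitpid).
 */
int probe_dead_reader(int ignore_sigpipe)
{
    pid_t writer = fork();
    if (writer < 0)
        return PROBE_ERROR;

    if (writer == 0) {
        int fds[2];
        if (pipe(fds) != 0)
            _exit(3);
        close(fds[0]);                 /* no reader left on this pipe */

        if (ignore_sigpipe)
            signal(SIGPIPE, SIG_IGN);  /* write() now returns -1/EPIPE instead */

        ssize_t n = write(fds[1], sample_record, sizeof sample_record - 1);
        if (n < 0)
            _exit(errno == EPIPE ? 2 : 3);
        _exit(0);                      /* not reached with a dead reader */
    }

    int status = 0;
    if (waitpid(writer, &status, 0) < 0)
        return PROBE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);       /* 13 == SIGPIPE */
    if (WIFEXITED(status)) {
        switch (WEXITSTATUS(status)) {
        case 0:  return 0;
        case 2:  return EPIPE;         /* 32 == EPIPE */
        default: return PROBE_ERROR;
        }
    }
    return PROBE_ERROR;
}

int main(void)
{
    int by_default = probe_dead_reader(0);
    int ignored    = probe_dead_reader(1);
    printf("default disposition: writer result %d (SIGPIPE is %d)\n",
           by_default, SIGPIPE);
    printf("SIGPIPE ignored:     writer result %d (EPIPE is %d)\n",
           ignored, EPIPE);
    return (by_default == SIGPIPE && ignored == EPIPE) ? 0 : 1;
}
```

The first run prints 13 (the writer died, which is what happened to PID 43924 above); the second prints 32, where the writer survives and can react to the error, for example by restarting its logger and reopening the pipe. A nawk script has no way to ignore SIGPIPE itself, so the practical options are to keep the reader alive or to run the pipeline under something that restarts it. Note what the truss does not show: it was attached to the writer, so it records only that the reader's end closed, not why. Attaching truss to the logger child (or checking what is scheduled at :00, :15, :30 and :45 on the failing partitions but not the good ones) is the next step for finding what removes the reader on the quarter hour.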