Operating Systems AIX auditing fails with SIGPIPE signal on 1/4 hour Post 86205 by reclspeak on Wednesday 12th of October 2005 04:35:48 AM
auditing fails with SIGPIPE signal on 1/4 hour

Hi folks,

Can anyone assist with pointers for the following snag?

We have a custom method (IBM-supplied) for running the audit subsystem on 5.1-07.

/etc/security/audit objects, events and config have been edited, and the /etc/security/audit/streamcmds contains the following routine;

/usr/sbin/auditstream user,config,mail,cron,SRC | /usr/sbin/auditpr -vhelRtcrpP | /etc/security/audit/tosyslog &

The "tosyslog" script is a nawk routine that combines the output from the pipe into a single syslog record;


---------------------------------------------------------
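#!/usr/bin/nawk -f
# Collapse each auditpr record (header line plus indented tail) into one syslog line.
BEGIN {
    # Column legend, logged once at startup.
    printf("%24s %8s %8s %13s Status Prog PID PPID: tail\n", "date",
           "login", "real", "Event") | "/usr/bin/logger -p local1.info -t AUDIT"
}

# Record header: any line starting with an uppercase letter. Reorder and hold it.
/^[A-Z]/ {
    line = 1
    head = sprintf("%s %s %2s %s %s %8s %8s %15s %4s %s %s %s",
                   $4, $5, $6, $7, $8, $2, $10, $1, $3, $9, $11, $12)
    next
}

# Indented tail line: only the first one after a header is logged with it.
/^[ \t]/ {
    if (line == 1) {
        sub("^[ \t]*", "")
        # local5 here; the legend above goes to local1.
        printf("%s: %s\n", head, $0) | "/usr/bin/logger -plocal5.info -t AUDIT"
        line = 0
    }
    next
}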
---------------------------------------------------------

The snag I have is that on certain partitions, BUT not all of them (although they are built from identical images), the audit subsystem croaks on the first 1/4 hour (:00, :15, :30, :45) after it is executed.

I think it dies with a SIGPIPE signal from the kernel due to a reader process not being available at the end of a pipe.

Running the audit processes and then attaching truss to any of the piped commands and end script reveals the following;

root@<server>:init.d> ./rc.audit start
Checking for log dir [ OK ]
Starting system audit module [ OK ]
Logging auditing subsystem startup to syslog [ OK ]
root@<server>:init.d> ps -edf | grep audit
root 16900 82366 1 15:02:05 pts/2 0:00 grep audit
root 43924 1 1 15:02:00 pts/2 0:00 /usr/bin/nawk -f /etc/security/audit/tosyslog
root 78326 43924 0 15:02:00 - 0:00 /usr/sbin/auditpr -vhelRtcrpP
root 87420 43924 0 15:02:00 - 0:00 /usr/sbin/auditstream user,config,mail,cron,SRC
root@cbhspr2:init.d> truss -p 43924
kwrite(7, " T u e O c t 1 1 1".., 114) = 114
...
kwrite(7, " T u e O c t 1 1 1".., 117) Err#32 EPIPE
Received signal #13, SIGPIPE [default]
*** process killed ***


I can't figure out why the SIGPIPE should be seen on the regular 1/4 hour, and why it should be seen only on certain (otherwise identical) partitions, and not others. I've compared the key files on the odd good servers with those that bomb, but there are no changes.

Any clues or pointers will be gratefully received (also posted on Tek-Tips but no responses).

Regards


recl
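
The failure mode in the truss trace above, reduced to its system calls, as an added example that is not part of the original post: a writer whose pipe reader has exited is killed by SIGPIPE under the default disposition, while with SIGPIPE ignored write() returns EPIPE and the writer can start a new reader and resend the record instead of losing it. The reader child is a constructed stand-in for logger, and `spawn_reader`, `run_writer` and the sample record are hypothetical names and data.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static const char REC[] = "AUDIT constructed sample record\n";

/* Stand-in for logger(1): alive=0 exits unread; alive=1 checks one record. */
static int spawn_reader(int alive, pid_t *pid) {
    int fds[2];
    char buf[sizeof REC];
    if (pipe(fds) < 0 || (*pid = fork()) < 0) return -1;
    if (*pid == 0) {
        close(fds[1]);
        if (!alive) _exit(0);
        ssize_t n = read(fds[0], buf, sizeof buf);
        _exit(n == (ssize_t)strlen(REC) && memcmp(buf, REC, n) == 0 ? 0 : 1);
    }
    close(fds[0]);
    return fds[1];                           /* write end kept by the writer */
}

/* Returns the signal that killed the writer (0 if none); *code = exit status. */
int run_writer(int ignore_sigpipe, int *code) {
    int st, fd;
    pid_t r, w = fork();
    if (w == 0) {
        signal(SIGPIPE, ignore_sigpipe ? SIG_IGN : SIG_DFL);
        if ((fd = spawn_reader(0, &r)) < 0) _exit(2);
        waitpid(r, NULL, 0);                 /* reader gone: no read end left */
        if (write(fd, REC, strlen(REC)) >= 0 || errno != EPIPE) _exit(3);
        close(fd);                           /* EPIPE seen: respawn and resend */
        if ((fd = spawn_reader(1, &r)) < 0) _exit(2);
        if (write(fd, REC, strlen(REC)) < 0) _exit(2);
        close(fd);
        _exit(waitpid(r, &st, 0) == r && WIFEXITED(st) && WEXITSTATUS(st) == 0 ? 0 : 2);
    }
    if (w < 0 || waitpid(w, &st, 0) < 0) return -1;
    *code = WIFEXITED(st) ? WEXITSTATUS(st) : -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;
}

int main(void) {
    int c0, c1, s0 = run_writer(0, &c0), s1 = run_writer(1, &c1);
    printf("SIGPIPE default: signal %d; ignored: signal %d, exit %d\n", s0, s1, c1);
    return 0;
}
```

Exit status 0 in the second case means the respawned reader received the record intact; the first case reproduces the "Received signal #13, SIGPIPE [default]" outcome.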
 
