10-12-2005
auditing fails with SIGPIPE signal on 1/4 hour
Hi folks,
Can anyone assist with pointers for the following snag?
We have a custom method (IBM-supplied) for running the audit subsystem on 5.1-07.
/etc/security/audit objects, events and config have been edited, and /etc/security/audit/streamcmds contains the following routine:
/usr/sbin/auditstream user,config,mail,cron,SRC | /usr/sbin/auditpr -vhelRtcrpP | /etc/security/audit/tosyslog &
The "tosyslog" script is a nawk routine that combines the output from the pipe into a single syslog record:
---------------------------------------------------------
#!/usr/bin/nawk -f
# Emit a one-line column header to syslog when the script starts
BEGIN {printf("%24s %8s %8s %13s Status Prog PID PPID: tail\n","date",
"login","real","Event") | "/usr/bin/logger -p local1.info -t AUDIT"}
# Audit record header line: keep the reordered fields and wait for its tail
/^[A-Z]/ {
line = 1;
head=sprintf("%s %s %2s %s %s %8s %8s %15s %4s %s %s %s",
$4,$5,$6,$7,$8,$2,$10, $1, $3,$9,$11,$12);
next}
# First indented continuation line: join it to the header and ship to syslog
/^[ \t]/ {
if (line==1) {sub("^[ \t]*","");
printf("%s: %s\n", head,$0)|"/usr/bin/logger -plocal5.info -t AUDIT"
line=0}
next; }
---------------------------------------------------------
The snag I have is that on certain partitions, BUT not all of them (although they are built from identical images), the audit subsystem croaks on the first 1/4 hour (:00, :15, :30, :45) after it is executed.
I think it dies with a SIGPIPE signal from the kernel due to a reader process not being available at the end of a pipe.
Running the audit processes and then attaching truss to any of the piped commands and the end script reveals the following:
root@<server>:init.d> ./rc.audit start
Checking for log dir [ OK ]
Starting system audit module [ OK ]
Logging auditing subsystem startup to syslog [ OK ]
root@<server>:init.d> ps -edf | grep audit
root 16900 82366 1 15:02:05 pts/2 0:00 grep audit
root 43924 1 1 15:02:00 pts/2 0:00 /usr/bin/nawk -f /etc/security/audit/tosyslog
root 78326 43924 0 15:02:00 - 0:00 /usr/sbin/auditpr -vhelRtcrpP
root 87420 43924 0 15:02:00 - 0:00 /usr/sbin/auditstream user,config,mail,cron,SRC
root@cbhspr2:init.d> truss -p 43924
kwrite(7, " T u e O c t 1 1 1".., 114) = 114
...
kwrite(7, " T u e O c t 1 1 1".., 117) Err#32 EPIPE
Received signal #13, SIGPIPE [default]
*** process killed ***
I can't figure out why the SIGPIPE should be seen on the regular 1/4 hour, and why it should be seen only on certain (otherwise identical) partitions and not others. I've compared the key files on the odd good servers with those that bomb, but there are no changes.
Any clues or pointers will be gratefully received (also posted on Tek-Tips but no responses).
Regards
recl
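Added example, not the poster's script or IBM's code: a Python re-implementation of the header/tail combining that tosyslog does, plus a writer that survives the logger reader disappearing instead of dying like the nawk process in the truss output (Python ignores SIGPIPE, so the failed write surfaces as BrokenPipeError/EPIPE). The sample auditpr lines and their field layout are constructed; `spawn_logger` assumes `/usr/bin/logger` with the flags from the post.

```python
import subprocess
import sys

# Constructed sample of auditpr -v output: a header line (starts with a capital
# letter) followed by indented "tail" lines. Field layout is illustrative only.
SAMPLE = [
    "USER_Login root Tue Oct 11 15:02:05 2005 OK login 12345 1 root",
    "        user: root tty: /dev/pts/2",
    "        (second tail line, dropped exactly as the nawk script drops it)",
    "CRON_Start root Tue Oct 11 15:15:00 2005 OK cron 23456 1 root",
    "        cron: job started",
]

def combine_records(lines):
    """Mirror the tosyslog nawk logic: join each header with its first tail line."""
    records, head = [], None
    for raw in lines:
        if raw[:1].isupper():               # /^[A-Z]/ : a new audit header
            head = raw.rstrip()
        elif raw[:1] in " \t" and head:     # /^[ \t]/ : first continuation line
            records.append(f"{head}: {raw.strip()}")
            head = None                     # later tail lines are ignored
    return records

class SyslogPipe:
    """Write records to a reader child; on EPIPE, respawn it and retry, and
    report the restart so a gap in the forwarded audit trail is visible."""
    def __init__(self, spawn, retries=1):
        self.spawn, self.retries = spawn, retries   # spawn() -> writable file
        self.out = spawn()
        self.restarts = 0

    def write(self, record):
        for _ in range(self.retries + 1):
            try:
                self.out.write(record + "\n")
                self.out.flush()
                return True
            except BrokenPipeError:         # reader went away: the post's Err#32
                self.restarts += 1
                sys.stderr.write(f"logger pipe broke, restarting ({self.restarts})\n")
                self.out = self.spawn()
        return False                        # caller decides how to raise the alarm

def spawn_logger(tag="AUDIT", priority="local5.info"):
    """Default reader: /usr/bin/logger with the same flags as the post's pipeline."""
    proc = subprocess.Popen(["/usr/bin/logger", "-p", priority, "-t", tag],
                            stdin=subprocess.PIPE, text=True)
    return proc.stdin
```

`SyslogPipe(spawn_logger).write(rec)` for each record from `combine_records` reproduces the original pipeline's behaviour, minus the silent death when logger exits.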