auditing fails with SIGPIPE signal on 1/4 hour


reclspeak

IS-IT--Management
Dec 6, 2002
Hi folks,

Can anyone assist with pointers for the following snag?

We have a custom method (IBM-supplied) for running the audit subsystem on 5.2.

/etc/security/audit objects, events and config have been edited, and the /etc/security/audit/streamcmds contains the following routine;

/usr/sbin/auditstream user,config,mail,cron,SRC | /usr/sbin/auditpr -vhelRtcrpP | /etc/security/audit/tosyslog &

The "tosyslog" script is a nawk routine that combines the output from the pipe into a single syslog record;


---------------------------------------------------------
#!/usr/bin/nawk -f
# Header record: written once, at startup, to syslog via logger
BEGIN {printf("%24s %8s %8s %13s Status Prog PID PPID: tail\n","date",
"login","real","Event") | "/usr/bin/logger -p local1.info -t AUDIT"}

# A line starting with a capital letter is the auditpr header record:
# remember its fields and wait for the continuation line that follows
/^[A-Z]/ {
line = 1;
head=sprintf("%s %s %2s %s %s %8s %8s %15s %4s %s %s %s",
$4,$5,$6,$7,$8,$2,$10, $1, $3,$9,$11,$12);
next}

# An indented line is the tail of the record: emit header and tail as one
# syslog record through a second (persistent) logger pipe
/^[ \t]/ {
if (line==1) {sub("^[ \t]*","");
printf("%s: %s\n", head,$0)|"/usr/bin/logger -plocal5.info -t AUDIT"
line=0}
next; }
---------------------------------------------------------

The snag I have is that on certain partitions, BUT not all of them (although they are built from identical images), the audit subsystem croaks on the first 1/4 hour (:00, :15, :30, :45) after it is executed.

I think it dies with a SIGPIPE signal from the kernel due to a reader process not being available at the end of a pipe.

Running the audit processes and then attaching truss to any of the piped commands and the end script reveals the following;

root@<server>:init.d> ./rc.audit start
Checking for log dir [ OK ]
Starting system audit module [ OK ]
Logging auditing subsystem startup to syslog [ OK ]
root@<server>:init.d> ps -edf | grep audit
root 16900 82366 1 15:02:05 pts/2 0:00 grep audit
root 43924 1 1 15:02:00 pts/2 0:00 /usr/bin/nawk -f /etc/security/audit/tosyslog
root 78326 43924 0 15:02:00 - 0:00 /usr/sbin/auditpr -vhelRtcrpP
root 87420 43924 0 15:02:00 - 0:00 /usr/sbin/auditstream user,config,mail,cron,SRC
root@cbhspr2:init.d> truss -p 43924
kwrite(7, " T u e O c t 1 1 1".., 114) = 114
...
kwrite(7, " T u e O c t 1 1 1".., 117) Err#32 EPIPE
Received signal #13, SIGPIPE [default]
*** process killed ***

I can't figure out why the SIGPIPE should be seen on the regular 1/4 hour, and why it should be seen only on certain (otherwise identical) partitions, and not others.

Any clues or pointers will be gratefully received.

Regards


recl
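The truss trace above shows the generic mechanism behind the failure: a write to a pipe whose reading end has been closed returns EPIPE, and a process that has not changed the default disposition of SIGPIPE is killed on that write. The following portable sh script is an added demonstration of that mechanism; it is not part of the thread and not IBM's code. It uses `head -n 1` as a constructed stand-in for a reader that goes away (the role logger plays at the far end of the nawk script's pipe) and a temporary file to carry the writer's status out of the pipeline, because `$?` after a pipeline only reports the last command. The second function shows what changes when the writer ignores SIGPIPE: the dead reader then surfaces as a failed write that the writer can detect and act on (for instance by re-opening its pipe) instead of a fatal signal.

```sh
#!/bin/sh
# Added demonstration of pipe-reader loss, written for POSIX sh.
# head -n 1 and the temp file are constructed stand-ins, not from the thread.

TMPFILE="${TMPDIR:-/tmp}/sigpipe_demo.$$"

# Exit status of a writer whose reader quits after one line.
# With SIGPIPE at its default disposition the writer is killed and the
# status is 128+13 = 141; if SIGPIPE was already ignored when the shell
# started, echo instead fails with EPIPE and the loop exits with 1.
writer_status() {
    (
        if ( while :; do echo "audit record" || exit 1; done ); then
            echo 0 > "$TMPFILE"
        else
            echo $? > "$TMPFILE"      # status of the killed/failed writer
        fi
    ) | head -n 1 > /dev/null
    status=$(cat "$TMPFILE")
    rm -f "$TMPFILE"
    echo "$status"
}

# Same scenario with SIGPIPE ignored in the writer: the write to the dead
# reader now comes back as a non-zero status from echo, so the writer can
# count it, stop cleanly and (in a real daemon) re-open its output.
# Prints "<successful writes> <failed writes>".
writes_until_reader_gone() {
    (
        trap '' PIPE                  # turn the fatal signal into an EPIPE error
        ok=0; fail=0; n=0
        while [ "$fail" -eq 0 ] && [ "$n" -lt 100000 ]; do
            if echo "audit record $n" 2> /dev/null; then
                ok=$((ok + 1))
            else
                fail=$((fail + 1))    # reader is gone; stop instead of dying
            fi
            n=$((n + 1))
        done
        echo "$ok $fail" > "$TMPFILE"
    ) | head -n 1 > /dev/null
    cat "$TMPFILE"
    rm -f "$TMPFILE"
}

# Stand-alone usage: show both behaviours.
echo "writer status with default SIGPIPE handling: $(writer_status)"
echo "ok/failed writes with SIGPIPE ignored: $(writes_until_reader_gone)"
```

In the thread's pipeline the writer on fd 7 is nawk and the reader is the logger process it spawned, so the same reasoning applies there: the EPIPE in the trace means that logger had exited, and nawk, with SIGPIPE at its default, was killed on the next record. Checking whether anything on the affected partitions restarts or signals syslog/logger at those quarter-hour marks is the kind of comparison the two functions above are meant to motivate.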