We have a platform running
[bern@smtpout01 ~]$ uname -rmi
3.10.0-327.10.1.el7.x86_64 x86_64 x86_64
[bern@smtpout01 ~]$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[bern@smtpout01 ~]$ getenforce
Enforcing
[root@smtpout01 ~]# grep '^[^#]*sbin' bin/Nagios-audit-State
KERNELPARAMS=`/sbin/auditctl -s | sed -e 's/ /=/' -e 's/ .*//' | tr '\n' ' '`
AUDITFILES="`LANG=C LC_TIME=C TZ=UTC /sbin/aureport --input-logs -t | grep ' - '`"
EVENTS=`/sbin/aureport --event --summary --interpret --input /var/log/audit/audit.log.1 | \
The problem is that the running auditd gets disconnected from its input, the kernel, as per the following log lines:
Mar 23 01:31:55 smtpout01 kernel: audit: *NO* daemon at audit_pid=3240
Mar 23 01:31:55 smtpout01 kernel: audit_log_lost: 186 callbacks suppressed
Mar 23 01:31:55 smtpout01 kernel: audit: audit_lost=962140 audit_rate_limit=0 audit_backlog_limit=320
Mar 23 01:31:55 smtpout01 kernel: audit: auditd disappeared
[bern@smtpout01 ~]$ ps auwwwx | grep auditd
root 137 0.0 0.0 0 0 ? S Mar04 0:53 [kauditd]
bern 899 0.0 0.0 112648 960 pts/0 R+ 12:18 0:00 grep --color=auto auditd
root 3240 0.0 0.0 116744 1572 ? S<sl Mar22 0:05 /sbin/auditd -n
Google pointed me at several sources from a couple of years ago suggesting that the "disappeared" detection is in fact a bit fickle, but so far I could not find instructions on how to verify that my systems do not have some other cause at work, or how often to expect this event to happen at random.
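One way to catch the state described above from a monitoring check, as an added example for this thread rather than the poster's Nagios-audit-State script: compare the pid the kernel reports in `auditctl -s` with the auditd processes actually running, since after "auditd disappeared" the kernel clears audit_pid while /sbin/auditd may still be alive. It assumes `auditctl -s` prints one "name value" line per field (the same layout the poster's sed pipeline parses); the sample status text is constructed.

```shell
# Added example (not the poster's script): Nagios-style auditd attachment check.
# Assumes `auditctl -s` prints one "name value" line per field.
# Exit codes follow Nagios: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.

# audit_field "<auditctl -s output>" <name>  -> prints that field's value
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_state "<auditctl -s output>" "<pids of running auditd>" [lost_threshold]
audit_state() {
    status="$1"; running="$2"; threshold="${3:-0}"
    kpid=$(audit_field "$status" pid)
    lost=$(audit_field "$status" lost)
    enabled=$(audit_field "$status" enabled)
    blimit=$(audit_field "$status" backlog_limit)
    if [ -z "$kpid" ] || [ -z "$lost" ]; then
        echo "UNKNOWN - cannot parse auditctl -s output"; return 3
    fi
    if [ "$enabled" != "1" ]; then
        echo "CRITICAL - auditing disabled (enabled=$enabled)"; return 2
    fi
    # After "auditd disappeared" the kernel resets audit_pid to 0 even though
    # the auditd process may still be alive, so a plain process check passes.
    if [ "$kpid" = "0" ]; then
        echo "CRITICAL - no daemon registered with kernel (pid=0), lost=$lost"; return 2
    fi
    match=0
    for p in $running; do
        if [ "$p" = "$kpid" ]; then match=1; fi
    done
    if [ "$match" -ne 1 ]; then
        echo "CRITICAL - kernel audit_pid=$kpid, running auditd: ${running:-none}"; return 2
    fi
    if [ "$lost" -gt "$threshold" ]; then
        echo "WARNING - auditd pid=$kpid attached, lost=$lost (backlog_limit=$blimit)"; return 1
    fi
    echo "OK - auditd pid=$kpid attached, lost=$lost, backlog_limit=$blimit"; return 0
}

# Constructed sample: `auditctl -s` as it would look on smtpout01 after the
# kernel logged "auditd disappeared" while /sbin/auditd (pid 3240) is still up.
SAMPLE_GONE=$(printf '%s\n' 'enabled 1' 'failure 1' 'pid 0' 'rate_limit 0' \
    'backlog_limit 320' 'lost 962140' 'backlog 0')
audit_state "$SAMPLE_GONE" "3240" || echo "exit code $?"
```

On a live host call it as `audit_state "$(/sbin/auditctl -s)" "$(pidof auditd)" 1000`, with the third argument being the number of lost events you are willing to tolerate before warning.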