Hello, I came into work this morning to find several of our servers had multiple instances of aide running (we generally run aide via cron once per hour and report results back via our monitoring system).

On one server (CentOS 5.5) 'ps' shows:

======================================================
root      1698  0.0  0.7 3123280 7276 ?        S    Aug03   0:10 /usr/sbin/aide --check
root      2366  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root      6565  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root      7469  0.0  0.7 3106892 7284 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     11359  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     11462  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     11968  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     16034  0.0  0.7 3106892 7284 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     16372  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     20482  0.0  0.6 3090372 7136 ?        S    Aug03   0:09 /usr/sbin/aide --check
root     21484  0.0  0.6 3090372 7136 ?        S    Aug03   0:09 /usr/sbin/aide --check
root     25337  0.0  0.6 3090372 7132 ?        S    Aug03   0:09 /usr/sbin/aide --check
root     25816  0.0  0.6 3090372 7136 ?        S    00:05   0:09 /usr/sbin/aide --check
root     25877  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     25885  0.0  0.7 3106872 7284 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     30098  0.0  0.6 3090372 7132 ?        S    Aug03   0:10 /usr/sbin/aide --check
root     30340  0.0  0.7 3106892 7280 ?        S    Aug03   0:10 /usr/sbin/aide --check
======================================================

Looking at another system (RHEL 5.5), and running gdb showed:

======================================================
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.1)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 5704
Reading symbols from /usr/sbin/aide...(no debugging symbols found)...done.
warning: .dynamic section for "/lib/libaudit.so.0" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
warning: .dynamic section for "/lib/libattr.so.1" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
warning: .dynamic section for "/usr/lib/libelf.so.1" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
warning: .dynamic section for "/usr/lib/libz.so.1" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
warning: .dynamic section for "/lib/libdl.so.2" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
warning: .dynamic section for "/lib/libsepol.so.1" is not at the expected address
warning: difference appears to be caused by prelink, adjusting expectations
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /usr/lib/libmhash.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libmhash.so.2
Reading symbols from /lib/libacl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libacl.so.1
Reading symbols from /lib/libselinux.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libselinux.so.1
Reading symbols from /lib/libaudit.so.0...(no debugging symbols found)...done.
Loaded symbols for /lib/libaudit.so.0
Reading symbols from /lib/libattr.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libattr.so.1
Reading symbols from /usr/lib/libelf.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libelf.so.1
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libsepol.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libsepol.so.1
0x00612402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00612402 in __kernel_vsyscall ()
#1  0x002e85b3 in __waitpid_nocancel () from /lib/libc.so.6
#2  0x00946704 in ?? ()
#3  0x00947dd6 in ?? ()
#4  0x00941f57 in ?? ()
#5  0x009418ac in ?? ()
#6  0x0094938d in ?? ()
#7  0x009357dd in main ()
(gdb) q
A debugging session is active.

        Inferior 1 [process 5704] will be detached.

Quit anyway? (y or n)
Detaching from program: /usr/sbin/aide, process 5704
======================================================

If I run an 'strace' on one of the processes it shows that it is waiting at 'waitpid'.

Some aide info is:

======================================================
Aide 0.14

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
======================================================

Anyone know a way around this problem (having multiple instances waiting)? Is it simply caused by the system 'prelink' cron job running perhaps at the same time as aide and causing a problem?

Thanks,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001
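
One way to stop hourly cron runs from stacking up while an earlier `aide --check` is still waiting, as an added example that is not part of the original post or of AIDE. It assumes `flock` (util-linux) and `timeout` (GNU coreutils) are installed; the lock path, the 3000-second limit and the `cron` argument are placeholders. It limits the pile-up only and does not address why the process blocks in `waitpid`.

```shell
#!/bin/sh
# Added example: cron wrapper that refuses to start a second integrity check
# while one is still running, and bounds how long a single run may take.
# Assumes flock(1) from util-linux and timeout(1) from GNU coreutils.

# run_exclusive LOCKFILE MAX_SECONDS COMMAND [ARGS...]
# Exit status: COMMAND's own status,
#              75  if another run still holds the lock (nothing is started),
#              124 if COMMAND ran longer than MAX_SECONDS (timeout's convention).
# The body is a subshell, so fd 9 and the variables vanish when it returns.
run_exclusive() (
    lockfile=$1
    max_seconds=$2
    shift 2

    # Open the lock file on fd 9 and try to take an exclusive lock without
    # blocking; a blocked wrapper would itself become one more waiting process.
    exec 9>"$lockfile" || exit 73
    flock -n 9 || exit 75

    # SIGTERM at the limit, SIGKILL 10 s later if the command ignores it.
    # fd 9 is closed for the command (9>&-) so that a helper it forks cannot
    # keep the lock alive after this wrapper has exited.
    timeout -k 10 "$max_seconds" "$@" 9>&-
)

# Cron entry point, used only when the script is called with the argument
# "cron". Path and limit below are placeholder values for an hourly schedule.
if [ "${1:-}" = "cron" ]; then
    run_exclusive /var/run/aide-check.lock 3000 /usr/sbin/aide --check
    rc=$?
    case $rc in
        75)  logger -t aide-cron "previous aide --check still running, run skipped" ;;
        124) logger -t aide-cron "aide --check exceeded time limit and was stopped" ;;
    esac
    exit "$rc"
fi
```

Reporting the 75 and 124 statuses to the monitoring system makes a skipped or stopped integrity check visible instead of silently missing.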
