On 12 October 2015, Atanas Vladimirov <vl...@bsdbg.net> wrote:
> On 11.10.2015 21:18, Theo de Raadt wrote:
> >> I rebuilt who(1) with DEBUG and added 'abort' in all pledge calls.
> >> Also I changed kern.nosuidcoredump=3 and made /var/crash/who but I
> >> can't find who.core.
> >> Meanwhile I got syscall 54 every 5 min. Is it possible for another
> >> process/daemon to generate these errors?
> >> How can I find it?
> >>
> >> ~$ tail /var/log/messages
> >> Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
> >> Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
> >> Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
> >> Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
> >> Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
> >> Oct 11 20:19:37 ns /bsd: who(8480): syscall 54
> >> Oct 11 20:24:37 ns /bsd: who(28849): syscall 54
> >> Oct 11 20:29:37 ns /bsd: who(11423): syscall 54
> >> Oct 11 20:34:37 ns /bsd: who(20946): syscall 54
> >
> > I have no explanation for this. You'll have to keep digging to find
> > it.
> I think that I found it - Nagios. Now the question is how to debug it
> further?

I get something similar without nagios:

$ grep syscall /var/log/messages
Oct 10 07:50:26 router /bsd: tty(2446): syscall 54
Oct 10 07:50:33 router /bsd: tty(29826): syscall 54
Oct 10 07:54:15 router /bsd: tty(10733): syscall 54
Oct 10 07:54:15 router /bsd: tty(19344): syscall 54
Oct 10 07:58:59 router /bsd: tty(5574): syscall 54
Oct 10 07:59:05 router /bsd: tty(14634): syscall 54
Oct 10 08:02:47 router /bsd: tty(12313): syscall 54
Oct 10 08:02:47 router /bsd: tty(5281): syscall 54
Oct 10 08:06:23 router /bsd: tty(9186): syscall 54
Oct 10 08:06:23 router /bsd: tty(9710): syscall 54
Oct 11 01:30:01 router /bsd: tty(6080): syscall 54
Oct 12 01:30:01 router /bsd: tty(15518): syscall 54
$ uname -a
OpenBSD router.lcd047.linkpc.net 5.8 GENERIC.MP#1449 amd64

I'd tentatively correlate most of them with login(1) run in a serial
console. But the last two entries seem to be triggered by /etc/daily.

Regards,

Liviu Daia
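
Added example, not part of either poster's message: one way to group the "syscall N" kernel lines quoted in this thread by host and program and test whether they recur at a fixed interval, which is what points at a scheduled caller such as a monitoring check. The names parse and summarize, the year 2015 (taken from the thread's date, since syslog omits it) and the 5-second tolerance are assumptions of this sketch.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Subset of the log lines quoted in the thread (syslog omits the year).
SAMPLE = """\
Oct 11 19:54:37 ns /bsd: who(5929): syscall 54
Oct 11 19:59:37 ns /bsd: who(6769): syscall 54
Oct 11 20:04:37 ns /bsd: who(13907): syscall 54
Oct 11 20:09:37 ns /bsd: who(27822): syscall 54
Oct 11 20:14:37 ns /bsd: who(25574): syscall 54
Oct 10 07:50:26 router /bsd: tty(2446): syscall 54
Oct 10 07:50:33 router /bsd: tty(29826): syscall 54
Oct 10 07:54:15 router /bsd: tty(10733): syscall 54
Oct 10 07:54:15 router /bsd: tty(19344): syscall 54
Oct 11 01:30:01 router /bsd: tty(6080): syscall 54
""".splitlines()

# Format seen in the thread: "<date> <host> /bsd: <prog>(<pid>): syscall <n>"
LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) /bsd: (\S+)\((\d+)\): syscall (\d+)$")

def parse(lines, year=2015):
    """Yield (host, program, syscall_no, timestamp); skip unrelated lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield m.group(2), m.group(3), int(m.group(5)), ts

def summarize(lines, year=2015, tolerance=5):
    """Per (host, program, syscall): event count and fixed period, if any."""
    groups = defaultdict(list)
    for host, prog, sysno, ts in parse(lines, year):
        groups[(host, prog, sysno)].append(ts)
    report = {}
    for key, stamps in sorted(groups.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if len(gaps) >= 3 else 0
        steady = mid > 0 and all(abs(g - mid) <= tolerance for g in gaps)
        report[key] = {"count": len(stamps), "period_s": int(mid) if steady else None}
    return report

if __name__ == "__main__":
    for (host, prog, sysno), info in summarize(SAMPLE).items():
        print(host, prog, f"syscall {sysno}", info)
```

A steady period_s (300 seconds for the who entries) is a cue to compare against cron tables and monitoring check intervals; None, as for the tty entries, fits interactive or irregular triggers.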