
satyajitg2's profile - activity

2016-07-21 01:55:17 -0600 asked a question Restarting auditd from its dispatcher

Hi, I would like to issue a restart from inside the dispatcher program that runs within the auditd subsystem. So the entry in the file below will have something like:

/etc/audit/auditd.conf

..
dispatcher = /usr/sbin/MyOwnDispatcher
...

I have tried implementing a fork/exec in MyOwnDispatcher and it runs a child process. The child is able to issue "service auditd restart" but it gets killed before the restart is done (including auditd); MyOwnDispatcher exits gracefully after the fork.

This is my child process.

#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Ignore SIGTERM, SIGHUP and SIGINT so a plain service stop does not end the child.
 * SIGKILL cannot be ignored, so this does not survive systemd's stop-sigkill phase. */
static void ignoreSignal(void)
{
    signal(SIGTERM, SIG_IGN);
    signal(SIGHUP, SIG_IGN);
    signal(SIGINT, SIG_IGN);
}

/* Scan /proc for a process whose argv[0] equals name; return its pid or -1 */
pid_t proc_find(const char* name)
{
    DIR* dir;
    struct dirent* ent;
    char* endptr;
    char buf[512];

    if (!(dir = opendir("/proc"))) {
        perror("can't open /proc");
        return -1;
    }

    while ((ent = readdir(dir)) != NULL) {
        /* if endptr is not a null character, the directory is not
         * entirely numeric, so ignore it */
        long lpid = strtol(ent->d_name, &endptr, 10);
        if (*endptr != '\0') {
            continue;
        }

        /* try to open the cmdline file */
        snprintf(buf, sizeof(buf), "/proc/%ld/cmdline", lpid);
        FILE* fp = fopen(buf, "r");

        if (fp) {
            if (fgets(buf, sizeof(buf), fp) != NULL) {
                /* cmdline is NUL-separated, so buf already holds argv[0] as a C string;
                 * strtok returns the first token (the program name) or NULL if empty */
                char* first = strtok(buf, " ");
                if (first && !strcmp(first, name)) {
                    fclose(fp);
                    closedir(dir);
                    return (pid_t)lpid;
                }
            }
            fclose(fp);
        }
    }

    closedir(dir);
    return -1;
}

int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    /* detach from the dispatcher's session; setsid() already makes this process
     * the leader of a new session and process group */
    setsid();
    pid_t pid = getpid();
    setpgid(pid, pid);

    ignoreSignal(); /* Ignore SIGTERM, SIGHUP, SIGINT */

    system("service auditd restart");
    sleep(5);

    /* keep retrying until either the dispatcher or auditd is running again */
    while (1) {
        if ((proc_find("/usr/sbin/MyOwnDispatcher") == -1) && (proc_find("/sbin/auditd") == -1)) {
            system("service auditd restart");
            sleep(5);
        } else {
            printf("Break\n");
            break;
        }
    }
    printf("Exit now\n");
    return 0;
}

Can someone suggest the right approach? Appreciate your response. Thank you.

2016-07-19 20:57:11 -0600 commented question auditd fails to restart and also takes time to stop

Thank you florian and bitwiseoperator.

2016-07-19 20:57:04 -0600 commented question auditd fails to restart and also takes time to stop

Yes you are correct. I am restarting auditd from within my own dispatcher. Steps - 1. forking a process in my dispatcher (this one will exit after fork gracefully) 2. I issue "service auditd restart" from the forked child process. The restart works and my dispatcher starts again but it takes a while for auditd to die in the first place. Restarting has issues in RHEL 7.2, if you do a fresh "service auditd restart" from console if auditd is already running, then the dispatcher starts before auditd dies and restarts. This does not happen in RHEL 7. I noticed a change in -9 second delay in script

2016-07-18 20:50:14 -0600 asked a question auditd fails to restart and also takes time to stop

The auditd service does not restart as expected and takes a long time to stop when it does. I can see in the systemd journal logs that at the end systemd has to issue a kill signal to stop it forcefully. I need auditd to restart as soon as possible when I issue a restart from my program.

Also, in RHEL 7.2 systemd doesn't wait for auditd to stop before it moves ahead with the next steps in the auditd restart process.

Can someone explain the stopping requirements for auditd and a better way to do so if I want to? Thank you.

Sharing systemd Logs during the restart process:

Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting.
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: Child 25498 belongs to auditd.service
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service: main process exited, code=exited, status=0/SUCCESS
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Trying to enqueue job auditd.service/start/replace
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Installed new job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Enqueued job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.

Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: cgroup is empty
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Unit auditd.service entered failed state.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service failed.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/auditd -n
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/auditd as 29427
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/augenrules --load
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/augenrules as 29428
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed failed -> start-post
Jul 19 15:56:08 VMRHEL72X64 systemd[29427]: Executing: /sbin/auditd -n
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Starting Security Auditing Service...
Jul 19 15:56:08 VMRHEL72X64 systemd[29428]: Executing: /sbin/augenrules --load
Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Warning - freq is non-zero and incremental flushing not selected.
Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Started dispatcher: /usr/sbin/MYDISPATCHER pid: 29430
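As an added example (not from the question or from the audit project), a small Python checker that follows auditd.service through the systemd state transitions in the journal quoted above and flags the unclean stop: the move from stop-sigterm to stop-sigkill and failed, the child processes systemd reaped while the unit sat in stop-sigkill (that is, processes still inside the auditd.service cgroup when SIGKILL went out), and the gap between auditd announcing its exit and the new dispatcher starting. The sample journal is a trimmed copy of the lines above; the regexes assume the default short-iso-less syslog layout shown there.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the journal lines quoted in the question above.
SAMPLE_JOURNAL = """\
Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting.
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed
Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Started dispatcher: /usr/sbin/MYDISPATCHER pid: 29430
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
TRANSITION_RE = re.compile(r"^auditd\.service changed (\S+) -> (\S+)$")
CHILD_RE = re.compile(r"^Child (\d+) belongs to auditd\.service$")
DISPATCHER_RE = re.compile(r"^Started dispatcher: (\S+) pid: (\d+)$")


def analyze_auditd_restart(journal_text):
    """Follow auditd.service through its systemd states and flag an unclean stop."""
    report = {"transitions": [], "sigkilled_children": [], "unclean_stop": False,
              "dispatcher": None, "restart_gap_seconds": None}
    state, exiting_at = None, None
    for line in journal_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, proc, msg = m.groups()
        if proc == "auditd" and msg == "The audit daemon is exiting.":
            exiting_at = datetime.strptime(ts, "%b %d %H:%M:%S")
        t = TRANSITION_RE.match(msg)
        if t:
            state = t.group(2)
            report["transitions"].append((t.group(1), state))
            if state in ("stop-sigkill", "failed"):  # SIGTERM alone was not enough
                report["unclean_stop"] = True
        c = CHILD_RE.match(msg)
        if c and state == "stop-sigkill":
            # reaped while in stop-sigkill: still in the unit's cgroup when SIGKILL went out
            report["sigkilled_children"].append(int(c.group(1)))
        d = DISPATCHER_RE.match(msg)
        if d:
            report["dispatcher"] = (d.group(1), int(d.group(2)))
            if exiting_at is not None:
                started = datetime.strptime(ts, "%b %d %H:%M:%S")
                report["restart_gap_seconds"] = (started - exiting_at).total_seconds()
    return report
```

Run against the sample it reports a 90 second gap with the audit daemon gone, which is the coverage window a defender cares about; feed it `journalctl -u auditd.service` output to check a real host.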