[Aide] Aide 0.14 - prelink problem?

John Horne john.horne at plymouth.ac.uk
Wed Aug 4 13:46:47 EEST 2010


Hello,

I came into work this morning to find several of our servers had
multiple instances of aide running (we generally run aide via cron once
per hour and report results back via our monitoring system).

On one server (CentOS 5.5) 'ps' shows:

======================================================
root  1698  0.0  0.7 3123280 7276 ? S Aug03 0:10 /usr/sbin/aide --check
root  2366  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root  6565  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root  7469  0.0  0.7 3106892 7284 ? S Aug03 0:10 /usr/sbin/aide --check
root 11359  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root 11462  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root 11968  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root 16034  0.0  0.7 3106892 7284 ? S Aug03 0:10 /usr/sbin/aide --check
root 16372  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root 20482  0.0  0.6 3090372 7136 ? S Aug03 0:09 /usr/sbin/aide --check
root 21484  0.0  0.6 3090372 7136 ? S Aug03 0:09 /usr/sbin/aide --check
root 25337  0.0  0.6 3090372 7132 ? S Aug03 0:09 /usr/sbin/aide --check
root 25816  0.0  0.6 3090372 7136 ? S 00:05 0:09 /usr/sbin/aide --check
root 25877  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
root 25885  0.0  0.7 3106872 7284 ? S Aug03 0:10 /usr/sbin/aide --check
root 30098  0.0  0.6 3090372 7132 ? S Aug03 0:10 /usr/sbin/aide --check
root 30340  0.0  0.7 3106892 7280 ? S Aug03 0:10 /usr/sbin/aide --check
======================================================


Looking at another system (RHEL 5.5), and running gdb showed:

======================================================
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.1)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 5704
Reading symbols from /usr/sbin/aide...(no debugging symbols
found)...done.

warning: .dynamic section for "/lib/libaudit.so.0" is not at the
expected address

warning: difference appears to be caused by prelink, adjusting
expectations

warning: .dynamic section for "/lib/libattr.so.1" is not at the expected
address

warning: difference appears to be caused by prelink, adjusting
expectations

warning: .dynamic section for "/usr/lib/libelf.so.1" is not at the
expected address

warning: difference appears to be caused by prelink, adjusting
expectations

warning: .dynamic section for "/usr/lib/libz.so.1" is not at the
expected address

warning: difference appears to be caused by prelink, adjusting
expectations

warning: .dynamic section for "/lib/libdl.so.2" is not at the expected
address

warning: difference appears to be caused by prelink, adjusting
expectations

warning: .dynamic section for "/lib/libsepol.so.1" is not at the
expected address

warning: difference appears to be caused by prelink, adjusting
expectations
Reading symbols from /lib/libm.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /usr/lib/libmhash.so.2...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libmhash.so.2
Reading symbols from /lib/libacl.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libacl.so.1
Reading symbols from /lib/libselinux.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libselinux.so.1
Reading symbols from /lib/libaudit.so.0...(no debugging symbols
found)...done.
Loaded symbols for /lib/libaudit.so.0
Reading symbols from /lib/libattr.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libattr.so.1
Reading symbols from /usr/lib/libelf.so.1...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libelf.so.1
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/libc.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libdl.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libsepol.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libsepol.so.1
0x00612402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00612402 in __kernel_vsyscall ()
#1  0x002e85b3 in __waitpid_nocancel () from /lib/libc.so.6
#2  0x00946704 in ?? ()
#3  0x00947dd6 in ?? ()
#4  0x00941f57 in ?? ()
#5  0x009418ac in ?? ()
#6  0x0094938d in ?? ()
#7  0x009357dd in main ()
(gdb) q
A debugging session is active.

        Inferior 1 [process 5704] will be detached.

Quit anyway? (y or n) Detaching from program: /usr/sbin/aide, process
5704
======================================================


If I run an 'strace' on one of the processes it shows that it is waiting
at 'waitpid'.

Some aide info is:

======================================================
Aide 0.14

Compiled with the following options:

WITH_MMAP
WITH_POSIX_ACL
WITH_SELINUX
WITH_PRELINK
WITH_XATTR
WITH_LSTAT64
WITH_READDIR64
WITH_ZLIB
WITH_MHASH
WITH_AUDIT
CONFIG_FILE = "/etc/aide.conf"
======================================================



Anyone know a way around this problem (having multiple instances
waiting)? Is it simply caused by the system 'prelink' cron job running
perhaps at the same time as aide and causing a problem?



Thanks,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001
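
The pile-up reported above can be caught from the monitoring side by flagging any `aide --check` process that has outlived the hourly cron interval. The following is an added example, not part of the original post or of AIDE itself. The function name `stale_aide`, the one-hour threshold and the sample elapsed times are assumptions, and the input is assumed to be the output of `ps -eo pid,etime,args`.

```shell
#!/bin/sh
# Added example: list "aide --check" processes older than a threshold.
# Live use (assumed invocation):  ps -eo pid,etime,args | stale_aide 3600

# stale_aide MAX_SECS
#   Reads `ps -eo pid,etime,args` lines on stdin and prints "PID AGE_SECS"
#   for every /usr/sbin/aide --check process older than MAX_SECS.
stale_aide() {
    awk -v max="$1" '
    # Convert the ps ELAPSED format [[dd-]hh:]mm:ss to seconds.
    function secs(t,    d, n, p, dash) {
        d = 0
        dash = index(t, "-")
        if (dash) {
            d = substr(t, 1, dash - 1)
            t = substr(t, dash + 1)
        }
        n = split(t, p, ":")
        if (n == 3)
            return d * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
        return d * 86400 + p[1] * 60 + p[2]
    }
    # Match only the command line seen in the ps listing from the post.
    $3 == "/usr/sbin/aide" && $4 == "--check" {
        age = secs($2)
        if (age > max)
            print $1, age
    }'
}

# Constructed sample input (elapsed times are made up for illustration):
# three runs left over from earlier hours, one current run, one unrelated process.
SAMPLE_PS='  PID     ELAPSED COMMAND
 1698    14:46:40 /usr/sbin/aide --check
 2366    13:46:41 /usr/sbin/aide --check
25816    08:41:12 /usr/sbin/aide --check
 4242       00:37 /usr/sbin/aide --check
 3001  2-01:02:03 /usr/sbin/sshd'

# With an hourly cron job, anything older than 3600 s overlaps the next run.
printf '%s\n' "$SAMPLE_PS" | stale_aide 3600
```

Any output from the function means at least one earlier run never finished, which is the condition worth alerting on before the instances accumulate.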

