重新启动 auditd 导致 audispd reconfigure 无限循环

tag-icon tag-icon auditd
重新启动 auditd 导致 audispd reconfigure 无限循环

作为日志文件轮换的一部分,我们每晚 11:45 都会重启 Debian jessie 上的部分服务。我们重启的服务中包括该auditd服务。我们有时会看到它audispd在重启时进入无限重新配置循环:

2018-03-29T23:45:01.618252-07:00 ldap-uat0 auditd[4739]: config change requested by pid=4066 auid=0 subj=?
2018-03-29T23:45:01.618454-07:00 ldap-uat0 auditd[4739]: audit(1522392301.618:9498) config changed, auid=0 pid=4066 subj=? res=success
2018-03-29T23:45:01.618782-07:00 ldap-uat0 audispd: priority_boost_parser called with: 4
2018-03-29T23:45:01.618963-07:00 ldap-uat0 audispd: max_restarts_parser called with: 10
2018-03-29T23:45:01.619129-07:00 ldap-uat0 audispd: Starting reconfigure
2018-03-29T23:45:03.512051-07:00 ldap-uat0 audispd: plugin /usr/sbin/audisp-simplify terminated unexpectedly
2018-03-29T23:45:03.512250-07:00 ldap-uat0 audispd: plugin /usr/sbin/audisp-simplify has exceeded max_restarts
2018-03-29T23:45:03.512833-07:00 ldap-uat0 audispd: plugin /usr/sbin/audisp-simplify was restarted
2018-03-29T23:45:03.617736-07:00 ldap-uat0 auditd[4739]: config change requested by pid=4066 auid=0 subj=?
2018-03-29T23:45:03.617987-07:00 ldap-uat0 auditd[4739]: audit(1522392303.617:276) config changed, auid=0 pid=4066 subj=? res=success
2018-03-29T23:45:05.621950-07:00 ldap-uat0 audispd: priority_boost_parser called with: 4
2018-03-29T23:45:05.622391-07:00 ldap-uat0 audispd: max_restarts_parser called with: 10
2018-03-29T23:45:05.622774-07:00 ldap-uat0 audispd: Starting reconfigure
2018-03-29T23:45:05.623301-07:00 ldap-uat0 audispd: priority_boost_parser called with: 4
2018-03-29T23:45:05.623593-07:00 ldap-uat0 audispd: max_restarts_parser called with: 10
2018-03-29T23:45:05.623892-07:00 ldap-uat0 audispd: Starting reconfigure

有三条线

2018-03-29T23:45:05.622774-07:00 ldap-uat0 audispd: Starting reconfigure
2018-03-29T23:45:05.623301-07:00 ldap-uat0 audispd: priority_boost_parser called with: 4
2018-03-29T23:45:05.623593-07:00 ldap-uat0 audispd: max_restarts_parser called with: 10

一直重复,直到磁盘填满。

配置audisp如下/etc/audisp/audispd.conf

q_depth = 32767
overflow_action = IGNORE
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME

答案1

我们通过重新启动 auditd 服务命令解决了该问题:systemctl 重启 auditd

相关内容