aide process is hanging



silviana
21-Feb-2013, 08:28
I am not that familiar with aide, and I am finding it difficult to troubleshoot.

I have a problem regarding the aide process: /usr/bin/aide is hanging in Linux. This process sent an accumulation of mail to root, which resulted in full memory.
A low memory alarm appears to have been caused by an accumulation of /usr/bin/aide processes which have been unable to exit.
The process is launched by an unknown method every night and takes some time to run, usually resulting in a very large output, which is then mailed to root.
The mail is too large and is dropped, and aide does not exit.
My temporary remedy is to kill the aide process using the command kill -9 PID.
But when we kill the process, aide is still running with a new PID; we want to avoid killing the process every time we log in.
Below is the log when aide is running.


MDRmspTS03:~ # ps -ef | grep -i aide
root 10631 1 0 02:00 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 10632 10631 5 02:00 ? 00:05:05 /usr/bin/aide --check -V
root 10634 10631 0 02:00 ? 00:00:00 /bin/mail -s Aide daily run root
root 13828 1 0 Feb13 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 13830 13828 0 Feb13 ? 00:04:31 /usr/bin/aide --check -V
root 13831 13828 0 Feb13 ? 00:00:00 /bin/mail -s Aide daily run root
root 26896 26849 0 03:28 pts/4 00:00:00 grep -i aide
root 28730 1 0 Feb14 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
root 28732 28730 0 Feb14 ? 00:05:08 /usr/bin/aide --check -V
root 28734 28730 0 Feb14 ? 00:00:00 /bin/mail -s Aide daily run root


Below is the crontab for the aide process, but we did not save it in crontab, so it should not be sending the mail to root.


MDRmspTS03:/etc/cron.d # more aide
RUN_FROM_CRON=yes
0 2 * * * root test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &


Below is the linux version.


MDRmspTS03:~ # uname -a
Linux MDRmspTS03 2.6.27.19-5-default #1 SMP 2009-02-28 04:40:21 +0100 x86_64 x86_64 x86_64 GNU/Linux
MDRmspTS03:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0


And below is the aide version.


MDRmspTS01:/etc # rpm -qi aide
Name : aide Relocations: (not relocatable)
Version : 0.13.1 Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release : 40.14 Build Date: Mon 23 Feb 2009 18:57:42 UTC
Install Date: Mon 20 Jun 2011 18:56:47 UTC Build Host: Super-Pinguine
Group : Productivity/Security Source RPM: aide-0.13.1-40.14.src.rpm
Size : 274230 License: GPL v2 or later
Signature : RSA/8, Mon 23 Feb 2009 18:57:48 UTC, Key ID e3a5c360307e3d54
Packager : http://bugs.opensuse.org
URL : http://sourceforge.net/projects/aide/
Summary : Advanced Intrusion Detection Environment
Description :
AIDE is an intrusion detection system that checks file integrity.


Below is the configuration of aide


MDRmspTS03:/etc # more aide.conf
#
# Based on the Example AIDE Config by Matthias G. Eckermann <mge@suse.de>
#

#
# Configuration parameters
#
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
verbose=1
report_url=stdout
warn_dead_symlinks=yes

#
# Custom rules
#
Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
Logs = p+i+n+u+g+S
Devices = p+n+u+g+s+b+md5+sha1
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

# Added to ignore check script changes + more permissive /var/log
ConfFiles2 = p+n+u+g+s+b+md5+sha1
Databases2 = p+n+u+g+ANF
Logs2 = p+n+u+g+ANF+ARF
Logs3 = p+n+ANF+ARF

#
# Directories and files
#
# Kernel, system map, etc.
/boot Binlib

# watch config files, but exclude, what changes at boot time, ...
!/etc/mtab
!/etc/lvm
/etc/adjtime Databases

# Special treatment for some files altered by check.sh
/etc/passwd$ ConfFiles2
/etc/group$ ConfFiles2
/etc/security$ StaticDir
/etc/security/opasswd$ Databases
/etc/security/opasswd\.old$ Databases2
/etc/shadow$ ConfFiles2
/etc/group\.old$ Databases2
/etc/passwd\.old$ Databases2
/etc/shadow\.old$ Databases2
/etc/passwd\.backup$ Databases2
/etc/shadow\.backup$ Databases2
/etc$ StaticDir
/etc ConfFiles

# Binaries
/bin Binlib
/sbin Binlib

# Libraries
/lib Binlib

# Complete /usr and /opt
/usr Binlib
/opt Binlib

# Log files
/var/log$ StaticDir
/var/log/ Logs2

# Devices
!/dev/pts
!/dev/bus
!/dev/\.udev
!/dev/vcs
!/dev/shm/sysconfig
/dev/log$ p+n+u+g
/dev$ StaticDir
/dev Devices

# Other miscellaneous files
/var/run$ StaticDir
!/var/run/
/var/lib Databases

# Test only the directory when dealing with /proc
/proc$ StaticDir
!/proc

# Oracle files
/opt/oracle/diag/rdbms/miepdb/MIEPDB Logs2
/opt/oracle/admin/MIEPDB/adump Logs2
/opt/oracle/11\.1\.0/dbs Logs2
/opt/oracle/diag$ StaticDir
/opt/oracle/11\.1\.0/log/diag/ Logs2

# MIEP files
/var/log/miep/ Logs3
/opt/miep[^/]*/conf/config.xml$ Databases
/opt/miep[^/]*/dbRuntimeBackup/ Logs2
/opt/miep[^/]*/shm$ StaticDir
!/opt/miep[^/]*/shm/[^/]*_shm$
!/opt/sentinel
!/opt/apache/conf/pipsw\.dir$
!/opt/apache/conf/pipsw\.pag$
/opt/tomcat/logs$ StaticDir
/opt/tomcat/logs/ Logs2
/opt/tomcat/conf$ StaticDir
/opt/tomcat/conf/ Logs2


My preference is not to kill the hung aide process every time we log in, and to find out the root cause.
So can we tune aide to produce less output data? Or simply not mail it to root every day? Because this aide mail sent to root is not being read by anyone.
Could you please advise a solution that does not require me to kill the process every time we log in?
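An added example, not part of silviana's post and not the SUSE aide package's own script: a wrapper that could replace the command in /etc/cron.d/aide. Two details in the post matter here. First, files in /etc/cron.d are read by cron whether or not anything was saved in root's crontab, which is why the job fires at 02:00 every night. Second, the cron line pipes the whole report straight into /bin/mail; if /bin/mail stops reading (each mail process in the ps listing is still alive with no CPU time), aide blocks on the pipe once its buffer fills, which would explain why a fresh sh/aide/mail triple is left behind every night. The wrapper writes the full report to a file, mails only a bounded summary, refuses to start while a previous run still holds a lock, and ends a run that exceeds a time budget. It also drops the bare -V, which raises AIDE's verbosity above the verbose=1 set in aide.conf (command-line options override the config file) and is a plausible source of the oversized report. The paths under /var/log/aide and /var/run, the line and time limits, the function names and the sample report text are all assumptions; the sample is constructed to resemble an AIDE --check report and was not captured from the host.

```shell
#!/bin/sh
# aide-check: hypothetical replacement for the command in /etc/cron.d/aide
# (added example, not the SUSE aide package's own script): full report to a
# file, bounded summary by mail, a lock against overlapping runs, a watchdog.

AIDE_BIN=${AIDE_BIN:-/usr/bin/aide}
REPORT_DIR=${REPORT_DIR:-/var/log/aide}         # assumption: where full reports live
LOCK_DIR=${LOCK_DIR:-/var/run/aide-check.lock}  # assumption: mkdir-based lock path
MAX_SECONDS=${MAX_SECONDS:-7200}                # assumption: time budget for one check
MAX_LINES=${MAX_LINES:-200}                     # assumption: cap on mailed report lines
MAIL_TO=${MAIL_TO:-root}

# mkdir is atomic: it either creates the lock directory or fails, so two
# runs can never both believe they hold the lock.
acquire_lock() { mkdir "$LOCK_DIR" 2>/dev/null; }
release_lock() { rmdir "$LOCK_DIR" 2>/dev/null; }

# run_with_limit SECONDS CMD...: run CMD; a watchdog sends SIGTERM after
# SECONDS, so a stuck check exits 143 instead of living on forever.
run_with_limit() {
    limit=$1; shift
    "$@" &
    pid=$!
    ( sleep "$limit" && kill "$pid" ) </dev/null >/dev/null 2>&1 &
    watchdog=$!
    wait "$pid"
    rc=$?
    kill "$watchdog" 2>/dev/null || true
    return "$rc"
}

# count_changes REPORT: "added=A changed=C removed=R", counted from the
# per-file lines of the report (assumes the added:/changed:/removed: prefixes).
count_changes() {
    f=$1
    a=$(grep -c '^added: ' "$f" || true)
    c=$(grep -c '^changed: ' "$f" || true)
    r=$(grep -c '^removed: ' "$f" || true)
    echo "added=$a changed=$c removed=$r"
}

# build_summary REPORT MAX_LINES RC: mail body of bounded size; a header,
# at most MAX_LINES report lines, and a pointer to the rest on disk.
build_summary() {
    f=$1; max=$2; rc=$3
    total=$(wc -l <"$f" | tr -d ' ')
    echo "AIDE check exit status: $rc"
    echo "Full report: $f ($total lines)"
    echo "Changes: $(count_changes "$f")"
    echo
    head -n "$max" "$f"
    if [ "$total" -gt "$max" ]; then
        echo
        echo "[truncated: $((total - max)) more lines in $f]"
    fi
}

# aide_daily_check: cron entry point. No -V on the command line, so the
# verbose= value in aide.conf decides how much the report contains.
aide_daily_check() {
    mkdir -p "$REPORT_DIR" || return 1
    if ! acquire_lock; then
        logger -t aide-check "previous run still holds $LOCK_DIR; not starting another"
        return 2
    fi
    report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).txt"
    run_with_limit "$MAX_SECONDS" "$AIDE_BIN" --check >"$report" 2>&1
    rc=$?
    release_lock
    build_summary "$report" "$MAX_LINES" "$rc" |
        /bin/mail -s "Aide daily run on $(hostname): $(count_changes "$report")" "$MAIL_TO"
}

# write_sample_report FILE: constructed text in the shape of an AIDE --check
# report (not captured from a real host), for exercising the functions above.
write_sample_report() {
    cat >"$1" <<'EOF'
AIDE found differences between database and filesystem!!
Summary:
  Total number of files:        48213
  Added files:                  2
  Removed files:                1
  Changed files:                1

Added files:
added: /var/log/miep/collector.log.1
added: /opt/tomcat/logs/catalina.2013-02-20.log

Removed files:
removed: /opt/tomcat/logs/catalina.2013-02-13.log

Changed files:
changed: /etc/passwd
EOF
}

if [ "${1:-}" = "run" ]; then
    aide_daily_check
fi
```

To wire it in, the script would be installed somewhere like /usr/local/sbin/aide-check (an assumption) and the line in /etc/cron.d/aide changed to `0 2 * * * root /usr/local/sbin/aide-check run`; the trailing `&` of the packaged line is unnecessary, since cron already runs each job in the background. A run that does get stuck now holds the lock, so the next night produces a single syslog line from logger instead of another set of processes, which is the cue to look at the report file and at the mail queue. If editing aide.conf is preferred over a wrapper, AIDE can also be told to write the report itself with `report_url=file:/var/log/aide/aide.report` in place of `report_url=stdout`, which takes /bin/mail out of aide's write path just the same.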

Automatic reply
28-Feb-2013, 14:30
silviana,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com