Thread: aide process is hanging

    I am not that familiar with aide, and I am finding it difficult to troubleshoot.

    I have a problem with the aide process: /usr/bin/aide is hanging on Linux. This process has been sending accumulated mail to root, which resulted in the memory filling up.
    A low memory alarm appears to have been caused by an accumulation of /usr/bin/aide processes which have been unable to exit.
    The process is launched by an unknown method every night and takes some time to run, usually producing a very large output, which is then mailed to root.
    The mail is too large and is dropped, and aide does not exit.
    My temporary remedy is to kill the aide process with the command kill -9 PID.
    But when we kill the process, aide is still running under a new PID; we want to avoid killing the process every time we log in.
    Below is the log while aide is running.

    MDRmspTS03:~ # ps -ef | grep -i aide
    root 10631 1 0 02:00 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
    root 10632 10631 5 02:00 ? 00:05:05 /usr/bin/aide --check -V
    root 10634 10631 0 02:00 ? 00:00:00 /bin/mail -s Aide daily run root
    root 13828 1 0 Feb13 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
    root 13830 13828 0 Feb13 ? 00:04:31 /usr/bin/aide --check -V
    root 13831 13828 0 Feb13 ? 00:00:00 /bin/mail -s Aide daily run root
    root 26896 26849 0 03:28 pts/4 00:00:00 grep -i aide
    root 28730 1 0 Feb14 ? 00:00:00 /bin/sh -c test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
    root 28732 28730 0 Feb14 ? 00:05:08 /usr/bin/aide --check -V
    root 28734 28730 0 Feb14 ? 00:00:00 /bin/mail -s Aide daily run root
    Below is the crontab for the aide process, but we did not save it in the crontab, so it should not be sending mail to root.

    MDRmspTS03:/etc/cron.d # more aide
    RUN_FROM_CRON=yes
    0 2 * * * root test -x /usr/bin/aide && /usr/bin/aide --check -V | /bin/mail -s 'Aide daily run' root &
    Below is the Linux version.

    MDRmspTS03:~ # uname -a
    Linux MDRmspTS03 2.6.27.19-5-default #1 SMP 2009-02-28 04:40:21 +0100 x86_64 x86_64 x86_64 GNU/Linux
    MDRmspTS03:~ # cat /etc/SuSE-release
    SUSE Linux Enterprise Server 11 (x86_64)
    VERSION = 11
    PATCHLEVEL = 0
    And below is the aide version.

    MDRmspTS01:/etc # rpm -qi aide
    Name : aide Relocations: (not relocatable)
    Version : 0.13.1 Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
    Release : 40.14 Build Date: Mon 23 Feb 2009 18:57:42 UTC
    Install Date: Mon 20 Jun 2011 18:56:47 UTC Build Host: Super-Pinguine
    Group : Productivity/Security Source RPM: aide-0.13.1-40.14.src.rpm
    Size : 274230 License: GPL v2 or later
    Signature : RSA/8, Mon 23 Feb 2009 18:57:48 UTC, Key ID e3a5c360307e3d54
    Packager : http://bugs.opensuse.org
    URL : http://sourceforge.net/projects/aide/
    Summary : Advanced Intrusion Detection Environment
    Description :
    AIDE is an intrusion detection system that checks file integrity.
    Below is the configuration of aide

    MDRmspTS03:/etc # more aide.conf
    #
    # Based on the Example AIDE Config by Matthias G. Eckermann <mge@suse.de>
    #

    #
    # Configuration parameters
    #
    database=file:/var/lib/aide/aide.db
    database_out=file:/var/lib/aide/aide.db.new
    verbose=1
    report_url=stdout
    warn_dead_symlinks=yes

    #
    # Custom rules
    #
    Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
    ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
    Logs = p+i+n+u+g+S
    Devices = p+n+u+g+s+b+md5+sha1
    Databases = p+n+u+g
    StaticDir = p+i+n+u+g
    ManPages = p+i+n+u+g+s+b+m+c+md5+sha1

    # Added to ignore check script changes + more permissive /var/log
    ConfFiles2 = p+n+u+g+s+b+md5+sha1
    Databases2 = p+n+u+g+ANF
    Logs2 = p+n+u+g+ANF+ARF
    Logs3 = p+n+ANF+ARF

    #
    # Directories and files
    #
    # Kernel, system map, etc.
    /boot Binlib

    # watch config files, but exclude, what changes at boot time, ...
    !/etc/mtab
    !/etc/lvm
    /etc/adjtime Databases

    # Special treatment for some files altered by check.sh
    /etc/passwd$ ConfFiles2
    /etc/group$ ConfFiles2
    /etc/security$ StaticDir
    /etc/security/opasswd$ Databases
    /etc/security/opasswd\.old$ Databases2
    /etc/shadow$ ConfFiles2
    /etc/group\.old$ Databases2
    /etc/passwd\.old$ Databases2
    /etc/shadow\.old$ Databases2
    /etc/passwd\.backup$ Databases2
    /etc/shadow\.backup$ Databases2
    /etc$ StaticDir
    /etc ConfFiles

    # Binaries
    /bin Binlib
    /sbin Binlib

    # Libraries
    /lib Binlib

    # Complete /usr and /opt
    /usr Binlib
    /opt Binlib

    # Log files
    /var/log$ StaticDir
    /var/log/ Logs2

    # Devices
    !/dev/pts
    !/dev/bus
    !/dev/\.udev
    !/dev/vcs
    !/dev/shm/sysconfig
    /dev/log$ p+n+u+g
    /dev$ StaticDir
    /dev Devices

    # Other miscellaneous files
    /var/run$ StaticDir
    !/var/run/
    /var/lib Databases

    # Test only the directory when dealing with /proc
    /proc$ StaticDir
    !/proc

    # Oracle files
    /opt/oracle/diag/rdbms/miepdb/MIEPDB Logs2
    /opt/oracle/admin/MIEPDB/adump Logs2
    /opt/oracle/11\.1\.0/dbs Logs2
    /opt/oracle/diag$ StaticDir
    /opt/oracle/11\.1\.0/log/diag/ Logs2

    # MIEP files
    /var/log/miep/ Logs3
    /opt/miep[^/]*/conf/config.xml$ Databases
    /opt/miep[^/]*/dbRuntimeBackup/ Logs2
    /opt/miep[^/]*/shm$ StaticDir
    !/opt/miep[^/]*/shm/[^/]*_shm$
    !/opt/sentinel
    !/opt/apache/conf/pipsw\.dir$
    !/opt/apache/conf/pipsw\.pag$
    /opt/tomcat/logs$ StaticDir
    /opt/tomcat/logs/ Logs2
    /opt/tomcat/conf$ StaticDir
    /opt/tomcat/conf/ Logs2
    My preference is not to kill the hung aide process every time we log in, but to find out the root cause.
    So can we tune aide to produce less output data, or simply not mail it to root every day? Because this aide mail sent to root is not being read by anyone.
    Could you please advise a solution that does not require me to kill the process every time we log in?
    Last edited by silviana; 21-Feb-2013 at 08:33.
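Editor's note with an added example (my own code, not from this thread, from SUSE's cron.d entry or from the aide project). Two things in the post are worth reading together. First, the ps listing shows three nights' worth of the same pipeline alive at once (the Feb13, Feb14 and 02:00 lines), each with an aide --check that has already burned several CPU-minutes and a /bin/mail sitting on the other end of the pipe; the file /etc/cron.d/aide is what starts them, since cron reads /etc/cron.d/ in addition to the crontabs, which is why the job runs even though nothing was added to a crontab. Second, the cron line passes -V to aide. In AIDE, -V is --verbose, and with no level given it selects the maximum verbosity (as I read the aide man page for that series; confirm with aide --help on the box), so it overrides the verbose=1 in aide.conf and produces the very large report. The wrapper below shows one way to restructure the nightly run so that a problem on the mail side can never keep aide alive: the report goes to a file rather than into a pipe, a lock refuses to start a second run while the previous one is still alive, mail is sent only when the check reports something, and the mail body is capped. Everything in it is an assumption of the example, not something the thread states: the paths are illustrative defaults, the summary text "AIDE found differences between database and filesystem!!" is what I expect a changed filesystem to print, and a non-zero aide exit status is treated as noteworthy (later AIDE releases encode new/removed/changed files and errors in it; 0.13.1 may simply return 0, which is why the report text is also inspected).

```shell
#!/bin/sh
# aide-daily.sh: added example replacement for the cron.d pipeline
#   aide --check -V | mail -s 'Aide daily run' root &
# Not SUSE's shipped cron entry and not AIDE's own code. Assumptions (not from the
# thread): the report can be written to a file and inspected afterwards; the line
# "AIDE found differences between database and filesystem!!" marks a changed
# filesystem; a non-zero exit status from aide is worth a mail. Paths are
# illustrative defaults and can be overridden through the environment.

AIDE_CMD="${AIDE_CMD:-/usr/bin/aide}"
AIDE_ARGS="${AIDE_ARGS:---check}"          # no -V here, so aide.conf's verbose= applies
REPORT_DIR="${REPORT_DIR:-/var/log/aide}"
LOCK_DIR="${LOCK_DIR:-/var/run/aide-daily.lock}"
MAILTO="${MAILTO:-root}"
MAIL_SUBJECT="${MAIL_SUBJECT:-Aide daily run}"
MAX_MAIL_LINES="${MAX_MAIL_LINES:-500}"    # never hand /bin/mail a multi-megabyte report
MAIL_SINK="${MAIL_SINK:-}"                 # dry run: append the mail body here instead of sending

# Take the lock with mkdir, which is atomic on POSIX file systems. If last night's run
# is still alive, refuse to start another one (this is what let three aide processes
# pile up in the ps listing). A lock left behind by a dead process is reclaimed.
acquire_lock() {
  if mkdir "$LOCK_DIR" 2>/dev/null; then
    echo "$$" > "$LOCK_DIR/pid"
    return 0
  fi
  oldpid=$(cat "$LOCK_DIR/pid" 2>/dev/null)
  if [ -n "$oldpid" ] && kill -0 "$oldpid" 2>/dev/null; then
    echo "aide-daily: previous run (pid $oldpid) still running, not starting another" >&2
    return 1
  fi
  rm -rf "$LOCK_DIR" && mkdir "$LOCK_DIR" && echo "$$" > "$LOCK_DIR/pid"
}

release_lock() { rm -rf "$LOCK_DIR"; }

# Run the check with its report redirected to a dated file, not into a pipe: whatever
# happens on the mail side, aide finishes and exits, and the full report stays on disk.
# Prints the report path on stdout; returns aide's exit status.
run_check() {
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/aide-$(date +%Y%m%d-%H%M%S).log"
  "$AIDE_CMD" $AIDE_ARGS > "$report" 2>&1
  status=$?
  echo "$report"
  return $status
}

# Decide whether the report deserves a mail: yes on a non-zero aide exit status, or when
# the summary reports differences (assumed summary text, see above). A clean run sends
# nothing, so a mailbox nobody reads stops filling up.
report_needs_mail() {
  report=$1; status=$2
  [ "$status" -ne 0 ] && return 0
  grep -q 'AIDE found differences' "$report"
}

# Send at most MAX_MAIL_LINES lines of the report plus a pointer to the full file.
send_report() {
  report=$1
  {
    head -n "$MAX_MAIL_LINES" "$report"
    printf '\n[truncated to %s lines; full report: %s]\n' "$MAX_MAIL_LINES" "$report"
  } | if [ -n "$MAIL_SINK" ]; then cat >> "$MAIL_SINK"; else /bin/mail -s "$MAIL_SUBJECT" "$MAILTO"; fi
}

# One nightly run. Returns 0 for a clean check, 1 when changes or errors were mailed,
# 2 when a previous run was still in progress and this one declined to start.
aide_daily() {
  acquire_lock || return 2
  report=$(run_check) && status=0 || status=$?
  if report_needs_mail "$report" "$status"; then
    send_report "$report"
    release_lock; return 1
  fi
  release_lock; return 0
}

# Run the check only when invoked as the script itself (e.g. from cron as
# /usr/local/sbin/aide-daily.sh), not when the file is sourced for testing.
case "$0" in
  */aide-daily.sh|aide-daily.sh) aide_daily ;;
esac
```

To use it, the cron.d line would become `0 2 * * * root /usr/local/sbin/aide-daily.sh` with no pipe and no trailing `&` (cron already runs the job in the background; the `&` in the original line only detaches the pipeline from the shell that cron started). The -V is dropped deliberately so the verbosity set in aide.conf is what applies; if more detail is wanted for a particular night it can be passed through AIDE_ARGS. The mkdir-based lock is used instead of flock so the script works on an older SLES without util-linux's flock or coreutils' timeout.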
