VCS agent entry point processes are killed by signal 9 (SIGKILL) when Linux audit rules are configurted

  • Article ID:100042759
  • Last Published:
  • Product(s):InfoScale & Storage Foundation

Problem

Veritas Cluster Server (VCS) agent entry point processes (e.g. monitor) are killed by signal 9 (SIGKILL) when Linux audit rules like the following are configured.

# log all commands executed by an effective user id of 0 (root).
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

This causes the corresponding VCS resources to go into UNKNOWN state or report as NOT PROBED.

Error Message

The following messages are logged in the VCS agent log.

2018/04/07 16:13:01 VCS WARNING V-16-0-13196 Thread(4131375984) script (/opt/VRTSagents/ha/bin/WebSphereMQ/monitor) terminated due to signal (9)
2018/04/07 16:13:01 VCS ERROR V-16-2-13040 Thread(4131375984) Resource(q_mgr_Prod): Program(/opt/VRTSagents/ha/bin/WebSphereMQ/monitor) was abnormally terminated with the exit code(0x9).

Cause

This is a Linux kernel issue.  The problem can happen to any process with a lengthy program argument list.  The problem was reported to occur on the following kernel versions.

2.6.32-642.15.1.el6.x86_64  (RHEL 6.8)
2.6.32-696.el6.x86_64  (RHEL 6.9)

Solution

As a temporary workaround please disable the audit rules similar to the ones listed above or disable audit altogether.

Please contact the OS vendor for a permanent solution.

 

Was this content helpful?

Get Support