IJ32955: AUDIT CAN FAIL TO RESTART WHEN LARGE NUMBER OF OBJECTS ARE AUDITAPPLIES TO AIX 7200-05

APAR status

• Closed as program error.

Error description

• When audit runs with a large number of objects and
  some of the objects might not actually exists,
  audit shutdown then audit start can fail with :
  # audit start
  ** failed setting kernel audit objects
  To verify the problem you can run :
  # echo "xm -u" | kdb|grep ObjectCreate
  0000000000036900 873 9CECD0 .ObjectCreate+00004C
  000000000000CA20 873 9CED04 .ObjectCreate+000080
  These lines shouldn't appear when audit is shutdown
  as objects should be removed during the shutdown process.
  

Local fix

• After several "audit shutdown" when
  "echo "xm -u" | kdb|grep ObjectCreate" will show no more
  entries, audit start will work again.
  

Problem summary

• The audit start command may fail after an audit shutdown or a
  system may crash during auditing with a stack similar to:
  
  (0)> f
  pvthread+09DE00 STACK:
   0000DE0C ___strcmp64+00000C ()
   009CE040 IPRA.$ObjectFind+0001E0 (??, ??, ??)
   009CD8CC IPRA.$ObjectMake+0000AC (??, ??, ??)
   009D0E1C aud_vn_create+00017C (??, ??, ??, ??, ??, ??, ??)
  

Problem conclusion

• AIX's auditing functions were modified to prevent overlap
  between existing and nonexistent files.
  

Temporary fix

Comments

• ×**** PE22/12/02 PTF IN ERROR. SEE APAR IJ41093  FOR DESCRIPTION
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  IJ33375 IJ33619 IJ34485

Fix information

• Fixed component name

  AIX V7.2

• Fixed component ID

  5765CD200

Applicable component levels

• R720 PSY U888456

     UP22/02/04 I 1000