execve("/sbin/auditd", ["auditd", "-f", "-n"], [/* 22 vars */]) = 0 brk(0) = 0x2b69e7421000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb51a000 uname({sys="Linux", node="biberserv", ...}) = 0 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=28816, ...}) = 0 mmap(NULL, 28816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2b69cb51b000 close(3) = 0 open("/lib64/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000W\0\3019\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=141440, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb523000 mmap(NULL, 2200432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2b69cb71c000 mprotect(0x2b69cb731000, 2093056, PROT_NONE) = 0 mmap(0x2b69cb930000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x2b69cb930000 mmap(0x2b69cb932000, 13168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b69cb932000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\331\1\3009\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1704256, ...}) = 0 mmap(NULL, 3485944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2b69cb936000 mprotect(0x2b69cba80000, 2097152, PROT_NONE) = 0 mmap(0x2b69cbc80000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14a000) = 0x2b69cbc80000 mmap(0x2b69cbc85000, 16632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2b69cbc85000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cbc8a000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cbc8b000 arch_prctl(ARCH_SET_FS, 0x2b69cbc8aaf0) = 0 mprotect(0x2b69cbc80000, 16384, PROT_READ) = 0 mprotect(0x2b69cb930000, 4096, PROT_READ) = 0 mprotect(0x2b69cb71a000, 4096, PROT_READ) = 0 munmap(0x2b69cb51b000, 28816) = 0 set_tid_address(0x2b69cbc8ab80) = 20845 set_robust_list(0x2b69cbc8ab90, 0x18) = 0 rt_sigaction(SIGRTMIN, {0x2b69cb721360, [], SA_RESTORER|SA_SIGINFO, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0x2b69cb7212b0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0 getuid() = 0 rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGILL, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTRAP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGABRT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGBUS, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGFPE, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGKILL, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument) rt_sigaction(SIGUSR1, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGALRM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSTKFLT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGCHLD, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGCONT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSTOP, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument) rt_sigaction(SIGTSTP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTTIN, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTTOU, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGURG, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGXCPU, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGXFSZ, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGVTALRM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPROF, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGWINCH, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGIO, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPWR, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSYS, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_2, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_3, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_4, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_5, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_6, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_7, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_8, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_9, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_10, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_11, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_12, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_13, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_14, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_15, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_16, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_17, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_18, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_19, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_20, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_21, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_22, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_23, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_24, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_25, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_26, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_27, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_28, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_29, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_30, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_31, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_32, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTERM, {0x2b69cb2e83c0, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigaction(SIGHUP, {0x2b69cb2e83d0, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigaction(SIGUSR1, {0x2b69cb2e83e0, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigaction(SIGUSR2, {0x2b69cb2e83f0, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 rt_sigaction(SIGCHLD, {0x2b69cb2e85c0, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 setrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 setrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 brk(0) = 0x2b69e7421000 brk(0x2b69e7442000) = 0x2b69e7442000 open("/etc/audit/auditd.conf", O_RDONLY|O_NOFOLLOW) = 3 write(2, "Config file /etc/audit/auditd.co"..., 53Config file /etc/audit/auditd.conf opened for parsing) = 53 write(2, "\n", 1 ) = 1 fstat(3, {st_mode=S_IFREG|0640, st_size=503, ...}) = 0 fcntl(3, F_GETFL) = 0x28000 (flags O_RDONLY|O_LARGEFILE|O_NOFOLLOW) fstat(3, {st_mode=S_IFREG|0640, st_size=503, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb51b000 lseek(3, 0, SEEK_CUR) = 0 read(3, "#\n# This file controls the confi"..., 4096) = 503 write(2, "log_file_parser called with: /va"..., 53log_file_parser called with: /var/log/audit/audit.log) = 53 write(2, "\n", 1 ) = 1 open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 close(4) = 0 open("/var/log/audit/audit.log", O_RDONLY|O_APPEND) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=28016, ...}) = 0 close(4) = 0 write(2, "log_format_parser called with: R"..., 34log_format_parser called with: RAW) = 34 write(2, "\n", 1 ) = 1 write(2, "log_group_parser called with: ro"..., 34log_group_parser called with: root) = 34 write(2, "\n", 1 ) = 1 socket(PF_FILE, SOCK_STREAM, 0) = 4 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 4 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(4) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=1696, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb51c000 read(4, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1696 read(4, "", 4096) = 0 close(4) = 0 munmap(0x2b69cb51c000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0644, st_size=28816, ...}) = 0 mmap(NULL, 28816, PROT_READ, MAP_PRIVATE, 4, 0) = 0x2b69cb524000 close(4) = 0 open("/lib64/libnss_files.so.2", O_RDONLY) = 4 read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\37\0\0\0\0\0\0"..., 832) = 832 fstat(4, {st_mode=S_IFREG|0755, st_size=53880, ...}) = 0 mmap(NULL, 2139432, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2b69cbc8c000 mprotect(0x2b69cbc96000, 2093056, PROT_NONE) = 0 mmap(0x2b69cbe95000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x9000) = 0x2b69cbe95000 close(4) = 0 mprotect(0x2b69cbe95000, 4096, PROT_READ) = 0 munmap(0x2b69cb524000, 28816) = 0 open("/etc/group", O_RDONLY) = 4 fcntl(4, F_GETFD) = 0 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 fstat(4, {st_mode=S_IFREG|0644, st_size=557, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb524000 read(4, "root:x:0:root\nbin:x:1:root,bin,d"..., 4096) = 557 close(4) = 0 munmap(0x2b69cb524000, 4096) = 0 write(2, "priority_boost_parser called wit"..., 36priority_boost_parser called with: 3) = 36 write(2, "\n", 1 ) = 1 write(2, "flush_parser called with: INCREM"..., 37flush_parser called with: INCREMENTAL) = 37 write(2, "\n", 1 ) = 1 write(2, "freq_parser called with: 20", 27freq_parser called with: 20) = 27 write(2, "\n", 1 ) = 1 write(2, "num_logs_parser called with: 4", 30num_logs_parser called with: 4) = 30 write(2, "\n", 1 ) = 1 write(2, "qos_parser called with: lossy", 29qos_parser called with: lossy) = 29 write(2, "\n", 1 ) = 1 write(2, "dispatch_parser called with: /sb"..., 42dispatch_parser called with: /sbin/audispd) = 42 write(2, "\n", 1 ) = 1 open("/sbin/audispd", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0750, st_size=76440, ...}) = 0 close(4) = 0 write(2, "max_log_size_parser called with:"..., 34max_log_size_parser called with: 5) = 34 write(2, "\n", 1 ) = 1 write(2, "max_log_size_action_parser calle"..., 46max_log_size_action_parser called with: ROTATE) = 46 write(2, "\n", 1 ) = 1 write(2, "space_left_parser called with: 7"..., 33space_left_parser called with: 75) = 33 write(2, "\n", 1 ) = 1 write(2, "space_action_parser called with:"..., 39space_action_parser called with: SYSLOG) = 39 write(2, "\n", 1 ) = 1 write(2, "action_mail_acct_parser called w"..., 41action_mail_acct_parser called with: root) = 41 write(2, "\n", 1 ) = 1 write(2, "admin_space_left_parser called w"..., 39admin_space_left_parser called with: 50) = 39 write(2, "\n", 1 ) = 1 write(2, "admin_space_left_action_parser c"..., 51admin_space_left_action_parser called with: SUSPEND) = 51 write(2, "\n", 1 ) = 1 write(2, "disk_full_action_parser called w"..., 44disk_full_action_parser called with: SUSPEND) = 44 write(2, "\n", 1 ) = 1 write(2, "disk_error_action_parser called "..., 45disk_error_action_parser called with: SUSPEND) = 45 write(2, "\n", 1 ) = 1 read(3, "", 4096) = 0 close(3) = 0 munmap(0x2b69cb51b000, 4096) = 0 getpriority(PRIO_PROCESS, 0) = 20 setpriority(PRIO_PROCESS, 0, 4294967293) = 0 getpriority(PRIO_PROCESS, 0) = 23 socket(PF_NETLINK, SOCK_RAW, 9) = 3 fcntl(3, F_SETFD, FD_CLOEXEC) = 0 open("/var/run/auditd.pid", O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW, 0644) = 4 write(4, "20845\n", 6) = 6 close(4) = 0 fcntl(1, F_GETFL) = 0x8402 (flags O_RDWR|O_APPEND|O_LARGEFILE) fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b69cb51b000 lseek(1, 0, SEEK_CUR) = -1 ESPIPE (Illegal seek) mmap(NULL, 10489856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_32BIT, -1, 0) = 0x415fc000 mprotect(0x415fc000, 4096, PROT_NONE) = 0 clone(child_stack=0x41ffc250, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tidptr=0x41ffc9d0, tls=0x41ffc940, child_tidptr=0x41ffc9d0) = 20848 socketpair(PF_FILE, SOCK_STREAM, 0, [4, 5]) = 0 fcntl(4, F_GETFL) = 0x2 (flags O_RDWR) fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 fcntl(5, F_GETFL) = 0x2 (flags O_RDWR) fcntl(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x2b69cbc8ab80) = 20849 close(4) = 0 fcntl(5, F_SETFD, FD_CLOEXEC) = 0 write(2, "Started dispatcher: /sbin/audisp"..., 44Started dispatcher: /sbin/audispd pid: 20849) = 44 write(2, "\n", 1 ) = 1 uname({sys="Linux", node="biberserv", ...}) = 0 open("/proc/self/loginuid", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) writev(5, [{"\0\0\0\0\20\0\0\0\260\4\0\0\213\0\0\0", 16}, {"audit(1233669822.196:7168): audi"..., 139}], 2) = 155 futex(0x2b69cb4ff554, FUTEX_WAKE_OP, 1, 1, 0x2b69cb4ff550, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_EQ, 0}) = 1 futex(0x2b69cb4ff528, FUTEX_WAKE, 1) = 1 sched_yield() = 0 open("/proc/self/oom_adj", O_WRONLY|O_NOFOLLOW) = 4 write(4, "-17", 3) = 3 close(4) = 0 write(2, "config_manager init complete", 28config_manager init complete) = 28 write(2, "\n", 1 ) = 1 sendto(3, "0\0\0\0\351\3\5\0\1\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0mQ\0\0"..., 48, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = -1 ECONNREFUSED (Connection refused) write(2, "Error setting audit daemon pid ("..., 51Error setting audit daemon pid (Connection refused)) = 51 write(2, "\n", 1 ) = 1 open("/proc/self/loginuid", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or directory) writev(5, [{"\0\0\0\0\20\0\0\0\262\4\0\0S\0\0\0", 16}, {"audit(1233669822.197:7169): audi"..., 83}], 2) = 99 futex(0x2b69cb4ff554, FUTEX_WAKE_OP, 1, 1, 0x2b69cb4ff550, {FUTEX_OP_SET, 0, FUTEX_OP_CMP_EQ, 12}) = 1 futex(0x2b69cb4ff528, FUTEX_WAKE, 1) = 1 sched_yield() = 0 write(2, "Unable to set audit pid, exiting", 32Unable to set audit pid, exiting) = 32 write(2, "\n", 1 ) = 1 rt_sigaction(SIGALRM, {0x2b69cb2e8400, [], SA_RESTORER, 0x2b69cb729e70}, NULL, 8) = 0 alarm(5) = 0 unlink("/var/run/auditd.pid") = 0 kill(20849, SIGTERM) = 0 close(5) = 0 write(2, "The audit daemon is exiting.", 28The audit daemon is exiting.) = 28 write(2, "\n", 1 ) = 1 sendto(3, "0\0\0\0\351\3\5\0\2\0\0\0\0\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 48, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = -1 ECONNREFUSED (Connection refused) write(2, "Error setting audit daemon pid ("..., 51Error setting audit daemon pid (Connection refused)) = 51 --- SIGCHLD (Child exited) @ 0 (0) --- wait4(-1, NULL, WNOHANG, NULL) = 20849 wait4(-1, NULL, WNOHANG, NULL) = -1 ECHILD (No child processes) rt_sigreturn(0x2) = 51 write(2, "\n", 1 ) = 1 close(3) = 0 unlink("/var/run/auditd.pid") = -1 ENOENT (No such file or directory) exit_group(1) = ?