[opensuse-factory] auditing what process forked binary X ?
Hi:

In about 3 machines I have the following annoying log message:

modprobe[1062]: FATAL: Error inserting padlock_sha (/lib/modules/3.9.0-rc3-1-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device

This means:

- Something is forking modprobe and trying to probe a module that is not going to ever work in the machines, since they have no VIA processors.
- It should not be doing that and has to be stopped :-) the module will load automatically if the running system matches x86cpu:vendor:*:family:*:model:*:feature:*00AA*
- It is not systemd, udev or any of the service files.
- It is also not any of the few remaining legacy sysvinit scripts.
- It is not a custom configuration.
- I suspect it might be Networkmanager but have no evidence to prove it.

Is there any way to know "what process forked modprobe" using the audit subsystem or any other facility ?

thanks.
On Tuesday 2013-03-19 22:06, Cristian Rodríguez wrote:
In about 3 machines I have the following annoying log message:
modprobe[1062]: FATAL: Error inserting padlock_sha (/lib/modules/3.9.0-rc3-1-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device
This means:
- Something is forking modprobe and trying to probe a module that is not going to ever work in the machines, since they have no VIA processors.
- I suspect it might be Networkmanager but have no evidence to prove it.
Is there any way to know "what process forked modprobe" using the audit subsystem or any other facility ?
mv modprobe modprobe.bin
cat >modprobe <<-'EOF'
#!/bin/sh
# Log the arguments and a process-tree snapshot, then run the real binary.
# The quoted 'EOF' keeps $@ and $$ from being expanded while the wrapper is written.
echo "Args: $@" >>/tmp/modprobe.log.$$
ps aufwwx >>/tmp/modprobe.log.$$
exec modprobe.bin "$@"
EOF
chmod +x modprobe
On 19/03/13 18:48, Jan Engelhardt wrote:
mv modprobe modprobe.bin
cat >modprobe <<-'EOF'
#!/bin/sh
echo "Args: $@" >>/tmp/modprobe.log.$$
ps aufwwx >>/tmp/modprobe.log.$$
exec modprobe.bin "$@"
EOF
chmod +x modprobe

yeah, that hack might work too :-) I was looking for a less hackish way though ..
On Tuesday, 2013-03-19 at 18:06 -0300, Cristian Rodríguez wrote:
In about 3 machines I have the following annoying log message:
modprobe[1062]: FATAL: Error inserting padlock_sha (/lib/modules/3.9.0-rc3-1-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device
I have been seeing that message for years in my machines (or very similar). However, the message went to /var/log/boot.msg, where it did not bother me. Now it goes to messages.log - that's your fault for implementing systemd! :-P

(just kidding)

--
Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On 19/03/13 23:15, Carlos E. R. wrote:
On Tuesday, 2013-03-19 at 18:06 -0300, Cristian Rodríguez wrote:
In about 3 machines I have the following annoying log message:
modprobe[1062]: FATAL: Error inserting padlock_sha (/lib/modules/3.9.0-rc3-1-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device
I have been seeing that message for years in my machines (or very similar). However, the message went to /var/log/boot.msg, where it did not bother me. Now it goes to messages.log - that's your fault for implementing systemd! :-P
Heh, no . do not shoot the messenger :)

"something" is doing probes the wrong way from the wrong reason. that's all.

That message only hints that it is not the kernel, udev or systemd trying to do something stupid (none of them fork modprobe)
On 19/03/13 23:15, Carlos E. R. wrote:
I have been seeing that message for years in my machines (or very similar). However, the message went to /var/log/boot.msg, where it did not bother me. Now it goes to messages.log - that's your fault for implementing systemd! :-P
Heh, no . do not shoot the messenger :)
:-)
"something" is doing probes the wrong way from the wrong reason. that's all.
That message only hints that it is not the kernel, udev or systemd trying to do something stupid (none of them fork modprobe)
I know.

But it has been happening for years, I noticed that message long ago. Have a look:

12.1 SystemV:

<5>[ 67.107370] padlock_sha: VIA PadLock Hash Engine not detected.

openSUSE 11.2 (x86_64):

<5>[ 40.091166] padlock: VIA PadLock not detected.
...
<5>[ 40.109950] padlock: VIA PadLock Hash Engine not detected.

Telcontar:~ # zgrep -i padlock /other/Elessar/var/log/*bz2
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar kernel: [ 4587.702886] padlock: VIA PadLock not detected.
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar kernel: [ 4587.732074] padlock: VIA PadLock Hash Engine not detected.
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.31.12-0.2-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device

I see that I mentioned it on some bugzilla years ago, too.

--
Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On Wed, 20 Mar 2013 04:32:53 +0100 (CET), "Carlos E. R." wrote:
On Tuesday, 2013-03-19 at 23:29 -0300, Cristian Rodríguez wrote:
On 19/03/13 23:15, Carlos E. R. wrote:
I have been seeing that message for years in my machines (or very similar). However, the message went to /var/log/boot.msg, where it did not bother me. Now it goes to messages.log - that's your fault for implementing systemd! :-P
Heh, no . do not shoot the messenger :)
:-)
"something" is doing probes the wrong way from the wrong reason. that's all.
That message only hints that it is not the kernel, udev or systemd trying to do something stupid (none of them fork modprobe)
I know.
But it has been happening for years, I noticed that message long ago. Have a look:
12.1 SystemV:
<5>[ 67.107370] padlock_sha: VIA PadLock Hash Engine not detected.
openSUSE 11.2 (x86_64):
<5>[ 40.091166] padlock: VIA PadLock not detected.
...
<5>[ 40.109950] padlock: VIA PadLock Hash Engine not detected.
Telcontar:~ # zgrep -i padlock /other/Elessar/var/log/*bz2
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar kernel: [ 4587.702886] padlock: VIA PadLock not detected.
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar kernel: [ 4587.732074] padlock: VIA PadLock Hash Engine not detected.
/other/Elessar/var/log/messages-20100621.bz2:May 29 12:49:21 Elessar modprobe: FATAL: Error inserting padlock_sha (/lib/modules/2.6.31.12-0.2-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device
I see that I mentioned it on some bugzilla years ago, too.
Do you have encrypted filesystems?
On Wednesday, 2013-03-20 at 07:48 +0400, Andrey Borzenkov wrote:
Do you have encrypted filesystems?
Yes, I do. Not for the system or home, but separate data partitions. file -s says:

/dev/sdc9: LUKS encrypted file, ver 1 [aes, cbc-essiv:sha256, sha1] UUID:

--
Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On Wed, Mar 20, 2013 at 6:14 PM, Carlos E. R. wrote:
On Wednesday, 2013-03-20 at 07:48 +0400, Andrey Borzenkov wrote:
Do you have encrypted filesystems?
Yes, I do.
loading of module is triggered by cryptsetup. It does not load it itself, but may be internally kernel probes for all crypto providers.
On 20/03/13 11:32, Andrey Borzenkov wrote:
On Wed, Mar 20, 2013 at 6:14 PM, Carlos E. R. wrote:
On Wednesday, 2013-03-20 at 07:48 +0400, Andrey Borzenkov wrote:
Do you have encrypted filesystems?
Yes, I do.
loading of module is triggered by cryptsetup. It does not load it itself, but may be internally kernel probes for all crypto providers.
Yes, but this is not an internal probe and none of the machines where I see this msg has encrypted filesystems.
On Wednesday, 2013-03-20 at 14:38 -0300, Cristian Rodríguez wrote:
On 20/03/13 11:32, Andrey Borzenkov wrote:
Yes, I do.
loading of module is triggered by cryptsetup. It does not load it itself, but may be internally kernel probes for all crypto providers.
Yes, but this is not an internal probe and none of the machines where I see this msg has encrypted filesystems.
Interesting. So you and I get the message for different reasons.

Or... is there a reason the kernel or whatever probes for encrypted filesystems when there is none?

--
Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On Wed, 20 Mar 2013 23:47, Carlos E. R. wrote:
On Wednesday, 2013-03-20 at 14:38 -0300, Cristian Rodríguez wrote:
On 20/03/13 11:32, Andrey Borzenkov wrote:
Yes, I do.
loading of module is triggered by cryptsetup. It does not load it itself, but may be internally kernel probes for all crypto providers.
Yes, but this is not an internal probe and none of the machines where I see this msg has encrypted filesystems.
Interesting. So you and I get the message for different reasons.
Or... is there a reason the kernel or whatever probes for encrypted filesystems when there is none?
Question to the OP (and all others in this thread):
Have you messed with "/etc/sysconfig/kernel" ? Or "/etc/modprobe.d/99-local.conf" ?

On my old Evergreen 11.2 box I do not see the error in my logs (neither boot.msg nor allmessages) and I have changed my /etc/sysconfig/kernel to reflect my hardware (INITRD_MODULES, MODULES_LOADED_ON_BOOT) and rebuild the initrd-file, that may be a point to look for.

Also the files in: /etc/modprobe.d/* esp. /etc/modprobe.d/99-local.conf are worth a look, as everything I did not need, I've disabled. Most of it via "alias xxxxx off" or "install xxxx /bin/true" on 99-local.conf.

- Yamaban.
On 20/03/13 20:44, Yamaban wrote:
On my old Evergreen 11.2 box I do not see the error in my logs (neither boot.msg nor allmessages) and I have changed my /etc/sysconfig/kernel to reflect my hardware (INITRD_MODULES, MODULES_LOADED_ON_BOOT) and rebuild the initrd-file, that may be a point to look for.
Also the files in: /etc/modprobe.d/* esp. /etc/modprobe.d/99-local.conf
are worth a look, as everything I did not need, I've disabled. Most of it via "alias xxxxx off" or "install xxxx /bin/true" on 99-local.conf.
No, it is not a customization.
On Wednesday 2013-03-20 03:29, Cristian Rodríguez wrote:
In about 3 machines I have the following annoying log message:
modprobe[1062]: FATAL: Error inserting padlock_sha (/lib/modules/3.9.0-rc3-1-desktop/kernel/drivers/crypto/padlock-sha.ko): No such device
I have been seeing that message for years in my machines (or very similar). However, the message went to /var/log/boot.msg, where it did not bother me. Now it goes to messages.log - that's your fault for implementing systemd! :-P
Heh, no . do not shoot the messenger :)
"something" is doing probes the wrong way from the wrong reason. that's all.
Let's see..

$ modinfo padlock-sha
filename: /lib/modules/3.7.10-jng11-desktop/kernel/drivers/crypto/padlock-sha.ko
[...]
alias: x86cpu:vendor:*:family:*:model:*:feature:*00AA*

And now check with

udevadm info --export-db | grep x86cpu:

Got 00AA in it?
On Wednesday, 2013-03-27 at 03:25 +0100, Jan Engelhardt wrote:
On Wednesday 2013-03-20 03:29, Cristian Rodríguez wrote:
"something" is doing probes the wrong way from the wrong reason. that's all.
Let's see..
$ modinfo padlock-sha
filename: /lib/modules/3.7.10-jng11-desktop/kernel/drivers/crypto/padlock-sha.ko
[...]
alias: x86cpu:vendor:*:family:*:model:*:feature:*00AA*
And now check with
udevadm info --export-db | grep x86cpu:
Got 00AA in it?
Telcontar:~ # modinfo padlock-sha
filename: /lib/modules/3.1.10-1.19-desktop/kernel/drivers/crypto/padlock-sha.ko
alias: sha256-padlock
alias: sha1-padlock
alias: sha256-all
alias: sha1-all
author: Michal Ludvig
license: GPL
description: VIA PadLock SHA1/SHA256 algorithms support.
srcversion: DFE445F053B7F98B381D760
depends:
vermagic: 3.1.10-1.19-desktop SMP preempt mod_unload modversions
Telcontar:~ # udevadm info --export-db | grep x86cpu
Telcontar:~ #

Is that what you expect?

--
Cheers, Carlos E. R. (from 12.1 x86_64 "Asparagus" at Telcontar)
On Wed, 27 Mar 2013 03:33, Carlos E. R. wrote:
On Wednesday, 2013-03-27 at 03:25 +0100, Jan Engelhardt wrote:
On Wednesday 2013-03-20 03:29, Cristian Rodríguez wrote:
"something" is doing probes the wrong way from the wrong reason. that's all.
Let's see..
$ modinfo padlock-sha
filename: /lib/modules/3.7.10-jng11-desktop/kernel/drivers/crypto/padlock-sha.ko
[...]
alias: x86cpu:vendor:*:family:*:model:*:feature:*00AA*
And now check with
udevadm info --export-db | grep x86cpu:
Got 00AA in it?
Telcontar:~ # modinfo padlock-sha
filename: /lib/modules/3.1.10-1.19-desktop/kernel/drivers/crypto/padlock-sha.ko
alias: sha256-padlock
alias: sha1-padlock
alias: sha256-all
alias: sha1-all
author: Michal Ludvig
license: GPL
description: VIA PadLock SHA1/SHA256 algorithms support.
srcversion: DFE445F053B7F98B381D760
depends:
vermagic: 3.1.10-1.19-desktop SMP preempt mod_unload modversions
Telcontar:~ # udevadm info --export-db | grep x86cpu
Telcontar:~ #
Is that what you expect?
Interesting is, that in the Evergreen 11.2 kernel, the "depends" field is filled:

filename: /lib/modules/2.6.31.14-0.8-desktop/kernel/drivers/crypto/padlock-sha.ko
....
srcversion: CB8D3DBB1F83B3770836EA3
depends: crypto_algapi
vermagic: 2.6.31.14-0.8-desktop SMP preempt mod_unload modversions

Can't say when (time/kernel-version) this changed.

- Yamaban.
On Wednesday 2013-03-27 03:50, Yamaban wrote:
Interesting is, that in the Evergreen 11.2 kernel, the "depends" field is filled:
filename: /lib/modules/2.6.31.14-0.8-desktop/kernel/drivers/crypto/padlock-sha.ko
....
srcversion: CB8D3DBB1F83B3770836EA3
depends: crypto_algapi
vermagic: 2.6.31.14-0.8-desktop SMP preempt mod_unload modversions
Can't say when (time/kernel-version) this changed.
Well, the depends line is not all that important.

(As for SUSE configs, crypto_algapi likely moved from =m to =y.)
On Wed, Mar 27, 2013 at 05:14:43AM +0100, Jan Engelhardt wrote:
Well, the depends line is not all that important.
(As for SUSE configs, crypto_algapi likely moved from =m to =y.)
Yes, it looks like this happened between 11.2 and 11.3:
commit 370c3abfa759e7a5c216c906f21cd6f818eb3055
Author: Jiri Kosina
On 19/03/13 22:06, Cristian Rodríguez wrote:
Is there any way to know "what process forked modprobe" using the audit subsystem or any other facility ?
Maybe you can try a rule for audit like

auditctl -a exit,always -F arch=b64 -S execve -F uid=0

then you will log:

type=SYSCALL msg=audit(1363768171.730:155): arch=c000003e syscall=59 success=yes exit=0 a0=7f37040e0848 a1=7f37040e0878 a2=7fffc3e15928 a3=7fffc3e0bc10 items=2 ppid=22933 pid=23033 auid=16462 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=797 tty=pts1 comm="modprobe" exe="/sbin/modprobe" key=(null)
type=EXECVE msg=audit(1363768171.730:155): argc=2 a0="/sbin/modprobe" a1="thermal_sys"

I don't know how you can filter to log only by that command, but still it will help you.

--
Duncan Mac-Vicar P. - http://www.suse.com/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
Maxfeldstraße 5, 90409 Nürnberg, Germany
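The audit records shown in the message above carry only the caller's ppid, so naming the process that forked modprobe means correlating them with earlier execve records. The following is an added example, not code from any poster in this thread: it pairs SYSCALL and EXECVE records by event id and walks the logged ancestors of each modprobe execution. The sample records, the "exampled" daemon and the "modprobe-exec" key name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Rules that produce the records (run as root):
#   auditctl -a exit,always -F arch=b64 -S execve -F uid=0  # every execve by root
#   auditctl -w /sbin/modprobe -p x -k modprobe-exec        # modprobe only; key name made up
# The narrow rule records the caller's ppid but cannot name a parent started earlier.

# Read raw audit records on stdin. For each successful execve of a modprobe binary,
# print its argv and the chain of ancestors whose own execve was also logged.
modprobe_parents() {
    awk '
    function val(name,    i) {   # value of a name=value field on the current record
        for (i = 1; i <= NF; i++)
            if (index($i, name "=") == 1) return substr($i, length(name) + 2)
        return ""
    }
    function unq(s) { gsub(/"/, "", s); return s }
    # syscall 59 is execve on x86_64 (arch=c000003e), as in the record quoted above
    $1 == "type=SYSCALL" && val("syscall") == "59" && val("success") == "yes" {
        pid = val("pid"); ppid = val("ppid"); exe = unq(val("exe"))
        if (exe ~ /\/modprobe$/) {
            chain = ""; p = ppid
            for (n = 0; n < 16 && (p in exe_of); n++) {   # bounded walk up the tree
                chain = chain (chain == "" ? "" : " ") exe_of[p] "[" p "]"
                p = par_of[p]
            }
            want[$2] = (chain == "") ? "unknown[" ppid "]" : chain
        }
        exe_of[pid] = exe; par_of[pid] = ppid
    }
    # The EXECVE record with the same msg=audit(...) id carries the argument vector
    $1 == "type=EXECVE" && ($2 in want) {
        argv = ""
        for (i = 3; i <= NF; i++)
            if ($i ~ /^a[0-9]+=/)
                argv = argv (argv == "" ? "" : " ") unq(substr($i, index($i, "=") + 1))
        print "argv=" argv " ancestors=" want[$2]
        delete want[$2]
    }'
}

# Constructed sample records, fields abbreviated; "exampled" is a hypothetical daemon
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1363768170.100:150): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 uid=0 comm="exampled" exe="/usr/sbin/exampled" key=(null)
type=EXECVE msg=audit(1363768170.100:150): argc=1 a0="/usr/sbin/exampled"
type=SYSCALL msg=audit(1363768171.200:154): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 uid=0 comm="sh" exe="/bin/sh" key=(null)
type=EXECVE msg=audit(1363768171.200:154): argc=2 a0="/bin/sh" a1="/usr/lib/exampled/helper"
type=SYSCALL msg=audit(1363768171.730:155): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=1062 uid=0 comm="modprobe" exe="/sbin/modprobe" key=(null)
type=EXECVE msg=audit(1363768171.730:155): argc=2 a0="/sbin/modprobe" a1="padlock_sha"
type=SYSCALL msg=audit(1363768180.010:160): arch=c000003e syscall=59 success=yes exit=0 ppid=777 pid=1100 uid=0 comm="modprobe" exe="/sbin/modprobe" key=(null)
type=EXECVE msg=audit(1363768180.010:160): argc=2 a0="/sbin/modprobe" a1="thermal_sys"
EOF
}
sample_audit_log | modprobe_parents
```

On a live system the function would be fed the raw audit log instead of the sample; an "unknown[ppid]" result means the parent was started before the execve rule was loaded.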
participants (7)
- Andrey Borzenkov
- Carlos E. R.
- Cristian Rodríguez
- Duncan Mac-Vicar P.
- Jan Engelhardt
- Michal Kubecek
- Yamaban