(Dropping freebsd-bugs@ and freebsd-security@ to BCC, because this kind of
communication shouldn't really go there)
On 6/22/26 02:40, Anuj Telkhade wrote:
Hi Team,
Hello!
We are observing an issue on FreeBSD 14.3 where auditd appears to accumulate
zombie child processes during frequent audit trail rotation. The issue is seen
on systems with high audit event volume and relatively small audit trail file
size configuration. Under this condition, audit trail files rotate frequently.
Each rotation appears to invoke /etc/security/audit_warn with the closefile
argument. Over time, multiple audit_warn processes remain in a defunct/zombie
state.
Please check more details on this reference ticket - 295840 – Accumulation of zombie
processes on FreeBSD 14.3 systems during sustained high-volume audit trail rotation
on vendor machines <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295840>,
> To expedite troubleshooting we need freeBSD team's regular calls and direct
alignment with Qualys team for solution.
Let us know your convenient time to sync up.>
I'm sorry that we haven't been able to figure out what's happening in your
scenario yet, but this isn't really how the FreeBSD project works. The mailing
list and bugzilla are both directed to folks largely working on a volunteer
basis. Some bugs do see some sponsored effort for reasons that aren't always
broadcasted, but interactive support isn't something that the project is able
to provide regularly- this is why companies like Klara[0] exist to fill in the
gaps.
Some of the commits against your PR have been sponsored by Klara because we've
done previous work in the OpenBSM space and I was able to secure us some time
to work on this, but I can't really justify more synchronous debugging efforts
at the expense of our paid engagements. You're welcome to reach out to us if
you'd like to work out a different arrangement, or we're more than happy to
continue assisting as time allows.
To expand on the latest instructions from the PR: the point is to stop auditd
and run it under ktrace exclusively until you've collected a number of zombies
while tracing, then stop it and provide us with the relevant trace and logs.
From that, we can gain a better understanding of the event sequencing that's
leading to auditd failing to reap the zombies.
Thanks,
Kyle Evans
[0] https://klarasystems.com/