(Dropping freebsd-bugs@ and freebsd-security@ to BCC, because this kind of 
communication shouldn't really go there)

On 6/22/26 02:40, Anuj Telkhade wrote:
Hi Team,


Hello!

We are observing an issue on FreeBSD 14.3 where auditd appears to accumulate 
zombie child processes during frequent audit trail rotation. The issue is seen 
on systems with high audit event volume and relatively small audit trail file 
size configuration. Under this condition, audit trail files rotate frequently. 
Each rotation appears to invoke /etc/security/audit_warn with the closefile 
argument. Over time, multiple audit_warn processes remain in a defunct/zombie 
state.

Please check more details on this reference ticket - 295840 – Accumulation of zombie 
processes on FreeBSD 14.3 systems during sustained high-volume audit trail rotation 
on vendor machines <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295840>,
> To expedite troubleshooting we need freeBSD team's regular calls and direct 
alignment with Qualys team for solution.

Let us know your convenient time to sync up.>
I'm sorry that we haven't been able to figure out what's happening in your 
scenario yet, but this isn't really how the FreeBSD project works.  The mailing 
list and bugzilla are both directed to folks largely working on a volunteer 
basis.  Some bugs do see some sponsored effort for reasons that aren't always 
broadcasted, but interactive support isn't something that the project is able 
to provide regularly- this is why companies like Klara[0] exist to fill in the 
gaps.

Some of the commits against your PR have been sponsored by Klara because we've 
done previous work in the OpenBSM space and I was able to secure us some time 
to work on this, but I can't really justify more synchronous debugging efforts 
at the expense of our paid engagements.  You're welcome to reach out to us if 
you'd like to work out a different arrangement, or we're more than happy to 
continue assisting as time allows.

To expand on the latest instructions from the PR: the point is to stop auditd 
and run it under ktrace exclusively until you've collected a number of zombies 
while tracing, then stop it and provide us with the relevant trace and logs.  
From that, we can gain a better understanding of the event sequencing that's 
leading to auditd failing to reap the zombies.

Thanks,

Kyle Evans

[0] https://klarasystems.com/

Reply via email to