Using 'kill -9' on any ControlMinder process may cause corruption

Document ID : KB000031304
Last Modified Date : 14/02/2018

Issue:

The SIGKILL signal is sent to a process to cause it to terminate immediately (kill). In contrast to SIGTERM and SIGINT, this signal cannot be caught or ignored, and the receiving process cannot perform any clean-up upon receiving this signal.

Environment:

All CA ControlMinder/CA Access Control/eTrust Access Control/CA PIM endpoint product versions.

Cause:

An ungraceful shutdown of any process may cause corruption. This also applies to the various ControlMinder processes, as the following example with the selogrd daemon shows.

root@my_machine[/home_local/root]
# issec
CA Access Control version 12.5 installed in /opt/CA/AccessControl
VeRsIoN: 12.55-0 (921) Compiled On:Jun 15 2011 20:53:38 _AIX710._RS6000 30017
CA Access Control kernel extension is loaded.
CA Access Control daemons are not running.
CA Access Control security daemon is not running.
CA Access Control watchdog daemon is not running.
CA Access Control agent daemon is not running.
CA Access Control serevu daemon is not running.
CA Access Control selogrd daemon is running, pid=9109632 (/opt/CA/AccessControl/bin/selogrd)
CA Access Control selogrcd daemon is not running.
CA Access Control eacws daemon is not running.
CA Access Control ReportAgent daemon is not running.
CA Access Control policyfetcher daemon is not running.
CA Access Control KBLAudMgr daemon is not running.
CA Access Control auxiliary daemon is not running.


root@my_machine[/home_local/root]
# kill -9 9109632


root@my_machine[/home_local/root]
# issec
CA Access Control version 12.5 installed in /opt/CA/AccessControl
VeRsIoN: 12.55-0 (921) Compiled On:Jun 15 2011 20:53:38 _AIX710._RS6000 30017
CA Access Control kernel extension is loaded.
CA Access Control daemons are not running.
CA Access Control security daemon is not running.
CA Access Control watchdog daemon is not running.
CA Access Control agent daemon is not running.
CA Access Control serevu daemon is not running.
CA Access Control selogrd daemon is not running.
CA Access Control selogrcd daemon is not running.
CA Access Control eacws daemon is not running.
CA Access Control ReportAgent daemon is not running.
CA Access Control policyfetcher daemon is not running.
CA Access Control KBLAudMgr daemon is not running.
CA Access Control auxiliary daemon is not running.

root@my_machine [/usr/eac/seosdb]
# seload
CA Access Control seload v12.55.0.921 - Loader Utility
Copyright (c) 2010 CA. All rights reserved.
23 Jun 2015 11:56:34> WAKE_UP : Server going up
23 Jun 2015 11:56:34> INFO : Filter mask: 'WATCHDOG*' is registered
23 Jun 2015 11:56:34> INFO : Filter mask: 'INFO : Setting PV*' is registered
23 Jun 2015 11:56:34> INFO : Filter mask: 'INFO : DB*' is registered
23 Jun 2015 11:56:34> INFO : Filter mask: '*seosd.trace*' is registered
23 Jun 2015 11:56:34> INFO : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 11796514.
The database may be corrupted and is being rebuilt. This may take a few minutes ....
Checking database ...
The database may be corrupted and is being rebuilt. This may take a few minutes ....
File open error in DBIO system
ERROR: Timeout waiting for CA Access Control daemon.
Executing [daemons] command: /opt/CA/AccessControl/bin/selogrd
Starting selogrd. PID = 9109642
Executing [daemons] command: /opt/CA/AccessControl/bin/serevu
Starting serevu. PID = 2097364
root@my_machine [/usr/eac/seosdb]

Resolution:

To protect programs from being killed while ControlMinder is up and running, it is recommended to define PROCESS rules for the relevant binaries. Instead of 'kill -9', use 'secons -S selogrd' or 'kill -15 PID', which gives the component a chance to shut down correctly and safely (closing socket connections, cleaning up temporary files, informing its child processes that it is going away) and to clean up after itself.
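
The difference between the two signals, as an added example that is not part of the original article or of the product: a constructed stand-in worker holds a lock file that only its SIGTERM handler removes, and a stop helper sends 'kill -15' and waits without ever escalating to 'kill -9'. The names start_worker, graceful_stop, stale_after and state.lock are hypothetical.

```shell
#!/bin/sh
# Added example. The "worker" is a constructed stand-in for a daemon, not a
# ControlMinder process; the lock file stands for state that needs clean-up.

# start_worker LOCK: run a background loop that creates LOCK and removes it
# only from its SIGTERM handler. Sets WORKER_PID.
start_worker() {
    sh -c 'cleanup() { rm -f "$0"; exit 0; }
           trap cleanup TERM
           : > "$0"
           while :; do sleep 1; done' "$1" &
    WORKER_PID=$!
    tries=5
    while [ ! -e "$1" ] && [ "$tries" -gt 0 ]; do
        sleep 1; tries=$((tries - 1))
    done
}

# graceful_stop PID [TIMEOUT]: send SIGTERM (kill -15) and poll for exit.
# Returns 0 once the process is gone, 1 if it is still running after
# TIMEOUT seconds. It never escalates to SIGKILL.
graceful_stop() {
    pid=$1; left=${2:-10}
    kill -15 "$pid" 2>/dev/null || return 0
    while [ "$left" -gt 0 ]; do
        sleep 1
        kill -0 "$pid" 2>/dev/null || return 0
        left=$((left - 1))
    done
    echo "pid $pid ignored SIGTERM for ${2:-10}s; investigate before forcing" >&2
    return 1
}

# stale_after SIGNAL: stop a fresh worker with TERM or KILL.
# Returns 0 if the lock file was left behind (no clean-up ran), 1 if not.
stale_after() {
    dir=$(mktemp -d) || return 2
    start_worker "$dir/state.lock"
    if [ "$1" = KILL ]; then
        kill -9 "$WORKER_PID"
    else
        graceful_stop "$WORKER_PID" 5 || true
    fi
    wait "$WORKER_PID" 2>/dev/null || true
    if [ -e "$dir/state.lock" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
```

Calling stale_after KILL returns 0 because the handler never runs and the lock file stays behind; stale_after TERM returns 1 because the worker removed it before exiting.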