kauditd0 after pve9 upgrade

micush

Hi,

It appears I have one instance of kauditd0 for every LXC instance I have running after my PVE9 upgrade and they are consuming quite a bit of CPU:
1754989113654.png

A search through the forums yields no results. Has anybody seen this one yet? How to fix it?
 
Hi!

This is just a guess, but it seems like this is a process imitating the actual kernel thread kauditd, especially because kernel threads lack information like the uptime, cpu%, mem%, etc. Could you post the output of cat /proc/$pid/cmdline and cat /proc/$pid/exe for one of these kauditd0 processes (replace $pid with an actual pid)?
 
Hi,

cat /proc/$pid/cmdline shows kauditd0@pve and cat /proc/$pid/exe shows a bunch of compiled executable with no discernible information.
 
> cat /proc/$pid/exe shows a bunch of compiled executable with no discernible information.
And what does ls -lha /proc/$pid/exe show? If it's a kernel thread (and kauditd normally is a kernel thread), then it won't exist. But in your case it exists and should be a symbolic link to the executable that is running in that process.
 
FYI, multiple (external) users reported [0] [1] [2] that processes with the name "kauditd0" were malware running on their system / containers, especially because they try to imitate a kernel thread but are clearly not a kernel thread at all.

[0] https://www.reddit.com/r/linuxquestions/comments/1hcadve/kauditd0_uses_cpu_a_lot_100/
[1] https://www.reddit.com/r/sysadmin/comments/1i777rl/kauditd0_process_causing_high_cpu_usage_and/
[2] https://www.reddit.com/r/linuxquestions/comments/1hvmj50/kauditd0_high_cpu_usage_oracle_linux/
 
Yes, that was indeed it. It had gotten in through the use of a 3rd party LXC container. All gone now. Thanks for the pointer. Much appreciated.
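
The /proc check from the replies above, turned into a scan over all processes, as an added example that is not part of any post in this thread. It also uses two further traits of genuine kernel threads (empty cmdline, parent PID 2); the name patterns, the proc-root argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags processes whose name looks like a
# kernel thread but which have user-space traits. Name patterns, the proc-root
# argument and the sample tree are assumptions made for illustration.

# Genuine kernel threads: empty cmdline, exe link that cannot be resolved,
# parent is kthreadd (PID 2). Anything else with such a name gets reported.
find_fake_kthreads() (
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        pid="${dir##*/}"
        name="$(cat "$dir/comm" 2>/dev/null)" || continue
        case "$name" in
            kauditd*|kworker*|ksoftirqd*|kswapd*|kthreadd*) ;;
            *) continue ;;
        esac
        ppid="$(awk '/^PPid:/ {print $2; exit}' "$dir/status" 2>/dev/null)" || ppid=""
        cmdline="$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline")" || cmdline=""
        exe="$(readlink "$dir/exe" 2>/dev/null)" || exe=""
        [ "$pid" = 2 ] && ppid=2    # kthreadd itself has PPid 0
        if [ -n "$cmdline" ] || [ -n "$exe" ] || [ "$ppid" != 2 ]; then
            printf '%s\t%s\tppid=%s\texe=%s\n' "$pid" "$name" "$ppid" "${exe:-unreadable}"
        fi
    done
    exit 0
)

# Constructed sample /proc tree: 2 and 77 are shaped like real kernel threads,
# 900 is an ordinary daemon, 4242 is shaped like the impostor in this thread.
make_sample_proc() (
    root="$(mktemp -d)"
    mk() {  # mk PID NAME PPID CMDLINE
        mkdir -p "$root/$1"
        printf '%s\n' "$2" > "$root/$1/comm"
        printf 'Name:\t%s\nPPid:\t%s\n' "$2" "$3" > "$root/$1/status"
        printf '%s' "$4" > "$root/$1/cmdline"
    }
    mk 2 kthreadd 0 ''
    mk 77 kauditd 2 ''
    mk 900 sshd 1 'sshd'
    mk 4242 kauditd0 4100 'kauditd0'
    ln -s /constructed/path/to/binary "$root/4242/exe"
    printf '%s\n' "$root"
)

sample="$(make_sample_proc)"
find_fake_kthreads "$sample"    # on a live host, as root: find_fake_kthreads /proc
rm -rf "$sample"
```

Run on the PVE host as root, this also covers container processes, since they appear in the host's /proc; without root the exe link of other users' processes is unreadable and only the cmdline and parent checks apply.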