messages log repeating error

I have this repeating issue in my messages log, this is on a recently upgraded server (was SLES10SP4 w/ OES2SP3, now SLES11SP2 w/ OES11 SP1)

It appears that the /usr/lib64/libhd.so.* files relate to hwinfo-15.48-0.6.6.1, but beyond that, I really don’t know where to begin looking. Any help would be appreciated. Here is the repeating entry from the messages log:

Nov 19 09:35:46 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:37:01 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:38:16 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:39:31 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:40:47 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:42:02 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:43:17 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48 Nov 19 09:44:32 a2c1s14 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48

Hi jesse_johnston,

but beyond that, I really don’t know where to begin looking

seems to be a running process (script?) looping around that “ls” with a 15 second delay. If nothing catches the eyes in “ps alx” (i.e. “sleep”), then you might want to run your own little loop, looking for sudo (i.e. with a delay of 1 second: “ps alx|head -1;while ps alx ; do sleep 1; done |grep sudo|egrep -v grep”) hopefully you’ll catch the sudo process and can have a closer look at the parent process.

As there are not that many processes that use “/” as their current working directory, " lsof /|grep cwd" might give you a first idea of potential candidates, too.

Regards,
Jens

Hi,

I have exactly the same problem on all SLES11SP2 OES11SP1 Server

Jun 3 11:14:31 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:15:52 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:17:12 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:18:33 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:19:53 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:21:14 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:22:35 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:23:55 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:25:16 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48
Jun 3 11:26:37 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.48

ps alx|head -1;while ps alx ; do sleep 1; done |grep sudo|egrep -v grep
doesnt show anything!

Any Idee please

Thanks

Amila

Do these boxes have ZENworks Imaging software on them, by chance?
Searching on that library turns up this:

https://www.novell.com/support/kb/doc.php?id=7014204

Not the same issue, of course, but I wonder if something within the
ZENworks side of things is causing this redundant use of ‘sudo’ to check
for the files listed, perhaps as part of the fix mentioned would be coming
in that TID.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

No,

ZENworks Linux Imaging Agent is unused

all Server (File-Server, Groupwise Server and SLES-XEN…) have ZENworks Adaptive Agent Version 11.2.4.32791

but this problem is ony on SLES11SP2 OES11SP1 File Server, not on GroupWise Server, SLES-Xen or ZEN Satellite Server!

I uninstall ZCM Agent on one OES11SP1 File-Server and now there is no more this “sudo” messages in /var/log/messages!!!

Jun 3 16:17:51 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.53
Jun 3 16:19:14 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.53
Jun 3 16:20:38 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.53
Jun 3 16:22:01 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.53
Jun 3 16:23:24 server1 sudo: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/ls /usr/lib64/libhd.so.12 /usr/lib64/libhd.so.15 /usr/lib64/libhd.so.15.53

         Component                Version                Status

-----------------------------------±----------±-------------------------------
Inventory Management 11.2.4 Enabled
Patch Management 11.2.4.15 Enabled
Policy Management 11.2.4 Enabled
Image Management 11.2.4 Enabled
Bundle Management 11.2.4 Enabled
-----------------------------------±----------±-------------------------------

Maybe I need to open SR by Novell

Amila