Noisy plugin termination at shutdown

[cgzones]

Following the example plugin code from https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c

        [...]
        /* Flush any accumulated events from queue */
        auparse_flush_feed(au);
        auparse_destroy(au);
        if (stop)
                syslog(LOG_INFO, "sedispatch is exiting on stop request");
        else
                syslog(LOG_INFO, "sedispatch is exiting on stdin EOF");

        return 0;
}

auditd complains roughly in 1 of 4 shutdowns:

Aug 04 12:26:19 dlaptop sedispatch[864]: sedispatch is exiting on stop request
Aug 04 12:26:19 dlaptop auditd[862]: plugin /usr/sbin/sedispatch terminated unexpectedly
Aug 04 12:26:19 dlaptop auditd[862]: plugin /usr/sbin/sedispatch was restarted
Aug 04 12:26:19 dlaptop sedispatch[5277]: sedispatch is exiting on stdin EOF

[stevegrubb]

Hmm. I'll look at this. I guess the message should be qualified with the stop flag.

[stevegrubb]

What version of auditd are you using?

[stevegrubb]

I added a qualifier to the "terminated unexpectedly" message, but I can't see how the "was restarted" message is sent because the whole restart code block is qualified by !stop.

[cgzones]

Originally observed with 3.0.7, but also reproducible with 3.0.8.

Using KillMode=mixed in the [Service] section of auditd.service seems to solve this issue, as systemd by default sends on stop SIGTERM to all processes in the control group of this unit, thus the plugins can exit before the main auditd process changes the stop flag.
See https://www.freedesktop.org/software/systemd/man/systemd.kill.html

[stevegrubb]

That explains why I'm not seeing it. The default audit.service file does not allow systemctl to kill the daemon. This is because it uses dbus which hides who terminated the audit daemon. The only known solutions are using service auditd stop or auditctl --signal TERM. OK, I guess we can close this out.

[cgzones]

So it's a downstream issue due to https://sources.debian.org/src/audit/1%3A3.0.7-1/debian/patches/01-no-refusemanualstop.patch/?

[stevegrubb]

Yes. That is allowing the default behavior of killing everything instead of letting auditd manage the shutdown. Your suggested fix is likely an improvement to their patch.

[bigon]

Hello,

I think that this bug must be reopened and fixed upstream.

The option that I removed is called RefuseManualStop= that means that systemd would not allow a manual stop of the service, but it will stop auditd automatically during shutdown/reboot.

[stevegrubb]

Common Criteria requires that we collect the auid of anyone interacting with the audit daemon. So, we need the signal to come directly from the user context. The audit system queries the kernel to see who did it. The answer it gets is invalid if systemctl was used.

[bigon]

@stevegrubb yes I know that, I'm not telling that you need to remove RefuseManualStop=

I'm saying that, during shutdown/reboot (and also in some other conditions where auditd is indirectly stopped), systemd WILL send a SIGTERM signal to all the processes in the cgroup

If you want auditd to terminate the plugins itself when it receives SIGTERM you need to change the KillMode= like @cgzones suggested.

[bigon]

Any more thoughts on this?