Noisy plugin termination at shutdown #272
Comments
Hmm. I'll look at this. I guess the message should be qualified with the stop flag.
What version of auditd are you using?
I added a qualifier to the "terminated unexpectedly" message, but I can't see how the "was restarted" message is sent because the whole restart code block is qualified by !stop.
Originally observed with 3.0.7, but also reproducible with 3.0.8. Using
That explains why I'm not seeing it. The default audit.service file does not allow systemctl to kill the daemon. This is because it uses dbus which hides who terminated the audit daemon. The only known solutions are using service auditd stop or auditctl --signal TERM. OK, I guess we can close this out.
So it's a downstream issue due to https://sources.debian.org/src/audit/1%3A3.0.7-1/debian/patches/01-no-refusemanualstop.patch/?
Yes. That is allowing the default behavior of killing everything instead of letting auditd manage the shutdown. Your suggested fix is likely an improvement to their patch.
Hello, I think that this bug must be reopened and fixed upstream. The option that I removed is called
Common Criteria requires that we collect the auid of anyone interacting with the audit daemon. So, we need the signal to come directly from the user context. The audit system queries the kernel to see who did it. The answer it gets is invalid if systemctl was used.
@stevegrubb yes I know that, I'm not saying that you need to remove I'm saying that, during shutdown/reboot (and also in some other conditions where auditd is indirectly stopped), systemd WILL send a SIGTERM signal to all the processes in the cgroup If you want auditd to terminate the plugins itself when it receives SIGTERM you need to change the
Any more thoughts on this?
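The mechanism described in the comment above, as an added check that is not code from the thread or from the audit-userspace project: it classifies, from a unit's `KillMode` and `RefuseManualStop` properties, whether systemd will signal the plugin processes itself or leave them to auditd. It assumes the unit is named auditd.service (overridable as the first argument) and that the properties are read with `systemctl show -p KillMode -p RefuseManualStop`; the sample property lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the audit-userspace project or the issue thread.
# With KillMode=control-group (systemd's default when the key is unset),
# systemd sends SIGTERM to every process in the unit's cgroup, so the
# plugins get the signal from systemd before auditd can stop them and auditd
# reports them as terminated unexpectedly. With KillMode=process, mixed or
# none, only auditd (the main process) is signalled first, so auditd shuts
# the plugins down itself.
# Assumptions: unit name auditd.service (override via $1); properties come
# from `systemctl show -p KillMode -p RefuseManualStop <unit>`.

# Reads KEY=VALUE lines (the `systemctl show` format) on stdin and prints
# which component signals the plugins first: "systemd" or "auditd".
plugin_terminator() {
    kill_mode=""
    refuse_stop=""
    while IFS='=' read -r key value; do
        case "$key" in
            KillMode)         kill_mode=$value ;;
            RefuseManualStop) refuse_stop=$value ;;
        esac
    done
    case "$kill_mode" in
        process|mixed|none) echo "auditd" ;;
        *)                  echo "systemd" ;;   # control-group or unset
    esac
    # RefuseManualStop only controls whether `systemctl stop` is accepted
    # (the auid attribution point raised in the thread); it does not change
    # who signals the plugins at shutdown, so it is reported, not judged.
    if [ -n "$refuse_stop" ]; then
        echo "RefuseManualStop=$refuse_stop" >&2
    fi
    return 0
}

# Constructed sample property output for the two cases (not real captures).
SAMPLE_CGROUP_KILL='KillMode=control-group
RefuseManualStop=no'
SAMPLE_PROCESS_KILL='KillMode=process
RefuseManualStop=yes'

# Query the live unit when systemd is available; otherwise run the samples.
unit="${1:-auditd.service}"
if command -v systemctl >/dev/null 2>&1; then
    systemctl show -p KillMode -p RefuseManualStop "$unit" | plugin_terminator
else
    printf '%s\n' "$SAMPLE_CGROUP_KILL" | plugin_terminator
    printf '%s\n' "$SAMPLE_PROCESS_KILL" | plugin_terminator
fi
```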
Following the example plugin code from https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c
auditd complains roughly in 1 of 4 shutdowns: