Bug 853104

Summary: Systemd is not sending AUDIT_SYSTEM_SHUTDOWN events
Product: [Fedora] Fedora Reporter: Steve Grubb <sgrubb>
Component: systemdAssignee: systemd-maint
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: high    
Version: 20CC: harald, johannbg, jrieden, lnykryn, lpoetter, metherid, mschmidt, msekleta, plautrba, rvokal, sforsber, sgrubb, systemd-maint, vpavlin, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1053600 (view as bug list) Environment:
Last Closed: 2014-04-10 12:47:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 853068, 1053600    

Description Steve Grubb 2012-08-30 14:23:51 UTC 
Description of problem:
When systemd gets the command to shut down the system, its supposed to send the AUDIT_SYSTEM_SHUTDOWN event to the audit system. If its not sent, then the aulast program is broken and assumes the system oopsed. It might need to send the event earlier in the shutdown phase...and it needs to give the audit system enough time to record it to disk or enqueue it into the persistent queue if remote logging is selected.

How reproducible:
always

Steps to Reproduce:
1. aulast
  
Actual results:
reboot   system boot  3.5.2-3.fc17.x86 Wed Aug 29 19:12 - crash
reboot   system boot  3.5.2-3.fc17.x86 Thu Aug 30 06:12 - crash


Expected results:
reboot   system boot  2.6.35.14-106.fc Mon May 21 07:35 - 14:31  (06:56)
reboot   system boot  2.6.35.14-106.fc Mon May 21 16:01 - 18:11  (02:09)
Comment 1 Lennart Poettering 2012-09-13 09:15:44 UTC 
Well, AUDIT_SYSTEM_SHUTDOWN is not the only audit event we send. We'll also send events for all the services that are stopped. We probably should make sure auditd gets those too at shutdown? 

Here's what I propose: change auditd.service to include the followin in the [Unit] section:

DefaultDependencies=no
After=local-fs.target
Conflicts=shutdown.target
Before=sysinit.target shutdown.target

This will turn auditd into an early boot service that is mounted after all local FS are mounted but before all normal services are started. It also has the effect that it is terminated on shutdown after all normal services (this is because the shutdown order is always implicitly the reverse of the startup order in systemd).

This should give you the desired effect and you'd always collect the audit messages of all normal services startup/shutdown with auditd.

(Oh, and while you are at it: if you edit auditd.service, please drop the After=syslog.target line, it is unnecessary these days)

Reassigning to auditd.
Comment 2 Steve Grubb 2012-12-03 21:53:07 UTC 
Testing shows that this does not solve the problem either.
Comment 3 Suzanne Forsberg 2013-03-14 15:54:54 UTC 
Since the recommendation in comment 2 did not resolve the issue, I am reassigning to systemd. We need this fixed for Common Criteria testing.
Comment 4 Lennart Poettering 2013-05-15 22:25:43 UTC 
Fixed in systemd git.
Comment 5 Michal Schmidt 2013-05-16 12:19:37 UTC 
http://cgit.freedesktop.org/systemd/systemd/commit/?id=3f92e4b4b61042391bd44de4dceb18177df0dd57
Comment 6 Steve Grubb 2013-06-01 15:01:33 UTC 
Has the fix been put into a released systemd rpm? I just tested an updated F19 system and aulast is still reporting that the system always crashes instead of shutting down.
Comment 7 Steve Grubb 2013-07-03 19:07:56 UTC 
Tested this on a new F19 system. Its not working.

# ausearch --start today -m SYSTEM_SHUTDOWN
<no matches>

Unit file looks like this:

[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes

Has the above commit made it into Fedora? Has anyone on systemd team verified the fix? Thanks.
Comment 8 Harald Hoyer 2013-07-04 08:28:34 UTC 
(In reply to Steve Grubb from comment #7)
> Has the above commit made it into Fedora? Has anyone on systemd team
> verified the fix? Thanks.

Will be in systemd-205
Comment 9 Fedora End Of Life 2013-12-21 15:38:25 UTC 
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 10 Steve Grubb 2014-01-14 18:09:49 UTC 
Just checked this problem on F20 which uses systemd-208. Either it was never fixed or it regressed. When this was fixed, did anyone run aulast to see if it was fixed?
Comment 11 Steve Grubb 2014-04-10 12:47:26 UTC 
This seems like its working now in F20. Not sure if an update specifically fixed it. But I'll close it in any event.