Red Hat Bugzilla – Bug 165611
initscript shutdown, hwclock, and auditing
Last modified: 2014-03-16 22:55:19 EDT
Description of problem:
With the current version of util-linux, audit, kernel, and initscripts, a message is hitting the console with audit information. hwclock was patched to send an audit event, as any changes to it are part of CC security targets.
However, the audit daemon has already exited by the time the hwclock sync is done during shutdown or reboot. The hwclock sync really needs to be done earlier so that it gets recorded by the audit daemon...and as a side effect...stops annoying users. I don't think it makes a big difference if the hwclock sync happens earlier, does it?
Steps to Reproduce:
1. make sure current audit, kernel, util-linux, and initscripts are installed
2. shutdown computer
3. watch console for audit event related to hwclock
Actual Results: msg=audit(1123702797.998:1420642): user pid=4440 uid=0 auid=0 msg='hwclock: op=changing system time id=0 res=success'
Expected Results: no messages
How can we be sure that more of these won't come later?
Is it possible for the audit system to disable printing to console on exit?
The issue is that changes to the hardware clock are an auditable event in CAPP
and LSPP. We are missing that event because the clock sync occurs after the
audit daemon has been terminated. There may be other audit messages that hit the
screen on shutdown, but they probably aren't in the security target like hwclock.
The audit daemon could do something with dmesg to quieten messages that hit the
screen, but something important not related to auditing might get suppressed.
The problem is that creating a separate script *just* for syncing the clock is
certainly way too much overkill; realistically, it's at the proper place now.
I was thinking this is just re-ordering what is in /etc/rc.d/init.d/halt. That's
The reason that this needs to be done is not because of getting rid of messages
to the console (although people would like that), it's about getting the sync
done while the audit daemon is alive so that the event is properly recorded. All
changes to hwclock are an auditable event in CAPP security targets.
I have been considering adding this to U3 proposed since it's a hole in auditing.
Just moving it? You're implying that audit doesn't die when you shut down the
service, only when the killall command in halt is run?
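The ordering question raised above can be checked statically: the following is an added example (not code from the bug report or from initscripts) that scans a halt script and fails when the hwclock sync comes after the audit daemon is stopped, whether by an explicit "auditd stop" or by the generic killall of all processes. The two halt scripts it checks are constructed stand-ins, not the real /etc/rc.d/init.d/halt.

```sh
#!/bin/sh
# Added example (not code from the bug report or from initscripts): a static
# check that a halt script syncs the hardware clock before the audit daemon
# is stopped, so that the hwclock audit event is still recorded by auditd.

# first_match FILE REGEX -> prints the 1-based line number of the first
# non-comment line matching REGEX, or 0 if none matches.
first_match() {
    n=$(grep -n -E "^[^#]*($2)" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_halt_order FILE -> exit 0 when the hwclock sync precedes the audit
# daemon stop (an explicit "auditd stop" or the generic killall of all
# processes); exit 1 when either step is missing or the order is wrong.
check_halt_order() {
    hw=$(first_match "$1" 'hwclock')
    au=$(first_match "$1" 'auditd[[:space:]]+stop|killall')
    [ "$hw" -gt 0 ] && [ "$au" -gt 0 ] && [ "$hw" -lt "$au" ]
}

TMP=$(mktemp -d)

# Constructed stand-in for the ordering the report describes: all processes
# (auditd included) are sent TERM first, then the clock is synced.
cat > "$TMP/halt.before" <<'EOF'
# Sending all processes the TERM signal
killall5 -15
# Syncing hardware clock to system time
hwclock --systohc
EOF

# Constructed stand-in for the proposed re-ordering: sync first, then kill.
cat > "$TMP/halt.after" <<'EOF'
# Syncing hardware clock to system time
hwclock --systohc
# Sending all processes the TERM signal
killall5 -15
EOF

for f in "$TMP/halt.before" "$TMP/halt.after"; do
    if check_halt_order "$f"; then
        echo "$f: ok, hwclock sync runs while auditd is alive"
    else
        echo "$f: hwclock sync happens after the audit daemon is stopped"
    fi
done
```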
I spoke with Klaus of atsec about this bug report. He said that if we have not
written any code at this point, not to worry about it. He feels this is in the
nice-to-have category and can be explained away in Security Targets. So...if no
code has been written, this bug report can be closed.
Hasn't been changed yet, so closing.
*** Bug 210929 has been marked as a duplicate of this bug. ***
Well, it's nice that it's closed, but it looks like something is going wrong,
which is why I filed bug 210929.
The Fedora wiki states that all AVC messages for software installed by default
are blockers, so I find it odd that this gets swept under the carpet.
*** Bug 251213 has been marked as a duplicate of this bug. ***
I have the same opinion as lsof. It should be fixed as stated in the wiki. And
more than 2 years to fix a "nice to have" bug that all users run into when
shutting down their system is a lot, honestly.