Description of problem:
When systemd gets the command to shut down the system, it's supposed to send the AUDIT_SYSTEM_SHUTDOWN event to the audit system. If it's not sent, then the aulast program is broken and assumes the system oopsed. It might need to send the event earlier in the shutdown phase... and it needs to give the audit system enough time to record it to disk or enqueue it into the persistent queue if remote logging is selected.
Steps to Reproduce:
reboot system boot 3.5.2-3.fc17.x86 Wed Aug 29 19:12 - crash
reboot system boot 3.5.2-3.fc17.x86 Thu Aug 30 06:12 - crash
reboot system boot 220.127.116.11-106.fc Mon May 21 07:35 - 14:31 (06:56)
reboot system boot 18.104.22.168-106.fc Mon May 21 16:01 - 18:11 (02:09)
Well, AUDIT_SYSTEM_SHUTDOWN is not the only audit event we send. We'll also send events for all the services that are stopped. We probably should make sure auditd gets those too at shutdown?
Here's what I propose: change auditd.service to include the following in the [Unit] section:
This will turn auditd into an early boot service that is mounted after all local FS are mounted but before all normal services are started. It also has the effect that it is terminated on shutdown after all normal services (this is because the shutdown order is always implicitly the reverse of the startup order in systemd).
This should give you the desired effect and you'd always collect the audit messages of all normal services startup/shutdown with auditd.
(Oh, and while you are at it: if you edit auditd.service, please drop the After=syslog.target line, it is unnecessary these days)
Reassigning to auditd.
Testing shows that this does not solve the problem either.
Since the recommendation in comment 2 did not resolve the issue, I am reassigning to systemd. We need this fixed for Common Criteria testing.
Fixed in systemd git.
Has the fix been put into a released systemd rpm? I just tested an updated F19 system and aulast is still reporting that the system always crashes instead of shutting down.
Tested this on a new F19 system. It's not working.
# ausearch --start today -m SYSTEM_SHUTDOWN
Unit file looks like this:
Description=Security Auditing Service
Has the above commit made it into Fedora? Has anyone on systemd team verified the fix? Thanks.
(In reply to Steve Grubb from comment #7)
> Has the above commit made it into Fedora? Has anyone on systemd team
> verified the fix? Thanks.
Will be in systemd-205
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Just checked this problem on F20 which uses systemd-208. Either it was never fixed or it regressed. When this was fixed, did anyone run aulast to see if it was fixed?
This seems like it's working now in F20. Not sure if an update specifically fixed it. But I'll close it in any event.
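Added example, not part of the bug thread and not aulast's own code: a simplified Python sketch of the pairing the report describes, where a SYSTEM_BOOT record with no SYSTEM_SHUTDOWN before the next boot is reported as a crash. The sample records, function names and status labels are constructed for illustration.

```python
import re

# Constructed sample records in the raw audit.log layout (not from the thread).
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1346267520.101:3): pid=412 uid=0 msg='comm="systemd-update-utmp" res=success'
type=SERVICE_STOP msg=audit(1346270000.500:88): pid=1 uid=0 msg='comm="crond" res=success'
type=SYSTEM_BOOT msg=audit(1346307120.090:3): pid=405 uid=0 msg='comm="systemd-update-utmp" res=success'
type=SYSTEM_SHUTDOWN msg=audit(1346310000.700:120): pid=2101 uid=0 msg='comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1346320000.050:3): pid=409 uid=0 msg='comm="systemd-update-utmp" res=success'
"""

# Record type and the epoch seconds from the msg=audit(<sec>.<ms>:<serial>) header.
RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:\d+\)")


def boot_sessions(log_text):
    """Pair boot and shutdown records into (boot_ts, end_ts, status) tuples.

    status is "down" (shutdown recorded), "crash" (next boot seen with no
    shutdown record in between) or "still running" (last boot, no shutdown).
    """
    sessions = []
    boot = None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts = m.group(1), int(m.group(2))
        if rtype == "SYSTEM_BOOT":
            if boot is not None:
                # The shutdown event never reached the log for the prior boot.
                sessions.append((boot, None, "crash"))
            boot = ts
        elif rtype == "SYSTEM_SHUTDOWN" and boot is not None:
            sessions.append((boot, ts, "down"))
            boot = None
    if boot is not None:
        sessions.append((boot, None, "still running"))
    return sessions


def unclean_boots(log_text):
    """Boot timestamps whose session has no recorded SYSTEM_SHUTDOWN."""
    return [b for b, _, status in boot_sessions(log_text) if status == "crash"]


if __name__ == "__main__":
    for boot, end, status in boot_sessions(SAMPLE_LOG):
        print(boot, end if end is not None else "-", status)
```

Run over the real audit log after a clean reboot, an entry in `unclean_boots` for that boot means the shutdown event was not written before auditd stopped.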