Bug 853104 - Systemd is not sending AUDIT_SYSTEM_SHUTDOWN events
Summary: Systemd is not sending AUDIT_SYSTEM_SHUTDOWN events
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 853068 1053600
Reported: 2012-08-30 14:23 UTC by Steve Grubb
Modified: 2014-04-10 12:47 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1053600 (view as bug list)
Last Closed: 2014-04-10 12:47:26 UTC
Type: Bug


Description Steve Grubb 2012-08-30 14:23:51 UTC
Description of problem:
When systemd gets the command to shut down the system, it's supposed to send the AUDIT_SYSTEM_SHUTDOWN event to the audit system. If it's not sent, then the aulast program is broken and assumes the system oopsed. It might need to send the event earlier in the shutdown phase...and it needs to give the audit system enough time to record it to disk or enqueue it into the persistent queue if remote logging is selected.

How reproducible:

Steps to Reproduce:
1. aulast
Actual results:
reboot   system boot  3.5.2-3.fc17.x86 Wed Aug 29 19:12 - crash
reboot   system boot  3.5.2-3.fc17.x86 Thu Aug 30 06:12 - crash

Expected results:
reboot   system boot Mon May 21 07:35 - 14:31  (06:56)
reboot   system boot Mon May 21 16:01 - 18:11  (02:09)
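
Added example (not part of the original report, and not aulast's own code): a simplified Python illustration of the pairing the description relies on, where a SYSTEM_BOOT record with no SYSTEM_SHUTDOWN before the next SYSTEM_BOOT is reported as a crash. The log lines are constructed sample data, and the names boot_sessions and format_session are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed audit.log-style records (sample data, not from a real host).
SAMPLE_LOG = """\
type=SYSTEM_BOOT msg=audit(1337585700.101:4): pid=612 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_SHUTDOWN msg=audit(1337610660.500:311): pid=2901 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SYSTEM_BOOT msg=audit(1346267520.090:4): pid=598 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" res=success'
type=SERVICE_STOP msg=audit(1346290000.000:250): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="sshd" res=success'
type=SYSTEM_BOOT msg=audit(1346307120.075:4): pid=601 uid=0 auid=4294967295 ses=4294967295 msg=' comm="systemd-update-utmp" res=success'
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")

def boot_sessions(log_text):
    """Return (boot_ts, end_ts, status) for every SYSTEM_BOOT record.

    'down'          - a SYSTEM_SHUTDOWN record closed the session
    'crash'         - the next SYSTEM_BOOT arrived with no shutdown record;
                      end_ts is the last record seen before that boot
    'still running' - last boot in the log, nothing closed it yet
    """
    sessions, boot, last_seen = [], None, None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, ts = m.group(1), int(m.group(2))
        if rtype == "SYSTEM_BOOT":
            if boot is not None:  # previous session never logged a shutdown
                sessions.append((boot, last_seen, "crash"))
            boot = ts
        elif rtype == "SYSTEM_SHUTDOWN" and boot is not None:
            sessions.append((boot, ts, "down"))
            boot = None
        last_seen = ts
    if boot is not None:
        sessions.append((boot, None, "still running"))
    return sessions

def format_session(session):
    """Render one session roughly the way the report's output lines look (UTC)."""
    boot, end, status = session
    start = datetime.fromtimestamp(boot, timezone.utc).strftime("%a %b %d %H:%M")
    if status != "down":
        return f"reboot   system boot  {start} - {status}"
    mins = (end - boot) // 60
    stop = datetime.fromtimestamp(end, timezone.utc).strftime("%H:%M")
    return f"reboot   system boot  {start} - {stop}  ({mins // 60:02d}:{mins % 60:02d})"

if __name__ == "__main__":
    for s in boot_sessions(SAMPLE_LOG):
        print(format_session(s))
```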

Comment 1 Lennart Poettering 2012-09-13 09:15:44 UTC
Well, AUDIT_SYSTEM_SHUTDOWN is not the only audit event we send. We'll also send events for all the services that are stopped. We probably should make sure auditd gets those too at shutdown? 

Here's what I propose: change auditd.service to include the following in the [Unit] section:

Before=sysinit.target shutdown.target

This will turn auditd into an early boot service that is mounted after all local FS are mounted but before all normal services are started. It also has the effect that it is terminated on shutdown after all normal services (this is because the shutdown order is always implicitly the reverse of the startup order in systemd).

This should give you the desired effect and you'd always collect the audit messages of all normal services startup/shutdown with auditd.

(Oh, and while you are at it: if you edit auditd.service, please drop the After=syslog.target line, it is unnecessary these days)

Reassigning to auditd.

Comment 2 Steve Grubb 2012-12-03 21:53:07 UTC
Testing shows that this does not solve the problem either.

Comment 3 Suzanne Forsberg 2013-03-14 15:54:54 UTC
Since the recommendation in comment 2 did not resolve the issue, I am reassigning to systemd. We need this fixed for Common Criteria testing.

Comment 4 Lennart Poettering 2013-05-15 22:25:43 UTC
Fixed in systemd git.

Comment 6 Steve Grubb 2013-06-01 15:01:33 UTC
Has the fix been put into a released systemd rpm? I just tested an updated F19 system and aulast is still reporting that the system always crashes instead of shutting down.

Comment 7 Steve Grubb 2013-07-03 19:07:56 UTC
Tested this on a new F19 system. It's not working.

# ausearch --start today -m SYSTEM_SHUTDOWN
<no matches>

Unit file looks like this:

Description=Security Auditing Service
Before=sysinit.target shutdown.target

Has the above commit made it into Fedora? Has anyone on systemd team verified the fix? Thanks.

Comment 8 Harald Hoyer 2013-07-04 08:28:34 UTC
(In reply to Steve Grubb from comment #7)
> Has the above commit made it into Fedora? Has anyone on systemd team
> verified the fix? Thanks.

Will be in systemd-205

Comment 9 Fedora End Of Life 2013-12-21 15:38:25 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 10 Steve Grubb 2014-01-14 18:09:49 UTC
Just checked this problem on F20 which uses systemd-208. Either it was never fixed or it regressed. When this was fixed, did anyone run aulast to see if it was fixed?

Comment 11 Steve Grubb 2014-04-10 12:47:26 UTC
This seems like it's working now in F20. Not sure if an update specifically fixed it. But I'll close it in any event.
