auditd fails to restart and also takes time to stop

asked 2016-07-18 19:34:15 -0500

updated 2016-07-19 11:10:22 -0500

florian

The auditd service does not restart as expected and takes a long time to stop if it does so. I can see in the systemd journal logs that at the end systemd has to issue a kill signal to stop it forcefully. I need auditd to restart as soon as possible as I issue a restart from my program.

Also, in RHEL 7.2 systemd doesn't wait for auditd to stop before it moves ahead with the next steps in the auditd restart process.

Can someone explain the stopping requirements for auditd and a better way to do so if I want to? Thank you.

Sharing systemd Logs during the restart process:

Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting.
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: Child 25498 belongs to auditd.service
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service: main process exited, code=exited, status=0/SUCCESS
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Trying to enqueue job auditd.service/start/replace
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Installed new job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Enqueued job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.

Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: cgroup is empty
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Unit auditd.service entered failed state.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service failed.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/auditd -n
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/auditd as 29427
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/augenrules --load
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/augenrules as 29428
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed failed -> start-post
Jul 19 15:56:08 VMRHEL72X64 systemd[29427]: Executing: /sbin/auditd -n
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Starting Security Auditing Service...
Jul 19 15:56:08 VMRHEL72X64 systemd[29428]: Executing: /sbin/augenrules --load
Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Warning - freq is non-zero and incremental flushing not selected.
Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Started dispatcher: /usr/sbin/MYDISPATCHER pid: 29430
Jul 19 15:56 ...

Comments

Hi, welcome to ask.fedora. With a few clicks, I formatted your question to make it more readable. For the future, if you paste logs or outputs, just mark them and then click the 101010 symbol.

florian ( 2016-07-19 11:12:58 -0500 )

So do I read your question correctly in thinking that you are writing your own program which makes use of the auditd subsystem and it is from that program that you are instructing the auditd service to restart? If so, it may well be that the problem preventing auditd from terminating gracefully is in your program's code. Let me know if I'm understanding properly.

bitwiseoperator ( 2016-07-19 11:46:08 -0500 )

Yes, you are correct. I am restarting auditd from within my own dispatcher. Steps - 1. forking a process in my dispatcher (this one will exit after fork gracefully) 2. I issue "service auditd restart" from the forked child process. The restart works and my dispatcher starts again, but it takes a while for auditd to die in the first place. Restarting has issues in RHEL 7.2: if you do a fresh "service auditd restart" from the console if auditd is already running, then the dispatcher starts before auditd dies and restarts. This does not happen in RHEL 7. I noticed a change in -9 second delay in script

satyajitg2 ( 2016-07-19 19:34:19 -0500 )

Thank you florian and bitwiseoperator.

satyajitg2 ( 2016-07-19 19:37:29 -0500 )
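
Added example, not written by anyone in this thread: a small Python parser for the systemd journal excerpt in the question that measures how long auditd.service sat in stop-sigterm before a new daemon was forked and lists the PIDs in the unit that only exited after SIGKILL. The function name, the report keys and the year argument are assumptions made for the illustration; the sample lines are taken from the question's log.

```python
import re
from datetime import datetime

# Journal lines taken from the question's excerpt, trimmed to the stop/start events.
SAMPLE = """\
Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting.
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: Child 25498 belongs to auditd.service
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing.
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/auditd as 29427
Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/augenrules as 29428
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ systemd\[1\]: (.*)$")
STATE = re.compile(r"^(\S+) changed (\S+) -> (\S+)$")
CHILD = re.compile(r"^Child (\d+) belongs to (\S+)$")
FORK = re.compile(r"^Forked (\S+) as (\d+)$")

def stop_report(text, unit="auditd.service", daemon="/sbin/auditd", year=2016):
    """Summarise one stop/start cycle of `unit` from syslog-style journal text."""
    r = {"stop_at": None, "sigkill": False, "killed_pids": [], "restart_at": None}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a systemd (PID 1) message
        # The syslog timestamp carries no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (s := STATE.match(msg)) and s.group(1) == unit:
            if s.group(3) == "stop-sigterm":
                r["stop_at"] = ts
            elif s.group(3) == "stop-sigkill":
                r["sigkill"] = True
        elif (c := CHILD.match(msg)) and c.group(2) == unit and r["sigkill"]:
            r["killed_pids"].append(int(c.group(1)))  # exit reported only after SIGKILL
        elif (f := FORK.match(msg)) and f.group(1) == daemon and r["stop_at"]:
            r["restart_at"] = r["restart_at"] or ts
    if r["stop_at"] and r["restart_at"]:
        # Seconds between the stop request and the new daemon being forked.
        r["gap_seconds"] = int((r["restart_at"] - r["stop_at"]).total_seconds())
    return r

if __name__ == "__main__":
    print(stop_report(SAMPLE))
```

On the excerpt it reports a 90-second gap, which matches systemd's default stop timeout, and three PIDs still in the unit when SIGKILL was sent.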