Ask Your Question

Revision history [back]

auditd fails to restart and also takes time to stop

auditd service does not restart as expected and takes a long time to stop if it does so. I can see the systemd journal logs that at end systemd has to issue a kill signal to stop it forcefully. I need auditd to restart as soon as possible as I issue a restart from my program.

Also in RHEL7.2 systemd doesn't wait for auditd to stop before it moves ahead with next steps in auditd restart process.

Can someone explain the stopping requirements for auditd and better way to do so if I want to. Thank you.

auditd fails to restart and also takes time to stop

auditd service does not restart as expected and takes a long time to stop if it does so. I can see the systemd journal logs that at end systemd has to issue a kill signal to stop it forcefully. I need auditd to restart as soon as possible as I issue a restart from my program.

Also in RHEL7.2 systemd doesn't wait for auditd to stop before it moves ahead with next steps in auditd restart process.

Can someone explain the stopping requirements for auditd and better way to do so if I want to. Thank you.

Sharing systemd Logs during the restart process:

Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting. Jul 19 15:54:38 VMRHEL72X64 systemd[1]: Child 25498 belongs to auditd.service Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service: main process exited, code=exited, status=0/SUCCESS Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Trying to enqueue job auditd.service/start/replace Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Installed new job auditd.service/start as 735 Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Enqueued job auditd.service/start as 735 Jul 19 15:54:39 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.

Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: cgroup is empty Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Unit auditd.service entered failed state. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service failed. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/auditd -n Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/auditd as 29427 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/augenrules --load Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/augenrules as 29428 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed failed -> start-post Jul 19 15:56:08 VMRHEL72X64 systemd[29427]: Executing: /sbin/auditd -n Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Starting Security Auditing Service... Jul 19 15:56:08 VMRHEL72X64 systemd[29428]: Executing: /sbin/augenrules --load Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Warning - freq is non-zero and incremental flushing not selected. Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Started dispatcher: /usr/sbin/MYDISPATCHER pid: 29430 Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Init complete, auditd 2.4.1 listening for events (startup state enable) Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: No rules Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: enabled 1 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: flag 1 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: pid 29427 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: rate_limit 0 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: backlog_limit 320 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: lost 4 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: backlog 1 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 29428 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: control process exited, code=exited status=0 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service got final SIGCHLD for state start-post Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed start-post -> running Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Job auditd.service/start finished, result=done Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Started Security Auditing Service.

click to hide/show revision 3
No.3 Revision

auditd fails to restart and also takes time to stop

auditd service does not restart as expected and takes a long time to stop if it does so. I can see the systemd journal logs that at end systemd has to issue a kill signal to stop it forcefully. I need auditd to restart as soon as possible as I issue a restart from my program.

Also in RHEL7.2 systemd doesn't wait for auditd to stop before it moves ahead with next steps in auditd restart process.

Can someone explain the stopping requirements for auditd and better way to do so if I want to. Thank you.

Sharing systemd Logs during the restart process:

Jul 19 15:54:38 VMRHEL72X64 auditd[25498]: The audit daemon is exiting.
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: Child 25498 belongs to auditd.service
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service: main process exited, code=exited, status=0/SUCCESS
Jul 19 15:54:38 VMRHEL72X64 systemd[1]: auditd.service changed running -> stop-sigterm
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Trying to enqueue job auditd.service/start/replace
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Installed new job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: Enqueued job auditd.service/start as 735
Jul 19 15:54:39 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service.

auditd.service. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service stop-sigterm timed out. Killing. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigterm -> stop-sigkill Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 25754 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26137 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 26145 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: cgroup is empty Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed stop-sigkill -> failed Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Unit auditd.service entered failed state. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service failed. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: ConditionKernelCommandLine=!audit=0 succeeded for auditd.service. Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/auditd -n Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/auditd as 29427 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: About to execute: /sbin/augenrules --load Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Forked /sbin/augenrules as 29428 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed failed -> start-post Jul 19 15:56:08 VMRHEL72X64 systemd[29427]: Executing: /sbin/auditd -n Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Starting Security Auditing Service... Jul 19 15:56:08 VMRHEL72X64 systemd[29428]: Executing: /sbin/augenrules --load Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Warning - freq is non-zero and incremental flushing not selected. Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Started dispatcher: /usr/sbin/MYDISPATCHER pid: 29430 Jul 19 15:56:08 VMRHEL72X64 auditd[29427]: Init complete, auditd 2.4.1 listening for events (startup state enable) Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: No rules Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: enabled 1 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: flag 1 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: pid 29427 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: rate_limit 0 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: backlog_limit 320 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: lost 4 Jul 19 15:56:08 VMRHEL72X64 augenrules[29428]: backlog 1 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Child 29428 belongs to auditd.service Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service: control process exited, code=exited status=0 Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service got final SIGCHLD for state start-post Jul 19 15:56:08 VMRHEL72X64 systemd[1]: auditd.service changed start-post -> running Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Job auditd.service/start finished, result=done Jul 19 15:56:08 VMRHEL72X64 systemd[1]: Started Security Auditing Service.

Service.