Hello, On Wednesday, August 11, 2021 1:32:37 PM EDT Brown, Thomas wrote: > The following auditd segfault occurs during shutdown but can be > reproduced using the service stop command...
Which version of the audit package is this? There was a known shutdown problem on 3.0.3 that was fixed in 3.0.4. > service auditd stop 2root@aug-test:/# 2021 Aug 4 12:47:22 aug-test > Process 687 (auditd) of user 0 dumped core. 34Stack trace of thread 687: > 5#0 0x00007f18bb1657e4 fclose (libc.so.6) 6#1 0x000055b88ab50ec0 n/a > (auditd) 7#2 0x000055b88ab4e421 n/a (auditd) 8#3 0x000055b88ab4d9a7 n/a > (auditd) 9#4 0x00007f18bb11a09b __libc_start_main (libc.so.6) 10#5 > 0x000055b88ab4df4a n/a (auditd) This says auditd dumped core on a fclose. My guess would be that it's in auditd-event.c. > Setting AUDIT_WRITE_LOGS to "yes" corrects this problem however we have > a requirement to disable these logs (i.e. AUDIT_WRITE_LOGS needs to be > set to "no") > > After perusing the source I suspect that one of these unconditional > fclose()s is causing the problem... Thanks for looking. But the patch applies to standalone utilities rather than the audit daemon. <snip> > However I have not tested these changes. Even though this is a benign > problem I believe that it warrants a correction. Please open a ticket > and respond with the ticket id so that we can track this problem/solution. I am about to release audit-3.0.5 today. I think I see a couple places where this could use an if (log_file). It would be helpful to know which version of the audit package that you are using. Thanks, -Steve -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
