Closed
Description
Hi team, while doing some tests with the new versions of audit, specifically version 4.0.5, on both Fedora 40 and Fedora 41, I have detected a problem when I try to restart audit with an audispd plugin configured.
The steps I am following to get to the error are:
- Create a plugin config file, `/etc/audit/plugins.d/af_test.conf`:

```
active = yes
direction = out
path = /sbin/audisp-af_unix
type = always
args = 0640 /testaudit string
format = string
```

- Restart audit, everything works as expected:

```
systemctl restart auditd
Jun 26 21:25:36 fedora40 auditd[23360]: The audit daemon is exiting.
Jun 26 21:25:36 fedora40 systemd[1]: auditd.service: Deactivated successfully.
Jun 26 21:25:36 fedora40 systemd[1]: Starting auditd.service - Security Audit Logging Service...
Jun 26 21:25:36 fedora40 auditd[45943]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Jun 26 21:25:36 fedora40 auditd[45943]: Init complete, auditd 4.0.5 listening for events (startup state enable)
Jun 26 21:25:36 fedora40 systemd[1]: Started auditd.service - Security Audit Logging Service.
Jun 26 21:25:36 fedora40 audisp-af_unix[45945]: audisp-af_unix plugin is listening for events
```

- Restart audit again, errors appear:

```
systemctl restart auditd
Jun 26 21:28:30 fedora40 systemd[1]: Stopping auditd.service - Security Audit Logging Service...
Jun 26 21:28:30 fedora40 auditd[46095]: plugin /sbin/audisp-af_unix terminated unexpectedly
Jun 26 21:28:30 fedora40 auditd[46095]: plugin /sbin/audisp-af_unix was restarted
Jun 26 21:28:30 fedora40 audisp-af_unix[46129]: Couldn't bind af_unix socket (Address already in use)
Jun 26 21:28:30 fedora40 audisp-af_unix[46129]: audisp-af_unix plugin exiting due to errors setting up socket
Jun 26 21:28:30 fedora40 auditd[46095]: The audit daemon is exiting.
Jun 26 21:28:30 fedora40 systemd[1]: auditd.service: Deactivated successfully.
Jun 26 21:28:30 fedora40 systemd[1]: Stopped auditd.service - Security Audit Logging Service.
Jun 26 21:28:30 fedora40 systemd[1]: Starting auditd.service - Security Audit Logging Service...
Jun 26 21:28:30 fedora40 auditd[46131]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Jun 26 21:28:30 fedora40 auditd[46131]: Init complete, auditd 4.0.5 listening for events (startup state enable)
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix terminated unexpectedly
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix was restarted
Jun 26 21:28:30 fedora40 systemd[1]: Started auditd.service - Security Audit Logging Service.
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix terminated unexpectedly
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix was restarted
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix terminated unexpectedly
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix was restarted
Jun 26 21:28:30 fedora40 audisp-af_unix[46159]: Couldn't bind af_unix socket (Address already in use)
Jun 26 21:28:30 fedora40 audisp-af_unix[46159]: audisp-af_unix plugin exiting due to errors setting up socket
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix terminated unexpectedly
Jun 26 21:28:30 fedora40 auditd[46131]: plugin /sbin/audisp-af_unix was restarted
```

It seems that the socket is not being closed or disconnected correctly, and this is causing duplicity problems when restarting audit (`Couldn't bind af_unix socket (Address already in use)`).
Has anyone encountered this behavior as well?
Thanks in advance for everything.