
[ISSUE] auditd cannot be stopped/restarted

ㅎㄷㄹㅁㅇ 2022. 1. 25. 17:59

auditd cannot be stopped / restarted

The auditd daemon handles security-related information on a Linux system. It collects the security logs and system logs produced on the host; the aim is to review those logs and detect problems early so that a larger incident can be prevented.

More detail on auditd itself will follow in a later post.

Symptoms

The auditd daemon could not be restarted with the systemctl command.

(Observed on CentOS 7 / RHEL 7)

[root@localhost cron]# systemctl status auditd.service 
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-01-25 14:50:41 KST; 2min 38s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 15733 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 15728 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 15729 (auditd)
   CGroup: /system.slice/auditd.service
           └─15729 /sbin/auditd
Jan 25 14:50:41 localhost augenrules[15733]: lost 0
Jan 25 14:50:41 localhost augenrules[15733]: backlog 0
Jan 25 14:50:41 localhost augenrules[15733]: enabled 1
Jan 25 14:50:41 localhost augenrules[15733]: failure 1
Jan 25 14:50:41 localhost augenrules[15733]: pid 15729
Jan 25 14:50:41 localhost augenrules[15733]: rate_limit 0
Jan 25 14:50:41 localhost augenrules[15733]: backlog_limit 8192
Jan 25 14:50:41 localhost augenrules[15733]: lost 0
Jan 25 14:50:41 localhost augenrules[15733]: backlog 0
Jan 25 14:50:41 localhost systemd[1]: Started Security Auditing Service.


### restart fails, with the following message ###
[root@localhost cron]# systemctl restart auditd.service 
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.


### restart with the service command instead of systemctl ###
[root@localhost cron]# service auditd restart 
Stopping logging: [  OK  ]
[ 8234.289388] type=1305 audit(1643090016.576:4231): audit_pid=0 old=15729 auid=4294967295 ses=4294967295 res=1
[ 8234.291768] type=1131 audit(1643090016.579:4232): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Redirecting start to /bin/systemctl start auditd.service
[ 8235.291825] type=1305 audit(1643090017.579:4233): audit_enabled=1 old=1 auid=4294967295 ses=4294967295 res=1
[ 8235.293747] type=1305 audit(1643090017.581:4234): audit_pid=15848 old=0 auid=4294967295 ses=4294967295 res=1


[root@localhost cron]# systemctl status auditd.service 
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2022-01-25 14:53:37 KST; 2s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 15852 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 15847 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 15848 (auditd)
   CGroup: /system.slice/auditd.service
           └─15848 /sbin/auditd

Jan 25 14:53:37 localhost augenrules[15852]: lost 0
Jan 25 14:53:37 localhost augenrules[15852]: backlog 1
Jan 25 14:53:37 localhost augenrules[15852]: enabled 1
Jan 25 14:53:37 localhost augenrules[15852]: failure 1
Jan 25 14:53:37 localhost augenrules[15852]: pid 15848
Jan 25 14:53:37 localhost augenrules[15852]: rate_limit 0
Jan 25 14:53:37 localhost augenrules[15852]: backlog_limit 8192
Jan 25 14:53:37 localhost augenrules[15852]: lost 0
Jan 25 14:53:37 localhost augenrules[15852]: backlog 0
Jan 25 14:53:37 localhost systemd[1]: Started Security Auditing Service.

Resolution

It was confirmed that the restart succeeds when it is performed with the service command rather than with systemctl.

stop and restart are not possible through the systemctl command. The error message above gives the reason: the auditd unit is configured to refuse manual start/stop, a deliberate safeguard so that the audit daemon is not switched off casually, and the service command takes a different path that is allowed to complete.

ex) service auditd restart

     service auditd stop
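As an added example (not part of the original post), a small POSIX shell helper that picks the right restart command from the unit's RefuseManualStop property and then checks `auditctl -s` style output, the same `enabled`/`pid` lines that augenrules printed above. The function names are hypothetical and the inputs used in the usage section are constructed.

```shell
#!/bin/sh
# Added example: decide how to restart auditd on RHEL 7 / CentOS 7 and verify
# afterwards that auditing is still enabled. The functions read stdin so they
# work on captured text as well as on live systemctl/auditctl output.

# Read "Key=value" lines as printed by `systemctl show -p RefuseManualStop UNIT`
# and succeed (exit 0) when the unit refuses manual stop/restart.
refuses_manual_stop() {
    grep -q '^RefuseManualStop=yes$'
}

# Print the command that will actually work for the given unit, based on the
# RefuseManualStop value fed on stdin (hypothetical helper name).
pick_restart_command() {
    unit="$1"
    if refuses_manual_stop; then
        # systemd refuses the manual restart; fall back to the service wrapper
        printf 'service %s restart\n' "${unit%.service}"
    else
        printf 'systemctl restart %s\n' "$unit"
    fi
}

# Parse `auditctl -s` output ("enabled 1", "pid 15848", ...) from stdin and
# succeed only if auditing is enabled and a non-zero daemon pid is registered.
audit_is_healthy() {
    awk '
        $1 == "enabled" { enabled = $2 }
        $1 == "pid"     { pid = $2 }
        END { exit !(enabled == 1 && pid > 0) }
    '
}

# Live usage on a RHEL 7 host (run as root): sh restart_auditd.sh --live
if [ "${1:-}" = "--live" ]; then
    cmd=$(systemctl show -p RefuseManualStop auditd.service \
          | pick_restart_command auditd.service)
    echo "restarting auditd with: $cmd"
    $cmd
    auditctl -s | audit_is_healthy \
        || { echo "auditd is NOT collecting events after restart" >&2; exit 1; }
fi
```

Without `--live` the script only defines the functions, so it can be sourced and the checks fed with captured output.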


* Reference sites & documents
Unable to restart/stop auditd service using systemctl command in RHEL7 - Red Hat Customer Portal
