Hello, The following auditd segfault occurs during shutdown but can be reproduced using the service stop command... service auditd stop 2root@aug-test:/# 2021 Aug 4 12:47:22 aug-test Process 687 (auditd) of user 0 dumped core. 34Stack trace of thread 687: 5#0 0x00007f18bb1657e4 fclose (libc.so.6) 6#1 0x000055b88ab50ec0 n/a (auditd) 7#2 0x000055b88ab4e421 n/a (auditd) 8#3 0x000055b88ab4d9a7 n/a (auditd) 9#4 0x00007f18bb11a09b __libc_start_main (libc.so.6) 10#5 0x000055b88ab4df4a n/a (auditd) Setting AUDIT_WRITE_LOGS to "yes" corrects this problem however we have a requirement to disable these logs (i.e. AUDIT_WRITE_LOGS needs to be set to "no") After perusing the source I suspect that one of these unconditional fclose()s is causing the problem... git diff ./src/aureport.c
diff --git a/src/aureport.c b/src/aureport.c
index 22618f0..6359144 100644
--- a/src/aureport.c
+++ b/src/aureport.c
@@ -277,7 +277,8 @@ static int process_log_fd(const char *filename)
                 list_clear(entries);
                 free(entries);
         } while (ret == 0);
-       fclose(log_fd);
+       if (log_fd)
+               fclose(log_fd);
         // This is the per file action items
         very_last_event.sec = last_event.sec;
         very_last_event.milli = last_event.milli;
git diff ./src/ausearch.c
diff --git a/src/ausearch.c b/src/ausearch.c
index 4a6bdae..df14df5 100644
--- a/src/ausearch.c
+++ b/src/ausearch.c
@@ -481,7 +481,8 @@ static int process_log_fd(void)
                                 checkpt_failure |= CP_CORRUPTED;
                                 list_clear(entries);
                                 free(entries);
-                               fclose(log_fd);
+                               if (log_fd)
+                                       fclose(log_fd);
                                 return 10;
                         }
                         if (just_one) {
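Review bot: The guard added before `fclose(log_fd)` in src/aureport.c's process_log_fd() probably does not reach the fclose() in the reported trace: the core dump is from the auditd process, while aureport.c and ausearch.c appear (from their names) to build the separate aureport and ausearch tools rather than the daemon. The NULL stream closed at shutdown with AUDIT_WRITE_LOGS set to "no" is more likely on the daemon's own log-file shutdown path, and that is where a check before fclose() is needed. Rebuilding auditd with debug symbols would resolve the `n/a` frames and identify the caller before any of these hunks is applied. Within this hunk the test also comes after the do/while loop, which presumably already reads from log_fd, so a NULL stream would be expected to fail earlier; the function starts outside the hunk, so this needs checking against the full body.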
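Review bot: After the guarded `fclose(log_fd)` before `return 10;` in src/ausearch.c, log_fd still holds the closed stream, so the new NULL test cannot prevent a second close or a later use of the stale pointer. log_fd looks like a file-scope variable, since process_log_fd(void) takes no arguments and the hunk declares nothing. Clearing it at each close, `if (log_fd) { fclose(log_fd); log_fd = NULL; }`, would make the guard meaningful. The same applies to the `return 4;` path and the final close in the two later ausearch.c hunks, and to the aureport.c hunk. The function begins and ends outside this hunk, so how log_fd is opened and reused between calls is not visible here.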
@@ -497,7 +498,8 @@ static int process_log_fd(void)
                         if (set_ChkPtLastEvent(&entries->e)) {
                                 list_clear(entries);
                                 free(entries);
-                               fclose(log_fd);
+                               if (log_fd)
+                                       fclose(log_fd);
                                 return 4;       /* no memory */
                         }
                 }
@@ -505,7 +507,8 @@ static int process_log_fd(void)
                 list_clear(entries);
                 free(entries);
         } while (ret == 0);
-       fclose(log_fd);
+       if (log_fd)
+               fclose(log_fd);
         return 0;
 }
However I have not tested these changes.  Even though this is a benign problem I believe that it warrants a correction. Please open a ticket and respond with the ticket id so that we can track this problem/solution. -- Kind Regards, Thomas Brown Linux Developer EPS PBU RT Solution Services 411 Leggett Drive Suite 502 Kanata, ON, Canada K2K 3C9 Tel: 613-963-1016 Fax: 613-599-1060