When the init 6 command is used to reboot a system recently upgraded from 11.3 to 11.4 using pkg, the system halts during shutdown since it cannot send audit files to sstore.
Console Error:
"auditd[1037]: Couldn't send 458 audit events to sstore(7)"
This issue is different from that described in https://support.oracle.com/epmos/faces/DocumentDisplay?id=2471754.1&displayIndex=1#SYMPTOM
Log files show the following:
tail /var/svc/log/system-auditd:default.log
class stats sstore setup completed
[ 2019 Feb 19 15:19:46 Stopping because service disabled. ]
[ 2019 Feb 19 15:19:46 Executing stop method (:kill). ]
auditd stopped
Couldn't send 458 audit events to sstore(7) -> this is the error displayed at the console
->system reset
[ 2019 Feb 20 08:36:56 Enabled. ]
[ 2019 Feb 20 08:37:23 Executing start method ("/lib/svc/method/svc-auditd"). ]
auditd started
[ 2019 Feb 20 08:37:23 Method "start" exited with status 0. ]
class stats sstore setup completed
sstore seems to be configured correctly in terms of flags--auditd does not appear to go into maintenance mode
svscs auditd shows online
caveats:
1. this server received security hardening applied to it, including setting up auditing flags for command line arguments
2. using the "reboot" command vs. the init 6 command does not cause the same halt behavior
3. While halted, the server is pingable but will not accept PuTTY remote connections or respond to keyboard input at the console--needs to be reset
4. auditing logs are populating in /var/audit as I believe they are supposed to
It appears the init 6 command tells the auditd service to stop before it transmits all the audit logs, but I am not sure.
If anyone has experience with this, your input would be appreciated.