
Re: Problem with start of auditd on 2.6.13-2smp machine
Steve,
  Thanks for the quick response.
  Technically I do not need file system auditing. My primary goal is
to get rid of the thousands of messages in /var/log/messages of the
type:
Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user pid=1855 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

The system is based on RHEL4. It comes with audit-0.5-1 and
audit-libs-1.0.3-6.EL4 installed.
I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
moves the audit messages above to /var/log/audit/audit.log.
Even with the error at start, this is accomplished.

If you have another way to achieve my goal I am willing to
try it.

Lisa


Steve Grubb wrote:
> On Tuesday 10 January 2006 12:44, Lisa Giacchetti wrote:
> 
> > I have a redhat enterprise linux 4 update 1 based system running
> > 2.6.13-2smp kernel with audit-1.0.3-6.EL4 and audit-libs-1.0.3-6.EL4
> > installed.
> 
> That kernel does not sound like a RHEL4 kernel. The RHEL4 kernel carries all the patches that the kernel needs for the audit system to work.
> 
> > The problem is that when I start auditd I get this error:
> >
> > [root cmsstor02 etc]# /etc/init.d/auditd start
> > Starting auditd:                                           [  OK  ]
> > Error receiving watch list (Invalid argument)
> > There was an error in line 5 of /etc/audit.rules
> 
> Non-RHEL4 kernels do not have the right patch for file system auditing. When it was sent upstream, there was some consolidation with inotify suggested before acceptance. That work is still in progress. So...no kernel except the RHEL4 kernel really has the file system auditing at this point.
> 
> > auditd actually starts but I am concerned that the -D
> > option (which is what is on line 5 of /etc/audit.rules)
> > is not being recognized or honored.
> 
> If you do not need file system auditing, then you can safely ignore this. If you do need it, you need to change kernels.
> 
> > I see that newer versions of the audit rpm may have fixed this
> 
> That one is older.
> 
> > "* Thu May 26 2005 Steve Grubb <sgrubb redhat com> 0.9-1
> >   - Translate numeric info to human readable for ausearch output
> >   - add '-if' option to ausearch to select input file
> >   - add '-c' option to ausearch to allow searching by comm field
> >   - init script now deletes all rules when daemon stops
> >   - Make auditctl display perms correctly in watch listings
> > ***  - Make auditctl -D remove all watches"
> >
> > but I do not have the glibc-kernheaders needed. Mine
> > are glibc-kernheaders-2.4-9.1.87 and audit-1.0.1201 needs
> > glibc-kernheaders>=2.4-9.1.95.
> 
> We ship all the right pieces so that RHEL4 stuff is coordinated with itself and FC4 is coordinated with itself. 1.0.12 will be released with U3 update, but it will not solve the problem you are reporting.
> 
> -Steve


--

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
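The messages Lisa wants out of /var/log/messages are kernel audit records written through syslog, in the `audit(<epoch>.<ms>:<serial>): <type> key=value ...` form quoted above. Until they land in /var/log/audit/audit.log where ausearch can read them, a defender still has to make sense of them in the syslog stream. The following parser is an added example for this thread, not code from the list, from auditd, or from either poster. It takes the exact line Lisa quoted plus one constructed companion line, splits the kernel header from the fields, unquotes the nested `msg='...'` value, and flags `auid=4294967295` for what it is: the unsigned representation of -1, meaning no login uid was ever set on that process (cron jobs, as here). Field names and the second sample line are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the first is the /var/log/messages line quoted in the
# thread; the second is a made-up companion line with a real login uid set.
SAMPLE_LINES = [
    "Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user pid=1855 uid=0 "
    "auid=4294967295 msg='PAM setcred: user=root exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron result=Success)'",
    "Jan 10 12:36:44 cmsstor12 kernel: audit(1136918204.118:11301): user pid=1902 uid=0 "
    "auid=500 msg='PAM accounting: user=lisa exe=\"/usr/sbin/sshd\" "
    "(hostname=?, addr=?, terminal=ssh result=Success)'",
]

# (unsigned) -1: the kernel never assigned a login uid to this process,
# typical for daemons and cron jobs rather than interactive sessions.
AUID_UNSET = 4294967295

# syslog prefix, then the kernel audit header "audit(<epoch>:<serial>): <type> ..."
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): (?P<type>\S+) (?P<rest>.*)$"
)
# key=value pairs; a value is a single-quoted string, a double-quoted string,
# or a bare token (quoted values may themselves contain key=value text).
KV_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|\S+)")


def _unquote(val):
    """Strip one layer of matching single or double quotes, if present."""
    if len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]:
        return val[1:-1]
    return val


def parse_audit_syslog_line(line):
    """Return a dict for a kernel audit record carried by syslog, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = _unquote(val)
    # numeric fields the audit system always emits as integers
    for k in ("pid", "uid", "auid"):
        if k in fields and fields[k].isdigit():
            fields[k] = int(fields[k])
    fields["auid_unset"] = fields.get("auid") == AUID_UNSET
    return {
        "host": m.group("host"),
        "type": m.group("type"),
        "serial": int(m.group("serial")),
        # the epoch in the header is UTC; the syslog prefix is local time
        "time": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "fields": fields,
    }


def parse_pam_msg(msg):
    """Split the PAM message body ("PAM setcred: user=root exe=... (...)")
    into the operation name and its own key=value pairs."""
    op, _, rest = msg.partition(": ")
    out = {"op": op}
    for key, val in KV_RE.findall(rest):
        # bare tokens inside the parenthesised tail carry trailing ',' or ')'
        out[key] = _unquote(val).rstrip(",)")
    return out


def summarize(lines):
    """One flat record per parsable line, convenient for grepping or tabulating."""
    rows = []
    for line in lines:
        rec = parse_audit_syslog_line(line)
        if rec is None:
            continue
        pam = parse_pam_msg(rec["fields"].get("msg", ""))
        rows.append({
            "time": rec["time"].isoformat(),
            "host": rec["host"],
            "serial": rec["serial"],
            "pid": rec["fields"].get("pid"),
            "auid": "unset" if rec["fields"]["auid_unset"] else rec["fields"].get("auid"),
            "op": pam.get("op"),
            "user": pam.get("user"),
            "exe": pam.get("exe"),
            "terminal": pam.get("terminal"),
            "result": pam.get("result"),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

The epoch inside `audit(...)` is UTC while the syslog prefix is the host's local time, which is why the quoted line shows 12:35:01 but the parsed timestamp reads 18:35:01Z; keying on the audit epoch and serial rather than the syslog prefix avoids that ambiguity when correlating across hosts.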

