weird audit problems on one RHEL ES4 box

Bill Tangren bjt at usno.navy.mil
Thu Apr 12 14:08:38 UTC 2007


I just implemented a new rule set for auditing, and now the audit daemon won't 
start. It died a few hours before the logs were due to be rotated. Even though 
the auditd is dead, auditing is still being done, but the output is going to 
/var/log/messages, NOT to /var/log/audit, as before. When I did a

service auditd status

I got a

auditd locked, but pid exists

message. I tried to start it, but it wouldn't start. I rebooted, and it wouldn't 
come back up. I changed back to the old rule set and tried to restart. No joy. I 
rebooted again. It failed on start up. This is the rule set I tried:

# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
#
# Audit success and failure of login/logout
# on by default with update 4.

#
# Audit success and failure of permissions
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32

I don't know whether or not this rule set is an issue, but the change and the 
problems occurred at about the same time.

This is what I have in my auditd.conf:

log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = SYNC
freq = 0
num_logs = 15
max_log_file = 95
max_log_file_action = ignore
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND


When I try to restart the auditd, no error messages I can see show up in 
/var/log/messages. I've implemented these rules on other RHEL ES 4 boxes, 
without problems.

Any ideas what is wrong?
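A small lint for the two files in play, added here as an example and not part of the original post or of the audit package. Two things on the page are worth checking mechanically: every line of audit.rules is one complete auditctl invocation, so a long `-S ...` list that an editor or mail client wrapped onto a second line becomes an invalid rule; and several auditd.conf actions (SUSPEND in particular) make auditd stop writing records while the daemon keeps running. When auditd is not consuming the kernel's audit socket the kernel falls back to printk, which is why records turn up in /var/log/messages while the daemon is down; a status message that reports a pid or lock for a process that is not running usually means a stale pid file or subsystem lock. The two sample texts below are constructed copies of the posted configuration, with the wrapped `-S` line kept on purpose.

```python
"""Lint audit.rules and auditd.conf text for problems that keep auditd from
starting or make it stop logging. Added example, not code from the post;
the sample texts are constructed copies of the posted configuration."""
import re

# Options that may legally begin a line in audit.rules (auditctl syntax).
RULE_STARTS = ("-D", "-b", "-e", "-f", "-r", "-a", "-A", "-d", "-w", "-W")
LIST_NAMES = {"task", "exit", "user", "exclude", "entry"}   # entry: old kernels
ACTION_NAMES = {"always", "never", "possible"}
# auditd.conf actions after which no more records reach the disk.
STOP_LOGGING = {"SUSPEND", "HALT", "SINGLE"}

RULES_SAMPLE = """\
-D
-b 256
-e 1
# Audit failed opens
-a exit,always -S open -F success!=0
-w /etc/audit.rules -k ADMIN
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32
-S lchown -S lchown32
"""

CONF_SAMPLE = """\
log_file = /var/log/audit/audit.log
max_log_file = 95
max_log_file_action = ignore
num_logs = 15
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""


def lint_rules(text):
    """Return (line_no, message) findings for the text of an audit.rules file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(RULE_STARTS):
            # Each line is a separate auditctl call; a line opening with
            # -S/-F/-k is almost always the wrapped tail of the rule above it.
            findings.append((no, "not an auditctl option: wrapped continuation "
                                 "of the previous rule?"))
            continue
        if line.startswith(("-a", "-A")):
            m = re.match(r"-[aA]\s+(\w+),(\w+)\b", line)
            if not m or m.group(1) not in LIST_NAMES or m.group(2) not in ACTION_NAMES:
                findings.append((no, "-a needs <list>,<action>, e.g. exit,always"))
        if line.startswith(("-w", "-W")):
            parts = line.split()
            if len(parts) < 2 or not parts[1].startswith("/"):
                findings.append((no, "watch path must be absolute"))
    return findings


def parse_conf(text):
    """Parse 'key = value' lines of auditd.conf into a dict (keys lower-cased)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key.lower()] = value
    return conf


def lint_conf(text):
    """Return (key, message) findings for the text of an auditd.conf file."""
    conf = parse_conf(text)
    findings = []
    for key in ("space_left_action", "admin_space_left_action",
                "disk_full_action", "disk_error_action"):
        if conf.get(key, "").upper() in STOP_LOGGING:
            findings.append((key, f"{conf[key]} stops audit logging when it fires"))
    try:
        # The admin threshold must be the lower one, or the early warning never comes.
        if int(conf.get("admin_space_left", "0")) >= int(conf.get("space_left", "0")):
            findings.append(("admin_space_left", "must be lower than space_left"))
    except ValueError:
        findings.append(("space_left", "thresholds must be integers (MB)"))
    if conf.get("max_log_file_action", "").lower() == "ignore":
        findings.append(("max_log_file_action", "ignore: auditd never rotates on "
                         "size; rotation must be triggered externally"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_rules(RULES_SAMPLE):
        print(f"audit.rules:{no}: {msg}")
    for key, msg in lint_conf(CONF_SAMPLE):
        print(f"auditd.conf:{key}: {msg}")
```

Run against the posted files, the rules lint reports only the orphaned `-S lchown -S lchown32` line, and the conf lint reports the three SUSPEND actions plus the `ignore` rotation policy; none of those is a parse error for auditd itself, but each is a way for records to stop flowing quietly.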