weird audit problems on one RHEL ES4 box

Kirkwood, David A. DAVID.A.KIRKWOOD at saic.com
Fri Apr 13 14:37:18 UTC 2007


What are your free and admin space requirements in /etc/auditd.conf?

David A. Kirkwood
SAIC

david.a.kirkwood at saic.com
kirkwoodd at saic.com

Phone: (727) 502-8310
Fax:   (727) 822-7776

-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Bill Tangren
Sent: Friday, April 13, 2007 10:27 AM
Cc: linux-audit at redhat.com
Subject: Re: weird audit problems on one RHEL ES4 box

Steve Grubb wrote:
> On Thursday 12 April 2007 10:08, Bill Tangren wrote:
>> Any ideas what is wrong?
> 
> If auditd process is not running, you may need to delete anything with
> auditd in its name in the /var/run directory.
> 
> -Steve
> 

After reboot, there is now nothing in /var/run with audit, or even au in
the name. The service is stopped, and I cannot start it. Starting just
fails.

I noticed that auditd stopped writing to /var/log/audit/audit.log a few
hours before the log was rotated. Rotation failed. Auditing has since been
putting its output in /var/log/messages, even though auditd is not running,
though "ps aux" shows

  root      2242  0.0  0.0     0    0 ?        S<   Apr12   0:00 [kauditd]

I think the problem is that auditd cannot write to the log, but I don't
know why. The permissions on the log seem to be the same as on other
systems I run. The directory permission was 700, where it is 750 on other
systems, but changing it to 750 didn't help.

Any other ideas?

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
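
One way to answer the free-space question above on the affected box, as an added example that is not part of the original thread: it reads `space_left` and `admin_space_left` (megabytes) from auditd.conf and compares them with the free space on the log partition. The function names are hypothetical, and `/etc/auditd.conf` is the path given in the message.

```shell
#!/bin/sh
# Added example. Thresholds in auditd.conf are megabytes of free space on the
# filesystem that holds log_file.

# conf_value FILE KEY: print the value of a "key = value" line
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; v = $2
          gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
          if (tolower(k) == tolower(key)) val = v }
        END { print val }' "$1"
}

# free_mb DIR: free megabytes on the filesystem holding DIR
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# below FREE_MB LIMIT: true when LIMIT is a plain number and FREE_MB is under it
below() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -lt "$2" ]
}

# audit_space_state FILE FREE_MB: print ok, space_left or admin_space_left
audit_space_state() {
    if below "$2" "$(conf_value "$1" admin_space_left)"; then
        echo admin_space_left
    elif below "$2" "$(conf_value "$1" space_left)"; then
        echo space_left
    else
        echo ok
    fi
}

# report FILE: thresholds crossed now, plus the actions auditd is told to take
report() {
    log=$(conf_value "$1" log_file)
    free=$(free_mb "$(dirname "${log:-/var/log/audit/audit.log}")")
    echo "free_mb=$free state=$(audit_space_state "$1" "$free")"
    for k in space_left_action admin_space_left_action disk_full_action; do
        echo "$k=$(conf_value "$1" "$k")"
    done
}

# Usage: sh script.sh report [/etc/auditd.conf]
if [ "${1:-}" = report ]; then report "${2:-/etc/auditd.conf}"; fi
```

A state other than `ok` means the matching `*_action` setting is the one to read next.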



