Problem with start of auditd on 2.6.13-2smp machine
Lisa Giacchetti
lisa at fnal.gov
Tue Jan 10 18:48:19 UTC 2006
Steve,
Thanks for the quick response.
Technically I do not need file system auditing. My primary goal is
to get rid of the thousands of messages in /var/log/messages of the
type:
Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user
pid=1855 uid=0 auid=4294967295 msg='PAM setcred: user=root
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'
The system is based on RHEL4. It comes with audit-0.5-1 and
audit-libs-1.0.3-6.EL4 installed.
I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
moves the audit messages above to /var/log/audit/audit.log.
Even with the error at start, this is accomplished.
If you have another way to achieve my goal I am willing to
try it.
Lisa
Steve Grubb wrote:
> On Tuesday 10 January 2006 12:44, Lisa Giacchetti wrote:
>
>>I have a redhat enterprise linux 4 update 1 based system running
>>2.6.13-2smp kernel with audit-1.0.3-6.EL4 and audit-libs-1.0.3-6.EL4
>>installed.
>
>
> That kernel does not sound like a RHEL4 kernel. The RHEL4 kernel carries all
> the patches that the kernel needs for the audit system to work.
>
>
>>The problem is that when I start auditd I get this error:
>>
>>[root at cmsstor02 etc]# /etc/init.d/auditd start
>>Starting auditd: [ OK ]
>>Error receiving watch list (Invalid argument)
>>There was an error in line 5 of /etc/audit.rules
>
>
> Non-RHEL4 kernels do not have the right patch for file system auditing. When
> it was sent upstream, there was some consolidation with inotify suggested
> before acceptance. That work is still in progress. So...no kernel except the
> RHEL4 kernel really has the file system auditing at this point.
>
>
>>auditd actually starts but I am concerned that the -D
>>option (which is what is on line 5 of /etc/audit.rules)
>>is not being recognized or honored.
>
>
> If you do not need file system auditing, then you can safely ignore this. If
> you do need it, you need to change kernels.
>
>
>>I see that newer versions of the audit rpm may have fixed this
>
>
> That one is older.
>
>
>>"* Thu May 26 2005 Steve Grubb <sgrubb at redhat.com> 0.9-1
>> - Translate numeric info to human readable for ausearch output
>> - add '-if' option to ausearch to select input file
>> - add '-c' option to ausearch to allow searching by comm field
>> - init script now deletes all rules when daemon stops
>> - Make auditctl display perms correctly in watch listings
>>*** - Make auditctl -D remove all watches"
>>
>>but I do not have the glibc-kernheaders needed. Mine
>>are glibc-kernheaders-2.4-9.1.87 and audit-1.0.1201 needs
>>glibc-kernheaders>=2.4-9.1.95.
>
>
> We ship all the right pieces so that RHEL4 stuff is coordinated with itself
> and FC4 is coordinated with itself. 1.0.12 will be released with U3 update,
> but it will not solve the problem you are reporting.
>
> -Steve
--
Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
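Added example (not part of the thread, and not code from the audit project): a small Python parser for kernel audit records of the layout quoted in the message, i.e. the form they take when they land in /var/log/messages rather than /var/log/audit/audit.log. It splits the `audit(secs.ms:serial)` header from the key=value body, parses the nested `msg='...'` field, decodes `auid=4294967295` as an unset login uid, and separates the successful cron `PAM setcred` records the post complains about from everything else. The sample lines are constructed for the example; the sshd line is not from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not from the post). Line 1 is the cron record the
# message quotes; line 2 is an invented sshd record a defender would keep;
# line 3 is an ordinary kernel line carrying no audit record at all.
SAMPLE_LINES = [
    "Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user "
    "pid=1855 uid=0 auid=4294967295 msg='PAM setcred: user=root "
    "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron result=Success)'",
    "Jan 10 12:36:14 cmsstor12 kernel: audit(1136918174.105:11296): user "
    "pid=2001 uid=0 auid=500 msg='PAM setcred: user=alice "
    "exe=\"/usr/sbin/sshd\" (hostname=203.0.113.5, addr=203.0.113.5, "
    "terminal=ssh result=Failed)'",
    "Jan 10 12:36:20 cmsstor12 kernel: eth0: link up",
]

# auid=4294967295 is (uint32)-1: no login uid was ever assigned to the
# process, which is what daemons and the jobs cron spawns report.
AUID_UNSET = "4294967295"

_HEADER_RE = re.compile(
    r"kernel: audit\((?P<secs>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): "
    r"(?P<rtype>\w+) (?P<rest>.*)$"
)
# key=value where value is "double-quoted", 'single-quoted' or a bare token
# ending at whitespace, a comma or a closing parenthesis.
_KV_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|([^\s,)]+))")
# The leading "PAM setcred:" style operation name inside msg='...'.
_OP_RE = re.compile(r"\s*(?P<op>[^:=]+):")


@dataclass
class AuditRecord:
    timestamp: float
    serial: int
    rtype: str
    fields: Dict[str, str]
    op: Optional[str] = None
    msg_fields: Dict[str, str] = field(default_factory=dict)

    @property
    def auid_unset(self) -> bool:
        return self.fields.get("auid") == AUID_UNSET


def _parse_kv(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for m in _KV_RE.finditer(text):
        key, dq, sq, bare = m.groups()
        out[key] = dq if dq is not None else sq if sq is not None else bare
    return out


def parse_audit_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord for a syslog line carrying an audit record, else None."""
    m = _HEADER_RE.search(line)
    if not m:
        return None
    fields = _parse_kv(m.group("rest"))
    rec = AuditRecord(
        timestamp=float(m.group("secs") + "." + m.group("ms")),
        serial=int(m.group("serial")),
        rtype=m.group("rtype"),
        fields=fields,
    )
    msg = fields.get("msg")
    if msg is not None:
        op = _OP_RE.match(msg)
        rec.op = op.group("op").strip() if op else None
        rec.msg_fields = _parse_kv(msg)
    return rec


def is_cron_setcred_noise(rec: AuditRecord) -> bool:
    """True for the successful cron PAM setcred records the post describes."""
    return (
        rec.rtype == "user"
        and rec.op == "PAM setcred"
        and rec.auid_unset
        and rec.msg_fields.get("exe") == "/usr/sbin/crond"
        and rec.msg_fields.get("result") == "Success"
    )


def triage(lines: List[str]) -> Tuple[int, List[AuditRecord]]:
    """Count the cron noise and return the remaining records for review."""
    noise, kept = 0, []
    for rec in map(parse_audit_line, lines):
        if rec is None:
            continue
        if is_cron_setcred_noise(rec):
            noise += 1
        else:
            kept.append(rec)
    return noise, kept


if __name__ == "__main__":
    n, interesting = triage(SAMPLE_LINES)
    print(f"suppressed {n} cron setcred record(s); kept {len(interesting)}")
    for r in interesting:
        print(r.serial, r.op, r.msg_fields)
```

Running this over a real /var/log/messages shows what the noise actually is (cron with an unset auid) before deciding to suppress it, and the same parser keeps the records with a real login uid, a remote address or a failed result that are worth alerting on. Moving the records into auditd's own log, as the thread recommends, does not change their format, so the parser applies there as well.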