Problem with start of auditd on 2.6.13-2smp machine

Lisa Giacchetti lisa at fnal.gov
Tue Jan 10 18:48:19 UTC 2006


Steve,
   Thanks for the quick response.
   Technically I do not need file system auditing. My primary goal is
to get rid of the thousands of messages in /var/log/messages of the
type:
Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user 
pid=1855 uid=0 auid=4294967295 msg='PAM setcred: user=root 
exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

The system is based on RHEL4. It comes with audit-0.5-1 and
audit-libs-1.0.3-6.EL4 installed.
I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
moves the audit messages above to /var/log/audit/audit.log.
Even with the error at start, this is accomplished.

If you have another way to achieve my goal I am willing to
try it.

Lisa


Steve Grubb wrote:
> On Tuesday 10 January 2006 12:44, Lisa Giacchetti wrote:
> 
>>I have a redhat enterprise linux 4 update 1 based system running
>>2.6.13-2smp kernel with audit-1.0.3-6.EL4 and audit-libs-1.0.3-6.EL4
>>installed.
> 
> 
> That kernel does not sound like a RHEL4 kernel. The RHEL4 kernel carries all 
> the patches that the kernel needs for the audit system to work.
> 
> 
>>The problem is that when I start auditd I get this error:
>>
>>[root at cmsstor02 etc]# /etc/init.d/auditd start
>>Starting auditd:                                           [  OK  ]
>>Error receiving watch list (Invalid argument)
>>There was an error in line 5 of /etc/audit.rules
> 
> 
> Non-RHEL4 kernels do not have the right patch for file system auditing. When 
> it was sent upstream, there was some consolidation with inotify suggested 
> before acceptance. That work is still in progress. So...no kernel except the 
> RHEL4 kernel really has the file system auditing at this point.
> 
> 
>>auditd actually starts but I am concerned that the -D
>>option (which is what is on line 5 of /etc/audit.rules)
>>is not being recognized or honored.
> 
> 
> If you do not need file system auditing, then you can safely ignore this. If 
> you do need it, you need to change kernels.
> 
> 
>>I see that newer versions of the audit rpm may have fixed this
> 
> 
> That one is older.
> 
> 
>>"* Thu May 26 2005 Steve Grubb <sgrubb at redhat.com> 0.9-1
>>   - Translate numeric info to human readable for ausearch output
>>   - add '-if' option to ausearch to select input file
>>   - add '-c' option to ausearch to allow searching by comm field
>>   - init script now deletes all rules when daemon stops
>>   - Make auditctl display perms correctly in watch listings
>>***  - Make auditctl -D remove all watches"
>>
>>but I do not have the glibc-kernheaders needed. Mine
>>are glibc-kernheaders-2.4-9.1.87 and audit-1.0.1201 needs
>>glibc-kernheaders>=2.4-9.1.95.
> 
> 
> We ship all the right pieces so that RHEL4 stuff is coordinated with itself 
> and FC4 is coordinated with itself. 1.0.12 will be released with U3 update, 
> but it will not solve the problem you are reporting.
> 
> -Steve


-- 

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
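The kernel audit records that end up in /var/log/messages when no auditd is collecting them (like the PAM setcred line quoted above) can be parsed rather than just discarded. The following is an added example, not code from this thread or from the audit package; it assumes only the record layout visible in the quoted line, and treats auid=4294967295 as the "unset login uid" value ((uint32)-1), which is why cron-driven PAM events carry it.

```python
import re
from typing import Any, Dict

# Constructed sample: the syslog line quoted in the mail, joined back onto one line.
SAMPLE = ("Jan 10 12:35:01 cmsstor12 kernel: audit(1136918101.792:11295): user "
          "pid=1855 uid=0 auid=4294967295 msg='PAM setcred: user=root "
          "exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron result=Success)'")

AUID_UNSET = 4294967295  # (uint32)-1: no login uid was ever set, typical for daemons

# audit(<seconds.millis>:<serial>): <type> <key=value ...>
HEADER_RE = re.compile(r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<type>\S+) (?P<body>.*)$")
# key=value where value is bare, 'single quoted' or "double quoted"
FIELD_RE = re.compile(r"(\w+)=('([^']*)'|\"([^\"]*)\"|\S+)")


def parse_fields(text: str) -> Dict[str, str]:
    """Parse key=value pairs; quoted values are returned without their quotes."""
    out: Dict[str, str] = {}
    for key, raw, single, double in FIELD_RE.findall(text):
        if raw.startswith("'"):
            out[key] = single
        elif raw.startswith('"'):
            out[key] = double
        else:
            out[key] = raw.rstrip(",)")  # bare values inside "(...)" carry punctuation
    return out


def parse_audit_line(line: str) -> Dict[str, Any]:
    """Split one syslog-delivered kernel audit record into its parts."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not a kernel audit record: %r" % line)
    rec: Dict[str, Any] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "type": m.group("type"),
        "fields": parse_fields(m.group("body")),
    }
    msg = rec["fields"].get("msg")
    if msg is not None:
        # "PAM setcred: user=root exe=..." -> operation name, then its own key=value list
        op = re.match(r"(?P<op>[^=]+?):\s", msg)
        rec["op"] = op.group("op") if op else None
        rec["msg_fields"] = parse_fields(msg)
    auid = rec["fields"].get("auid")
    rec["auid_unset"] = auid is not None and int(auid) == AUID_UNSET
    return rec
```

With this you can count records per (op, exe) and confirm the flood is the expected cron PAM traffic before deciding to route it to /var/log/audit/audit.log.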
