Problem with start of auditd on 2.6.13-2smp machine
Steve Grubb
sgrubb at redhat.com
Tue Jan 10 19:49:36 UTC 2006
On Tuesday 10 January 2006 14:31, Lisa Giacchetti wrote:
> So I installed 1.0.3-6 which did have auditd chkconfig'd off by default.
> And I rebooted. It did not work. Well, I should say that auditd is not
> running but the messages are still there.
OK, your kernel does not have the patch, then. There are three options. You can try
for a newer kernel, or patch the one you are using, or use auditd to eat up
the messages but live with the error on boot. You will pay a performance
penalty for enabling the audit system. I can dig up the kernel patch if you
want to patch your kernel.
> > Using 1.0.3 might be the best solution if you have a kernel without the
> > patch to stop user space originating messages. Just set the log size low
> > and tell it to suspend logging when the file gets too big.
> >
> > flush = INCREMENTAL
> > freq = 50
> > num_logs = 2
> > max_log_file = 1
> > max_log_file_action = SUSPEND
>
> Won't I still have the problem of the error on start up?
Yes, but it's harmless - your kernel doesn't support file system auditing.
> It's like the -D option on line 5 is not a recognized option.
It is recognized, the error message is somewhat misleading (I think it was
updated in later versions). It is saying that it tried to get the list of
files being watched and the kernel didn't understand.
> I really don't care about the error as long as I know that
> things are configured to not really start auditing.
Well, auditing comes in two layers. If auditing is enabled, all the syscalls
will pass through the audit system for inspection. There is a
performance penalty for this. The other layer is when you have rules loaded
that may trigger events. This will result in kernel audit messages.
-Steve
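The "two layers" distinction above maps onto two different files. As an added example (not part of the thread, and not audit's own shipped configuration), the script below writes an audit.rules that clears every loaded rule (`-D`, the second layer) and then clears the kernel's enabled flag (`-e 0`, the first layer), next to the small-log auditd.conf from the quoted reply, and reports the enabled flag from `auditctl -s` when that tool is present. Assumptions: `auditctl -D`, `-e 0` and `-s` behave as in the audit 1.x user space, and the kernel honours the enabled flag; the output directory is passed in so the script can be exercised without touching /etc/audit.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Keeps auditd installed to
# drain the kernel's message queue while switching both audit layers off.

# write_quiet_rules DIR
# Writes DIR/audit.rules. Loaded via "auditctl -R", it first deletes all
# rules (nothing left to trigger kernel audit messages) and then sets the
# enabled flag to 0 (syscalls no longer pass through the audit hook).
write_quiet_rules() {
    dir="$1"
    cat > "$dir/audit.rules" <<'EOF'
# Second layer: remove any loaded watches/syscall rules.
-D
# First layer: disable syscall auditing altogether.
-e 0
EOF
}

# write_quiet_conf DIR
# Writes DIR/auditd.conf using the settings from the quoted reply: a 1 MB log,
# two logs kept, and logging suspended (not rotated) once the file is full.
write_quiet_conf() {
    dir="$1"
    cat > "$dir/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
EOF
}

# audit_enabled
# Prints the kernel's enabled flag (0 or 1) parsed from "auditctl -s", or
# "unknown" when auditctl is missing or cannot query the kernel (non-root).
# Assumption: the status line contains "enabled=N" or "enabled N".
audit_enabled() {
    v=""
    if command -v auditctl >/dev/null 2>&1; then
        v=$(auditctl -s 2>/dev/null | sed -n 's/.*enabled[= ]\([0-9]\).*/\1/p' | head -n 1)
    fi
    echo "${v:-unknown}"
}

# Stand-alone usage: generate both files into a scratch directory and show
# the current kernel state. Copy them to /etc/audit and restart auditd to apply.
if [ "${1:-}" = "--run" ]; then
    out=$(mktemp -d)
    write_quiet_rules "$out"
    write_quiet_conf "$out"
    echo "wrote $out/audit.rules and $out/auditd.conf"
    echo "kernel audit enabled flag: $(audit_enabled)"
fi
```

Once the files are in place, the "-D not recognized" style error at boot will still appear on a kernel without the file-system auditing patch, exactly as described above; what changes is that `auditctl -s` reports `enabled` as 0 afterwards, so there is no per-syscall cost.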