weird audit problems on one RHEL ES4 box
Bill Tangren
bjt at usno.navy.mil
Fri Apr 13 14:27:01 UTC 2007
Steve Grubb wrote:
> On Thursday 12 April 2007 10:08, Bill Tangren wrote:
>> Any ideas what is wrong?
>
> If auditd process is not running, you may need to delete anything with auditd
> in its name in the /var/run directory.
>
> -Steve
>

After reboot, there is now nothing in /var/run with audit, or even au in the
name. The service is stopped, and I cannot start it. Starting just fails.

I noticed that auditd stopped writing to /var/log/audit/audit.log a few hours
before the log was rotated. Rotation failed. Auditing has since been putting its
output in /var/log/messages, even though auditd is not running, though "ps aux"
shows

    root 2242 0.0 0.0 0 0 ? S< Apr12 0:00 [kauditd]

I think the problem is that auditd cannot write to the log, but I don't know
why. The permissions on the log seem to be the same as on other systems I run.
The directory permission was 700, where it is 750 on other systems, but changing
it to 750 didn't help.

Any other ideas?