From: Bill Tangren <bjt@usno.navy.mil>
To: linux-audit <linux-audit@redhat.com>
Subject: weird audit problems on one RHEL ES4 box
Date: Thu, 12 Apr 2007 10:08:38 -0400 [thread overview]
Message-ID: <461E3D66.8060508@usno.navy.mil> (raw)
I just implemented a new rule set for auditing, and now the audit daemon won't
start. It died a few hours before the logs were due to be rotated. Even though
auditd is dead, auditing is still being done, but the output is going to
/var/log/messages, NOT to /var/log/audit as before. When I did a

    service auditd status

I got a

    auditd locked, but pid exists

message. I tried to start it, but it wouldn't start. I rebooted, and it wouldn't
come back up. I changed back to the old rule set and tried to restart. No joy. I
rebooted again. It failed on start up. This is the rule set I tried:

# First rule - delete all
-D
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
#
# Audit success and failure of login/logout
# on by default with update 4.
#
# Audit success and failure of permissions
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32

I don't know whether or not this rule set is an issue, but the change and the
problems occurred at about the same time.
This is what I have in my auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = SYNC
freq = 0
num_logs = 15
max_log_file = 95
max_log_file_action = ignore
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
When I try to restart the auditd, no error messages I can see show up in
/var/log/messages. I've implemented these rules on other RHEL ES 4 boxes,
without problems.
Any ideas what is wrong?
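An added example, not from the message or from the audit project: a small Python lint for a rules file like the one above. It reports the argument-shape defects auditctl rejects when loading a file (a rule continued on a second line that starts with -S, a bad list,action pair, a watch with no path, a bad -e value); it does not call auditctl itself. The sample rules inside it are constructed.

```python
# Static check for an auditctl rules file. Each reported line is one that
# "auditctl -R" would refuse, which in turn keeps auditd from starting.
import shlex

LISTS = {"task", "entry", "exit", "user", "exclude"}
ACTIONS = {"always", "never", "possible"}
RULE_OPTS = {"-a", "-A", "-d", "-w", "-W"}          # options that start a rule
GLOBAL_OPTS = {"-D", "-b", "-e", "-f", "-r", "-R"}   # stand-alone settings

def lint_rules(text):
    """Return a list of (line number, problem) tuples; empty means clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            argv = shlex.split(line)
        except ValueError as exc:
            problems.append((lineno, "unbalanced quoting: %s" % exc))
            continue
        head = argv[0]
        if head in GLOBAL_OPTS:
            if head in {"-b", "-e"} and (len(argv) < 2 or not argv[1].isdigit()):
                problems.append((lineno, "%s needs a numeric argument" % head))
            if head == "-e" and argv[1:2] and argv[1] not in {"0", "1", "2"}:
                problems.append((lineno, "-e takes 0, 1 or 2"))
            continue
        if head not in RULE_OPTS:
            # -S/-F/-k with no -a or -w in front: almost always a rule that an
            # editor or mail client wrapped onto a second line
            problems.append((lineno, "%r does not start a rule; wrapped line?" % head))
            continue
        if head in {"-a", "-A", "-d"}:
            if len(argv) < 2 or "," not in argv[1]:
                problems.append((lineno, "%s needs list,action" % head))
                continue
            lst, _, act = argv[1].partition(",")
            # auditctl accepts both list,action and action,list
            if not ({lst, act} & LISTS and {lst, act} & ACTIONS):
                problems.append((lineno, "unknown list/action %r" % argv[1]))
        elif len(argv) < 2 or not argv[1].startswith("/"):
            problems.append((lineno, "%s needs an absolute path" % head))
    return problems

SAMPLE = """# constructed sample: three good rules followed by three bad ones
-D
-b 256
-e 1
-a exit,always -S open -F success!=0
-w /var/log/audit/ -k ADMIN
-a entry,possible -S chmod -S fchmod -S chown
-S lchown -S lchown32
-w -k ADMIN
-a exit,forever -S reboot
"""

if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```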
Thread overview: 6+ messages
2007-04-12 14:08 Bill Tangren [this message]
2007-04-12 14:14 ` weird audit problems on one RHEL ES4 box Steve Grubb
2007-04-13 14:27 ` Bill Tangren
2007-04-13 14:30 ` Steve Grubb
2007-04-13 14:37 ` Kirkwood, David A.
2007-04-13 14:54 ` Bill Tangren