From mboxrd@z Thu Jan  1 00:00:00 1970
From: Bill Tangren <bjt@usno.navy.mil>
Subject: Re: wierd audit problems on one RHEL ES4 box
Date: Fri, 13 Apr 2007 10:27:01 -0400
Message-ID: <461F9335.9040205@usno.navy.mil>
References: <461E3D66.8060508@usno.navy.mil>
	<200704121014.18163.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com [172.16.48.31])
	by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l3DER4QS013711
	for <linux-audit@redhat.com>; Fri, 13 Apr 2007 10:27:04 -0400
Received: from [198.116.61.254] (beatrix.usno.navy.mil [198.116.61.254])
	by mx1.redhat.com (8.13.1/8.13.1) with ESMTP id l3DER2Bn016668
	for <linux-audit@redhat.com>; Fri, 13 Apr 2007 10:27:02 -0400
Received: from [10.1.5.58] (mach2.usno.navy.mil [10.1.5.58])
	by aa.usno.navy.mil (Postfix) with ESMTP id 14E5D205694
	for <linux-audit@redhat.com>; Fri, 13 Apr 2007 10:27:02 -0400 (EDT)
In-Reply-To: <200704121014.18163.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve Grubb wrote:
> On Thursday 12 April 2007 10:08, Bill Tangren wrote:
>> Any ideas what is wrong?
> 
> If auditd process is not running, you may need to delete anything with auditd 
> in its name in the /var/run directory.
> 
> -Steve
> 

After reboot, there is now nothing in /var/run with audit, or even au in the 
name. The service is stopped, and I cannot start it. Starting just fails.

I noticed that auditd stopped writing to /var/log/audit/audit.log a few hours 
before the log was rotated. Rotation failed. Auditing has since been putting its 
output in /var/log/messages, even though auditd is not running, though "ps aux" 
shows

  root      2242  0.0  0.0     0    0 ?        S<   Apr12   0:00 [kauditd]

I think the problem is that auditd cannot write to the log, but I don't know 
why. The permissions on the log seems to be the same as on other systems I run. 
The directory permission was 700, where it is 750 on other systems, but changing 
it to 750 didn't help.

Any other ideas?