* wierd audit problems on one RHEL ES4 box
@ 2007-04-12 14:08 Bill Tangren
2007-04-12 14:14 ` Steve Grubb
From: Bill Tangren @ 2007-04-12 14:08 UTC (permalink / raw)
To: linux-audit
I just implemented a new rule set for auditing, and now the audit daemon won't
start. It died a few hours before the logs were due to be rotated. Even though
the auditd is dead, auditing is still being done, but the output is going to
/var/log/messages, NOT to /var/log/audit, as before. When I did a
service auditd status
I got a
auditd locked, but pid exists
message. I tried to start it, but it wouldn't start. I rebooted, and it wouldn't
come back up. I changed back to the old rule set and tried to restart. No joy. I
rebooted again. It failed on start up. This is the rule set I tried:
# First rule - delete all
-D
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
#
# Audit success and failure of login/logout
# on by default with update 4.
#
# Audit success and failure of permissions
-a entry,possible -S chmod -S fchmod -S chown -S chown32 -S fchown -S fchown32 -S lchown -S lchown32
I don't know whether or not this rule set is an issue, but the change and the
problems occurred at about the same time.
This is what I have in my auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = SYNC
freq = 0
num_logs = 15
max_log_file = 95
max_log_file_action = ignore
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
When I try to restart the auditd, no error messages I can see show up in
/var/log/messages. I've implemented these rules on other RHEL ES 4 boxes,
without problems.
Any ideas what is wrong?
* Re: wierd audit problems on one RHEL ES4 box
2007-04-12 14:08 wierd audit problems on one RHEL ES4 box Bill Tangren
@ 2007-04-12 14:14 ` Steve Grubb
2007-04-13 14:27 ` Bill Tangren
From: Steve Grubb @ 2007-04-12 14:14 UTC (permalink / raw)
To: linux-audit
On Thursday 12 April 2007 10:08, Bill Tangren wrote:
> Any ideas what is wrong?
If auditd process is not running, you may need to delete anything with auditd
in its name in the /var/run directory.
-Steve
* Re: wierd audit problems on one RHEL ES4 box
2007-04-12 14:14 ` Steve Grubb
@ 2007-04-13 14:27 ` Bill Tangren
2007-04-13 14:30 ` Steve Grubb
2007-04-13 14:37 ` Kirkwood, David A.
From: Bill Tangren @ 2007-04-13 14:27 UTC (permalink / raw)
Cc: linux-audit
Steve Grubb wrote:
> On Thursday 12 April 2007 10:08, Bill Tangren wrote:
>> Any ideas what is wrong?
>
> If auditd process is not running, you may need to delete anything with auditd
> in its name in the /var/run directory.
>
> -Steve
>
After reboot, there is now nothing in /var/run with audit, or even au in the
name. The service is stopped, and I cannot start it. Starting just fails.
I noticed that auditd stopped writing to /var/log/audit/audit.log a few hours
before the log was rotated. Rotation failed. Auditing has since been putting its
output in /var/log/messages, even though auditd is not running, though "ps aux"
shows
root 2242 0.0 0.0 0 0 ? S< Apr12 0:00 [kauditd]
I think the problem is that auditd cannot write to the log, but I don't know
why. The permissions on the log seem to be the same as on other systems I run.
The directory permission was 700, where it is 750 on other systems, but changing
it to 750 didn't help.
Any other ideas?
* Re: wierd audit problems on one RHEL ES4 box
2007-04-13 14:27 ` Bill Tangren
@ 2007-04-13 14:30 ` Steve Grubb
2007-04-13 14:37 ` Kirkwood, David A.
From: Steve Grubb @ 2007-04-13 14:30 UTC (permalink / raw)
To: linux-audit
On Friday 13 April 2007 10:27, Bill Tangren wrote:
> Any other ideas?
strace /sbin/auditd -f 2> strace.log
and send it to me (unless you want it on the mail list).
-Steve
* RE: wierd audit problems on one RHEL ES4 box
2007-04-13 14:27 ` Bill Tangren
2007-04-13 14:30 ` Steve Grubb
@ 2007-04-13 14:37 ` Kirkwood, David A.
2007-04-13 14:54 ` Bill Tangren
From: Kirkwood, David A. @ 2007-04-13 14:37 UTC (permalink / raw)
To: linux-audit
What are your free and admin space requirements in /etc/auditd.conf?
David A. Kirkwood
SAIC
david.a.kirkwood@saic.com
kirkwoodd@saic.com
Phone: (727) 502-8310
Fax: (727) 822-7776
* Re: wierd audit problems on one RHEL ES4 box
2007-04-13 14:37 ` Kirkwood, David A.
@ 2007-04-13 14:54 ` Bill Tangren
From: Bill Tangren @ 2007-04-13 14:54 UTC (permalink / raw)
Cc: linux-audit
Kirkwood, David A. wrote:
> What are your free and admin space requirements in /etc/auditd.conf?
>
> David A. Kirkwood
> SAIC
>
> david.a.kirkwood@saic.com
> kirkwoodd@saic.com
>
I'm an idiot. My web server logs are taking up nearly all of the space (95%
full) on the /var/log partition. That is why auditing was suspended! I hate it
when software does what I tell it to do, not what I want it to do...
Sorry for the trouble.
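The failure mode in this thread is auditd honouring its own space thresholds: with space_left = 75 and admin_space_left = 50 (both in megabytes) and /var/log at 95% full, the admin_space_left_action of SUSPEND fires and auditd stops writing to disk. The following script is an added example, not code from this list or from the audit package; it parses a constructed auditd.conf fragment mirroring the thresholds posted above, measures free space on the log directory's filesystem, and reports which threshold has been crossed and which configured action auditd would take, so the condition can be caught before logging silently stops.

```python
import os

# Constructed sample auditd.conf fragment mirroring the thresholds posted in
# the thread. auditd interprets space_left and admin_space_left in megabytes.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
"""


def parse_auditd_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def check_space(conf, free_mb):
    """Return (threshold crossed, configured action) for the given free space.

    admin_space_left is the more severe threshold, so it is checked first.
    """
    admin_mb = int(conf["admin_space_left"])
    soft_mb = int(conf["space_left"])
    if free_mb < admin_mb:
        return "admin_space_left", conf["admin_space_left_action"].upper()
    if free_mb < soft_mb:
        return "space_left", conf["space_left_action"].upper()
    return "ok", "NONE"


def free_megabytes(path):
    """Free space (MB) on the filesystem holding path, as an unprivileged caller sees it."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize // (1024 * 1024)


if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    log_dir = os.path.dirname(conf["log_file"])
    # Fall back to "/" so the example also runs on hosts without /var/log/audit.
    probe = log_dir if os.path.isdir(log_dir) else "/"
    threshold, action = check_space(conf, free_megabytes(probe))
    print(f"{probe}: {free_megabytes(probe)} MB free, threshold={threshold}, action={action}")
```

A result of SUSPEND means auditd would stop writing audit.log while the kernel keeps generating events, which is exactly the state described above where records only appear in /var/log/messages.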