auditd fails to start when rules and conf file are symbolic links

auditd fails to start when rules and conf file are symbolic links

[Smith, Steven G (Steven)]

Hey everyone,

I'm seeing some strange behavior when attempting to start the auditd
daemon.  When I make the /etc/audit.rules and /etc/auditd.conf files
symbolic links, the service fails saying that it cannot open
/etc/audit.rules because of too many levels of symbolic links:

[root@bling etc]# ll /etc/audit*
lrwxrwxrwx  1 root root 25 Nov  7 08:22 /etc/auditd.conf ->
/diskroot/etc/auditd.conf
lrwxrwxrwx  1 root root 25 Nov  7 08:22 /etc/audit.rules ->
/diskroot/etc/audit.rules
[root@bling etc]# service auditd start
Starting auditd:
Error opening /etc/audit.rules (Too many levels of symbolic links)
[root@acidsnowflake etc]#

Note that there is nothing special about this particular diskroot
directory (i.e. there are no other symbolic links involved).  If I
remove the symbolic links, the service works fine.  The problem is that
I need to have the links there for various reasons.  Is this a bug in
auditd, or did I do something stupid?

One last note, if I vi the file via the symbolic link, it works fine,
which leads me to believe that this is more likely something wrong in
the startup sequence or auditd itself (although I couldn't see any
issues that stood out to me).  

Thanks,
Steve

Re: auditd fails to start when rules and conf file are symbolic links

[Steve Grubb]

On Tuesday 07 November 2006 11:23, Smith, Steven G (Steven) wrote:
>  The problem is that I need to have the links there for various reasons.  Is
>  this a bug in auditd, or did I do something stupid?

This message is coming from auditctl. Have you tried using bind mounts instead 
of symlinks?

-Steve

RE: auditd fails to start when rules and conf file are symbolic links

[Boyce, Kevin P. (Melbourne, FL)]

Have you tried making hard links to the files just to see if that works?



Kevin Boyce
Northrop Grumman Corp.
2000 W. Nasa Blvd. D01/222 
Melbourne, Fl. 32902

kevin.boyce@ngc.com

-----Original Message-----
From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Smith, Steven G
(Steven)
Sent: Tuesday, November 07, 2006 11:23 AM
To: linux-audit@redhat.com
Subject: auditd fails to start when rules and conf file are symbolic
links

Hey everyone,

I'm seeing some strange behavior when attempting to start the auditd
daemon.  When I make the /etc/audit.rules and /etc/auditd.conf files
symbolic links, the service fails saying that it cannot open
/etc/audit.rules because of too many levels of symbolic links:

[root@bling etc]# ll /etc/audit*
lrwxrwxrwx  1 root root 25 Nov  7 08:22 /etc/auditd.conf ->
/diskroot/etc/auditd.conf lrwxrwxrwx  1 root root 25 Nov  7 08:22
/etc/audit.rules -> /diskroot/etc/audit.rules [root@bling etc]# service
auditd start Starting auditd:
Error opening /etc/audit.rules (Too many levels of symbolic links)
[root@acidsnowflake etc]#

Note that there is nothing special about this particular diskroot
directory (i.e. there are no other symbolic links involved).  If I
remove the symbolic links, the service works fine.  The problem is that
I need to have the links there for various reasons.  Is this a bug in
auditd, or did I do something stupid?

One last note, if I vi the file via the symbolic link, it works fine,
which leads me to believe that this is more likely something wrong in
the startup sequence or auditd itself (although I couldn't see any
issues that stood out to me).  

Thanks,
Steve



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit