From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditd fails to start on FC6 system, newer kernels effect?
Date: Wed, 21 Nov 2007 07:01:52 -0500
Message-ID: <200711210701.53255.sgrubb@redhat.com>
References: <200711170431.17700.gene.heskett@verizon.net> <1195496605.7546.115.camel@moss-spartans.epoch.ncsc.mil>
In-Reply-To: <1195496605.7546.115.camel@moss-spartans.epoch.ncsc.mil>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

Just a quick update on this in case anyone was curious...turns out that the
audit system was not in his kernel config. It's working now.

-Steve

On Monday 19 November 2007 01:23:25 pm Stephen Smalley wrote:
> On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote:
> > Greetings;
> >
> > FC6 system, up to date, kernel 2.6.24-rc3, but this has existed since I
> > re-enabled selinux in permissive mode just to see what complained.
> >
> > The manpage says to use the -f option for foreground troubleshooting, so
> > here goes:
> >
> > [root@coyote linux-2.6.24-rc3]# man auditd
> > [root@coyote linux-2.6.24-rc3]# which auditd
> > /sbin/auditd
> > [root@coyote linux-2.6.24-rc3]# auditd -f
> > Config file /etc/audit/auditd.conf opened for parsing
> > log_file_parser called with: /var/log/audit/audit.log
> > log_format_parser called with: RAW
> > priority_boost_parser called with: 3
> > flush_parser called with: INCREMENTAL
> > freq_parser called with: 20
> > num_logs_parser called with: 4
> > dispatch_parser called with: /sbin/audispd
> > qos_parser called with: lossy
> > max_log_size_parser called with: 5
> > max_log_size_action_parser called with: ROTATE
> > space_left_parser called with: 75
> > space_action_parser called with: SYSLOG
> > action_mail_acct_parser called with: root
> > admin_space_left_parser called with: 50
> > admin_space_left_action_parser called with: SUSPEND
> > disk_full_action_parser called with: SUSPEND
> > disk_error_action_parser called with: SUSPEND
> > Started dispatcher: /sbin/audispd pid: 7828
> > type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2,
> > format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
> > config_manager init complete
> > Error setting audit daemon pid (Connection refused)
> > type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt,
> > auid=4294967295 pid=7824 res=failed, auditd pid=7824
> > Unable to set audit pid, exiting
> > The audit daemon is exiting.
> > Error setting audit daemon pid (Connection refused)
> > [root@coyote linux-2.6.24-rc3]#
> >
> > Connection refused sounds as if something else isn't running that should
> > be, but no direct clue, so what else needs to run too, before auditd?
>
> More of a question for linux-audit (cc'd). Offhand, I'd guess that the
> ECONNREFUSED is coming from the netlink code, but I don't know why.
> Running it under strace might be illuminating.
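
Added example, not part of the original thread or of the audit project's code: a shell check for the cause reported above, run against a kernel config file before auditd is started. The symbol names CONFIG_AUDIT and CONFIG_AUDITSYSCALL are the upstream Kconfig options and do not appear in the thread; the function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for audit support.
# CONFIG_AUDIT and CONFIG_AUDITSYSCALL are the upstream Kconfig symbols; the
# thread only says the audit system "was not in his kernel config".

# Print the config text; handles plain files and gzip-compressed ones.
read_config() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# kconfig_enabled FILE SYMBOL: succeed only on an exact "SYMBOL=y" line, so
# "# SYMBOL is not set" and a missing symbol both count as disabled.
kconfig_enabled() {
    read_config "$1" | grep "^$2=y\$" >/dev/null
}

# check_audit_config FILE: one-line verdict on stdout.
# Returns 0 = full support, 1 = no audit subsystem, 2 = unreadable file,
# 3 = audit core present but syscall auditing missing.
check_audit_config() {
    if [ ! -r "$1" ]; then
        echo "cannot read kernel config: $1"
        return 2
    fi
    if ! kconfig_enabled "$1" CONFIG_AUDIT; then
        echo "CONFIG_AUDIT is off: auditd cannot register its pid with this kernel"
        return 1
    fi
    if ! kconfig_enabled "$1" CONFIG_AUDITSYSCALL; then
        echo "CONFIG_AUDIT=y but CONFIG_AUDITSYSCALL is off: no syscall rules"
        return 3
    fi
    echo "CONFIG_AUDIT=y and CONFIG_AUDITSYSCALL=y: kernel side is present"
    return 0
}

# Run only when a config path is given, e.g. the build tree's .config.
if [ "$#" -gt 0 ]; then
    check_audit_config "$1"
fi
```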