From: Steve Grubb <sgrubb@redhat.com>
To: zhu xiuming <xiumingzhu@gmail.com>
Cc: "Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: Re: auditd start failure
Date: Fri, 16 Aug 2013 14:53:25 -0400
Message-ID: <3088912.ENnoUt3dQi@x2>
In-Reply-To: <CAP6dAmcK4+-9YexiFGK0SC0u4cfP-Nft0a4RCVFrDv5ERDxTQg@mail.gmail.com>

On Friday, August 16, 2013 11:48:37 AM zhu xiuming wrote:
> Thank you so much for the quick response. I just want to send out this
> email. Because I use auditd -f to find out it was still the permission
> issue of audit.log.
>
> What I wanted to do is let someone else be able to read the audit.log other
> than root. Should I change the log_group setting?

Yes.

> It seems audit.log permission is 0600. Only root can read it.

You should create a group for reading audit logs and add the user to it. You
may need to change the group on the log files initially and chmod them to 0640.
But auditd will correctly set the permission and group on all future files.

-Steve

> On Fri, Aug 16, 2013 at 11:43 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Friday, August 16, 2013 11:38:32 AM zhu xiuming wrote:
> > > Hi
> > > Suddenly, my auditd can't start. I do not know why.
> > > I remember I changed some permission settings on /var/log/audit.
> > > However, even if I change it back, the auditd can't be started.
> > >
> > > I looked at the audit.log. It only shows the daemon is closed
> > > successfully
> > >
> > > I wonder whether there is another log file I should look at.
> >
> > It writes failure messages to /var/log/messages. I sometimes troubleshoot
> > issues by starting the daemon by hand in the foreground mode so that
> > everything is written to the screen. /sbin/auditd -f
> >
> > -Steve
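
The steps from the reply above as shell functions, added here as an example; it is not part of the original thread or the audit project's code. The function names are made up for this example, and the config path `/etc/audit/auditd.conf`, the group `auditreaders` and the user `alice` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Defines functions only.
# Typical use as root (group "auditreaders", user "alice" are hypothetical):
#   groupadd auditreaders && usermod -aG auditreaders alice
#   set_log_group /etc/audit/auditd.conf auditreaders
#   fix_existing_logs /var/log/audit auditreaders
#   check_logs /var/log/audit "$(conf_log_group /etc/audit/auditd.conf)"

# Print the configured log_group (auditd's default is root when unset).
conf_log_group() {
    cfg_grp=$(sed -n 's/^[[:space:]]*log_group[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$1" | tail -n 1)
    echo "${cfg_grp:-root}"
}

# Set log_group in the config ($1) to group $2, replacing or appending.
set_log_group() {
    if grep -q '^[[:space:]]*log_group[[:space:]]*=' "$1"; then
        tmp=$(mktemp) || return 1
        sed "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = $2/" "$1" > "$tmp" &&
            cat "$tmp" > "$1"   # cat keeps the config's own owner and mode
        rc=$?
        rm -f "$tmp"
        return "$rc"
    else
        echo "log_group = $2" >> "$1"
    fi
}

# One-time fix for log files that already exist in directory $1.
fix_existing_logs() {
    for f in "$1"/audit.log*; do
        [ -f "$f" ] || continue
        chgrp "$2" "$f" && chmod 0640 "$f" || return 1
    done
}

# Report any log file in $1 that is not exactly mode 0640 with group $2.
# Returns 0 when all files comply, 1 otherwise.
check_logs() {
    bad=0
    for f in "$1"/audit.log*; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -prune -perm 640 -group "$2")" ]; then
            echo "non-compliant: $(ls -ln "$f")"
            bad=1
        fi
    done
    return "$bad"
}
```

After changing `log_group`, restart auditd so it picks up the new setting.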