$ systemctl status auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since sáb 2014-10-11 19:40:46 ART; 6min ago
  Process: 552 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 551 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 551 (code=exited, status=6)
oct 11 19:40:46 infinity auditctl[552]: enabled 0
oct 11 19:40:46 infinity auditctl[552]: flag 1
oct 11 19:40:46 infinity auditctl[552]: pid 0
oct 11 19:40:46 infinity auditctl[552]: rate_limit 0
oct 11 19:40:46 infinity auditctl[552]: backlog_limit 320
oct 11 19:40:46 infinity auditctl[552]: lost 0
oct 11 19:40:46 infinity auditctl[552]: backlog 0
oct 11 19:40:46 infinity systemd[1]: Started Security Auditing Service.
oct 11 19:40:46 infinity systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
oct 11 19:40:46 infinity systemd[1]: Unit auditd.service entered failed state.
halp
This is strange. What I would suggest is to start the audit daemon from the command line to see if it outputs something that is more useful. Try this as root:
/sbin/auditd -f
This will put it in debug mode where it writes more info to stdout.
$ /sbin/auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
krb5_principal_parser called with: auditd
Started dispatcher: /sbin/audispd pid: 2733
type=DAEMON_START msg=audit(1413147751.174:6039): auditd start, ver=2.4 format=raw kernel=3.16.4-200.fc20.x86_64 auid=1000 pid=2731 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 res=success
config_manager init complete
Init complete, auditd 2.4 listening for events (startup state enable)
>I have a very strange bug that systemd I think:
>I had a bug with audit too, it failed at start, every single boot, but
>everything ok with firewalld, I had this bug with firewall and I saw that
>auditd.service was running ok, it seems that when firewalld works auditd doesn't
>and when auditd does firewalld doesn't.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1151934
after complete systemd's script without plymouth, I go directly to tty because I start my X session with a startx and xinitrc script, but I need to wait a couple of seconds, because I see that my hard disk is working on something, maybe writing (cause the led on my laptop 4328 (lenovo g470) said so), so I see that it stops after mess my tty console with some kernel messages about my broadcom 43xx wifi card, then I log in and then I start out my session (to be honest, it's really slow, I don't know if it's normal, I don't use any display manager only on Fedora, I use the:
if [[ ! ${DISPLAY} && ${XDG_VTNR} == 8 ]]; then
    exec startx
fi
bash script and it takes from 3 to 10 seconds to show cinnamon DE)
Sorry I had a lot of errors in my drafting, I'm on some aggressive "medication".
Can you attach the output from 'journalctl -b'?
Created attachment 946587 [details] journalctl -b
(In reply to Duff Padmasana from comment #6)
> Created attachment 946587 [details]
> journalctl -b
Unfortunately this is garbled in a few interesting places. Please redirect the output to a file, and then attach the file (journalctl -b > /tmp/bootlog). This seems to be unrelated to systemd itself. For whatever reason auditd exits and returns 6.
Created attachment 946626 [details] 2nd
There is only 1 way to get return code of 6 and that is if something is seriously wrong in the daemon config file. That always results in a message saying why it failed except in one or two cases where you are out of memory. I would find it hard to believe that is what's happening. Also, the two attachments show it working fine. The manual startup also shows it working fine. Does it always exit with return code 6 or just one time?
It seems that there's something wrong with selinux, maybe outdated policy or mislabelled filesystem?
oct 13 20:35:21 infinity setroubleshoot[675]: Unable to add audit event: node=infinity type=AVC msg=audit(1413243314.293:24): avc: denied { search } for pid=379 comm="systemd-readahe" name="netfilter" dev="sda3" ino=681037 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
**** Invalid AVC allowed in current policy ***
But anyway, in the log you attached, audit starts and runs just fine afaics.
(In reply to Steve Grubb from comment #9)
> Does it always exit with return code 6 or just one time?
Always.
(In reply to Zbigniew Jędrzejewski-Szmek from comment #10)
> But anyway, in the log you attached, audit starts and runs just fine afaics.
that means that even if "$ systemctl list-units" says that isn't running, and isn't active, is running a'ight?
(In reply to Duff Padmasana from comment #12)
> (In reply to Zbigniew Jędrzejewski-Szmek from comment #10)
> > But anyway, in the log you attached, audit starts and runs just fine afaics.
>
> that means that even if "$ systemctl list-units" says that isn't running,
> and isn't active, is running a'ight?
No, it most likely means that the log is from a different boot, or that audit was stopped later on, after the time shown in the log.
[root@infinity duff]# systemctl status auditd.service -l
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since jue 2015-01-22 12:48:42 COT; 1h 7min ago
  Process: 567 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 566 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 566 (code=exited, status=6)
ene 22 12:48:42 infinity systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
ene 22 12:48:42 infinity auditctl[567]: No rules
ene 22 12:48:42 infinity systemd[1]: Failed to start Security Auditing Service.
ene 22 12:48:42 infinity systemd[1]: Unit auditd.service entered failed state.
ene 22 12:48:42 infinity systemd[1]: auditd.service failed
it keeps happening.
I just installed Fedora 21 from scratch (minimal install) and installed my DE, X server, drivers, etc, from scratch, and audit always worked, just disabled some services from systemd (like Bluetooth since I don't have any bluetooth device) and some others, then I used dracut -f, and audit started to "ExecStart=/sbin/auditd -n (code=exited, status=6)" again.
Fresh updated install, Fedora 21 with Cinnamon. audit running OK.
$ dracut --regenerate-all --force
reboot
$ systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since sáb 2015-01-31 14:07:12 COT; 4min 39s ago
  Process: 575 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 574 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 574 (code=exited, status=6)
ene 31 14:07:12 infinity systemd[1]: auditd.service: main process exited, code=exited, status...URED
ene 31 14:07:12 infinity auditctl[575]: No rules
ene 31 14:07:12 infinity systemd[1]: Failed to start Security Auditing Service.
ene 31 14:07:12 infinity systemd[1]: Unit auditd.service entered failed state.
ene 31 14:07:12 infinity systemd[1]: auditd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Please add "systemd.log_level=debug" to the kernel command line, reboot and then attach the output of:
# journalctl -b -o short-monotonic --full
Created attachment 987728 [details] journalctl -b -o short-monotonic --full
Created attachment 987742 [details] whoops missed systemd.log_level=debug on the last attach.
I see this in the logs:
[] infinity auditd[572]: Could not open dir /var/log/audit (No such file or directory)
[] infinity auditd[572]: The audit daemon is exiting.
So...something is not creating the /var/log/audit.
I had this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1149518 a few months ago, maybe it can help.
I am seeing similar behavior:
[ 25.781270] fedora21-local auditd[1031]: Could not open dir /var/log/audit (No such file or directory)
[ 25.781401] fedora21-local auditd[1031]: The audit daemon is exiting.
[ 25.782089] fedora21-local systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
[ 25.802794] fedora21-local auditctl[1032]: No rules
[ 25.802994] fedora21-local auditctl[1032]: enabled 0
[ 25.803172] fedora21-local auditctl[1032]: flag 1
[ 25.803347] fedora21-local auditctl[1032]: pid 0
[ 25.803503] fedora21-local auditctl[1032]: rate_limit 0
[ 25.803667] fedora21-local auditctl[1032]: backlog_limit 320
[ 25.803734] fedora21-local auditctl[1032]: lost 0
[ 25.803789] fedora21-local auditctl[1032]: backlog 0
[ 25.803841] fedora21-local auditctl[1032]: backlog_wait_time 60000
[ 25.804016] fedora21-local systemd[1]: Failed to start Security Auditing Service.
[ 25.804153] fedora21-local systemd[1]: Unit auditd.service entered failed state.
[ 25.804282] fedora21-local systemd[1]: auditd.service failed.
mkdir /var/log/audit
restorecon /var/log/audit
ls -ld /var/log/audit
drwxr-xr-x. 2 root root 40 Feb 7 12:25 /var/log/audit
Reboot and directory is deleted.
In the log in #c19, auditd.service is started after switch root. It fails because:
[ 36.889758] infinity auditd[572]: Could not open dir /var/log/audit (No such file or directory)
I don't think dracut is involved here.
But why does it happen when regenerating initramfs with dracut?
Well, this is also not an audit problem. The audit rpm packages a /var/log/audit/ directory. In its service file, it has the following:
After=local-fs.target systemd-tmpfiles-setup.service
so that systemd has plenty of time to make the directory available. Are the systems having this problem bare metal regular Fedora or using atomic or containers or something exotic? That might help figuring out why the logging directory is missing.
I tested this on a Cinnamon install (with netinstall iso) and a Minimal install, haven't tested on GNOME default iso.
audit now works after deleting /boot/initramfs-3.xx.xx.fc21.x86_64.img and running dracut without -r.
Same problem here on Fedora 22 (Gnome) with kernel 4.4.4-200.fc22.x86_64.
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2016-03-15 14:35:20 EDT; 33min ago
  Process: 1076 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 1075 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 1075 (code=exited, status=6)
systemd[1]: Starting Security Auditing Service...
auditctl[1076]: No rules
systemd[1]: Started Security Auditing Service.
auditd[1075]: Could not open dir /var/log/audit (No such file or directory)
auditd[1075]: The audit daemon is exiting.
systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: Unit auditd.service entered failed state.
/etc/audit/audit.rules looks like this:
-D
-a task, never
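Throughout this thread systemd reports only status=6/NOTCONFIGURED, while the actual reason appears in auditd's own journal line. The script below pairs the two so a host that boots without audit logging is flagged together with its cause. It is an added example, not code from this bug report or from the audit project; the function names and the sample journal text are constructed for illustration.

```shell
#!/bin/sh
# Added example: explain why auditd exited with status 6.
# Feed it full journal text on stdin, e.g.:
#   journalctl -b -u auditd.service | auditd_exit6_cause

auditd_exit6_cause() {
  awk '
    # Keep the last diagnostic logged by the auditd process itself.
    match($0, /auditd\[[0-9]+\]: /) {
      msg = substr($0, RSTART + RLENGTH)
      if (msg != "The audit daemon is exiting.") {
        pid = substr($0, RSTART + 7, RLENGTH - 10)   # digits between [ and ]
        cause = msg
      }
      next
    }
    # systemd reports the exit without the reason; pair it with that diagnostic.
    /auditd\.service: main process exited/ && /status=6/ {
      if (cause == "") print "pid=? cause=none logged; run /sbin/auditd -f as root"
      else print "pid=" pid " cause=" cause
      pid = ""; cause = ""; found = 1
    }
    # Exit 0 only when at least one status-6 failure was seen.
    END { exit (found ? 0 : 1) }
  '
}

# Succeeds only if the log directory auditd needs is present. The path is a
# parameter so the check can also be pointed at a chroot or mounted image.
audit_log_dir_present() {
  [ -d "${1:-/var/log/audit}" ]
}

# Constructed sample, modelled on the journal lines quoted in the thread.
SAMPLE_JOURNAL='[ 25.781270] host auditd[1031]: Could not open dir /var/log/audit (No such file or directory)
[ 25.781401] host auditd[1031]: The audit daemon is exiting.
[ 25.782089] host systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
[ 25.802794] host auditctl[1032]: No rules'

printf '%s\n' "$SAMPLE_JOURNAL" | auditd_exit6_cause
```

Ellipsized `systemctl status` output (without `-l`) truncates the `status=6/NOTCONFIGURED` field, so the function needs untruncated journal lines.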