Bug 1151794 - auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Summary: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-10-11 22:48 UTC by Neil
Modified: 2016-03-15 20:05 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1318043 (view as bug list)
Environment:
Last Closed: 2015-06-07 23:27:31 UTC
Type: Bug


Attachments (Terms of Use)
journalctl -b (370.99 KB, text/plain)
2014-10-13 20:21 UTC, Neil
no flags Details
2nd (185.02 KB, text/x-vhdl)
2014-10-13 23:44 UTC, Neil
no flags Details
journalctl -b -o short-monotonic --full (95.92 KB, text/x-vhdl)
2015-02-03 18:24 UTC, Neil
no flags Details
whoops missed systemd.log_level=debug on the last attach. (1.37 MB, text/x-vhdl)
2015-02-03 18:30 UTC, Neil
no flags Details

Description Neil 2014-10-11 22:48:27 UTC
$ systemctl status auditd.service 
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since sáb 2014-10-11 19:40:46 ART; 6min ago
  Process: 552 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 551 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 551 (code=exited, status=6)

oct 11 19:40:46 infinity auditctl[552]: enabled 0
oct 11 19:40:46 infinity auditctl[552]: flag 1
oct 11 19:40:46 infinity auditctl[552]: pid 0
oct 11 19:40:46 infinity auditctl[552]: rate_limit 0
oct 11 19:40:46 infinity auditctl[552]: backlog_limit 320
oct 11 19:40:46 infinity auditctl[552]: lost 0
oct 11 19:40:46 infinity auditctl[552]: backlog 0
oct 11 19:40:46 infinity systemd[1]: Started Security Auditing Service.
oct 11 19:40:46 infinity systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
oct 11 19:40:46 infinity systemd[1]: Unit auditd.service entered failed state.


halp

Comment 1 Steve Grubb 2014-10-12 15:13:08 UTC
This is strange. What I would suggest is to start the audit daemo from the command line to see if it outputs something that is more useful. Try this as root:

/sbin/auditd -f

This will put it in debug mode where it write more info to stdout.

Comment 2 Neil 2014-10-12 21:03:05 UTC
$ /sbin/auditd -f
Config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
krb5_principal_parser called with: auditd
Started dispatcher: /sbin/audispd pid: 2733
type=DAEMON_START msg=audit(1413147751.174:6039): auditd start, ver=2.4 format=raw kernel=3.16.4-200.fc20.x86_64 auid=1000 pid=2731 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 res=success
config_manager init complete
Init complete, auditd 2.4 listening for events (startup state enable)

Comment 3 Neil 2014-10-13 08:25:52 UTC
>I have a very strange bug that systemd I think:
>I had a bug with audit too, it failed at start, every single boot, but >everything ok with firewalld, I had this bug with firewall and I saw that >auditd.service was running ok, it seems that when firewalld works auditd doesn't >and when auditd does firewald doesn't.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1151934

after complete systemd's script without plymouth, I go directly too tty because I start my X session with a startx and xinitrc script, but I need to wait a couple of seconds, because I see that my hardisk is working on something maybe writing. (cause the led on my laptop 4328 (lenovo g470) said so) so I see that it stops after mess my tty console with some kernel messages about my broadcom 43xx wifi card, then I log in and then I start out my session (to be honest, its really slow, I don't know if its normal, I don't use any display manager only on Fedora, I use the:
if [[ ! ${DISPLAY} && ${XDG_VTNR} == 8 ]]; then
    exec startx
fi
bash script and it takes from 3 to 10 seconds to show cinnamon DE)

Comment 4 Neil 2014-10-13 08:30:27 UTC
Sorry I had a lot of errors in my drafting, I'm on some aggressive "medication".

Comment 5 Zbigniew Jędrzejewski-Szmek 2014-10-13 13:33:15 UTC
Can you attach the output from 'journalctl -b'?

Comment 6 Neil 2014-10-13 20:21:30 UTC
Created attachment 946587 [details]
journalctl -b

Comment 7 Zbigniew Jędrzejewski-Szmek 2014-10-13 23:12:44 UTC
(In reply to Duff Padmasana from comment #6)
> Created attachment 946587 [details]
> journalctl -b
Unfortunately this is garbled in a few interesting places. Please redirect the output to a file, and then attach the file (journalctl -b > /tmp/bootlog).

This seems to be unrelated to systemd itself. For whatever reason auditd exits and returns 6.

Comment 8 Neil 2014-10-13 23:44:27 UTC
Created attachment 946626 [details]
2nd

Comment 9 Steve Grubb 2014-10-18 15:40:29 UTC
There is only 1 way to get return code of 6 and that is if something is seriously wrong in the daemon config file. That always results in a message saying why it failed except in one or two cases where you are out of memory. I would find it hard to believe that is what's happening. Also. the two attachments show it working fine. The manual startup also shows it working fine.

Does it always exit with return code 6 or just one time?

Comment 10 Zbigniew Jędrzejewski-Szmek 2014-10-18 19:45:44 UTC
It seems that there's something wrong with selinux, maybe outdated policy or mislabelled filesystem?

oct 13 20:35:21 infinity setroubleshoot[675]: Unable to add audit event: node=infinity type=AVC msg=audit(1413243314.293:24): avc:  denied  { search } for  pid=379 comm="systemd-readahe" name="netfilter" dev="sda3" ino=681037 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
                                               
                                              **** Invalid AVC allowed in current policy ***

But anyway, in the log you attached, audit starts and runs just fine afaics.

Comment 11 Neil 2014-10-20 21:37:25 UTC
(In reply to Steve Grubb from comment #9)
> Does it always exit with return code 6 or just one time?
Always.

Comment 12 Neil 2014-10-20 21:39:42 UTC
(In reply to Zbigniew Jędrzejewski-Szmek from comment #10)
> But anyway, in the log you attached, audit starts and runs just fine afaics.

that means that even if "$ systemctl list-units" says that isn't running, and isn't active, is running a'ight?

Comment 13 Zbigniew Jędrzejewski-Szmek 2014-10-20 21:44:19 UTC
(In reply to Duff Padmasana from comment #12)
> (In reply to Zbigniew Jędrzejewski-Szmek from comment #10)
> > But anyway, in the log you attached, audit starts and runs just fine afaics.
> 
> that means that even if "$ systemctl list-units" says that isn't running,
> and isn't active, is running a'ight?
No, it most likely means that the logs is from a different boot, or that audit was stopped later on, after the time shown in the log.

Comment 14 Neil 2015-01-22 18:56:20 UTC
[root@infinity duff]# systemctl status auditd.service -l
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since jue 2015-01-22 12:48:42 COT; 1h 7min ago
  Process: 567 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 566 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 566 (code=exited, status=6)

ene 22 12:48:42 infinity systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
ene 22 12:48:42 infinity auditctl[567]: No rules
ene 22 12:48:42 infinity systemd[1]: Failed to start Security Auditing Service.
ene 22 12:48:42 infinity systemd[1]: Unit auditd.service entered failed state.
ene 22 12:48:42 infinity systemd[1]: auditd.service failed


it keeps happening.

Comment 15 Neil 2015-01-29 17:10:19 UTC
I just installed Fedora 21 from scratch (minimal install) and installed my DE, X server, drivers, etc, from scratch, and audit always worked, just disabled some services from systemd (like Bluetooth since I don't have any bluetooth device) and some others, then I used dracut -f, and audit started to "ExecStart=/sbin/auditd -n (code=exited, status=6)" again.

Comment 16 Neil 2015-01-31 19:12:40 UTC
Fresh updated install, Fedora 21 with Cinnamon.

audit running OK.

$ dracut --regenerate-all --force

reboot

$ systemctl status auditd.service 
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: failed (Result: exit-code) since sáb 2015-01-31 14:07:12 COT; 4min 39s ago
  Process: 575 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 574 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 574 (code=exited, status=6)

ene 31 14:07:12 infinity systemd[1]: auditd.service: main process exited, code=exited, status...URED
ene 31 14:07:12 infinity auditctl[575]: No rules
ene 31 14:07:12 infinity systemd[1]: Failed to start Security Auditing Service.
ene 31 14:07:12 infinity systemd[1]: Unit auditd.service entered failed state.
ene 31 14:07:12 infinity systemd[1]: auditd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Comment 17 Harald Hoyer 2015-02-03 10:37:03 UTC
please add "systemd.log_level=debug" to the kernel command line, reboot and then attach the output of:
# journalctl -b -o short-monotonic --full

Comment 18 Neil 2015-02-03 18:24:47 UTC
Created attachment 987728 [details]
journalctl -b -o short-monotonic --full

Comment 19 Neil 2015-02-03 18:30:18 UTC
Created attachment 987742 [details]
whoops missed systemd.log_level=debug on the last attach.

Comment 20 Steve Grubb 2015-02-05 14:16:28 UTC
I see this in the logs:

[] infinity auditd[572]: Could not open dir /var/log/audit (No such file or directory)
[] infinity auditd[572]: The audit daemon is exiting.

So...something is not creating the /var/log/audit.

Comment 21 Neil 2015-02-05 18:47:15 UTC
I had this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1149518 a few months ago, maybe it can help.

Comment 22 dsp3 2015-02-07 08:31:01 UTC
I am seeing similar behavior:

[   25.781270] fedora21-local auditd[1031]: Could not open dir /var/log/audit (No such file or directory)
[   25.781401] fedora21-local auditd[1031]: The audit daemon is exiting.
[   25.782089] fedora21-local systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
[   25.802794] fedora21-local auditctl[1032]: No rules
[   25.802994] fedora21-local auditctl[1032]: enabled 0
[   25.803172] fedora21-local auditctl[1032]: flag 1
[   25.803347] fedora21-local auditctl[1032]: pid 0
[   25.803503] fedora21-local auditctl[1032]: rate_limit 0
[   25.803667] fedora21-local auditctl[1032]: backlog_limit 320
[   25.803734] fedora21-local auditctl[1032]: lost 0
[   25.803789] fedora21-local auditctl[1032]: backlog 0
[   25.803841] fedora21-local auditctl[1032]: backlog_wait_time 60000
[   25.804016] fedora21-local systemd[1]: Failed to start Security Auditing Service.
[   25.804153] fedora21-local systemd[1]: Unit auditd.service entered failed state.
[   25.804282] fedora21-local systemd[1]: auditd.service failed.

Comment 23 dsp3 2015-02-07 09:28:11 UTC
mkdir /var/log/audit
restorecon /var/log/audit
ls -ld /var/log/audit
drwxr-xr-x. 2 root root 40 Feb  7 12:25 /var/log/audit

Reboot and directory is deleted.

Comment 24 Zbigniew Jędrzejewski-Szmek 2015-02-07 16:43:57 UTC
In the log in #c19, auditd.service is started after switch root. If fails because:
[   36.889758] infinity auditd[572]: Could not open dir /var/log/audit (No such file or directory)

I don't think dracut is involved here.

Comment 25 Neil 2015-02-07 18:14:10 UTC
But why it happens when regenerating initramfs with dracut?

Comment 26 Steve Grubb 2015-02-09 15:04:22 UTC
Well, this is also not an audit problem. The audit rpm packages a /var/log/audit/ directory. In its service file, it has the following:

After=local-fs.target systemd-tmpfiles-setup.service

so that systemd has plenty of time to make the directory available. Are the systems having this problem bare metal regular Fedora or using atomic or containers or something exotic? That might help figuring out why the logging directory is missing.

Comment 27 Neil 2015-02-22 04:42:01 UTC
I tested this on a Cinnamon install (with netinstall iso) and an Minimal install, haven't tested on GNOME default iso.

Comment 28 Neil 2015-03-08 00:54:30 UTC
audit now works after delete /boot/initramfs-3.xx.xx.fc21.x86_64.img and run dracut without -r.

Comment 29 Flo H. 2016-03-15 20:05:50 UTC
Same problem here on Fedora 22 (Gnome) with kernel 4.4.4-200.fc22.x86_64.

● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2016-03-15 14:35:20 EDT; 33min ago
  Process: 1076 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 1075 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 1075 (code=exited, status=6)

systemd[1]: Starting Security Auditing Service...
auditctl[1076]: No rules
systemd[1]: Started Security Auditing Service.
auditd[1075]: Could not open dir /var/log/audit (No such file or directory)
auditd[1075]: The audit daemon is exiting.
systemd[1]: auditd.service: main process exited, code=exited, 
status=6/NOTCONFIGURED
systemd[1]: Unit auditd.service entered failed state.


/etc/audit/audit.rules looks like this:
-D
-a task, never


Note You need to log in before you can comment on or make changes to this bug.