Bug 207438 - Audit refusing to work as expected
Audit refusing to work as expected
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: audit
5
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks:
 
Reported: 2006-09-20 23:51 EDT by david walcroft
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-25 06:14:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description david walcroft 2006-09-20 23:51:12 EDT
Description of problem:
Cannot get audit to run properly

Version-Release number of selected component (if applicable):1.1.5-1


How reproducible: reboot computer or restart by using /sbin/services/auditd


Steps to Reproduce:
1.
2.
3.
  
Actual results: no result


Expected results: Avec files log to /var/log/audit/auditd.log


Additional info:execve("/sbin/auditd", ["auditd"], [/* 19 vars */]) = 0
brk(0)                                  = 0x9825000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fdb000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=113366, ...}) = 0
mmap2(NULL, 113366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fbf000
close(3)                                = 0
open("/lib/libpthread.so.0", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=112148, ...}) = 0
mmap2(NULL, 78268, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xde8000
mmap2(0xdf8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,
3, 0xf) = 0xdf8000
mmap2(0xdfa000, 4540, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0xdfa000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\nVqG4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1532528, ...}) = 0
mmap2(NULL, 1254812, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x8c0000
mmap2(0x9ed000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12d) = 0x9ed000
mmap2(0x9f0000, 9628, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x9f0000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fbe000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fbe6c0, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,
useable:1}) = 0
mprotect(0x9ed000, 8192, PROT_READ)     = 0
mprotect(0xdf8000, 4096, PROT_READ)     = 0
mprotect(0xe97000, 4096, PROT_READ)     = 0
munmap(0xb7fbf000, 113366)              = 0
set_tid_address(0xb7fbe708)             = 13572
sendto(-1208228080, ptrace: umoven: Input/output error
0xc, 14651380,
MSG_EOR|MSG_ERRQUEUE|MSG_DONTWAIT|MSG_FIN|MSG_SYN|MSG_NOSIGNAL|MSG_MORE|0xb7fb0000,
{sa_family=AF_DECnet, sa_data="\0\0\304\220\231G\r\0\0\0\304 \232G"},
3217340120) = 0
rt_sigaction(SIGRTMIN, {0xdec66b, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xdec5a0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfc4b430, 31, (nil), 0}) = 0
umask(077)                              = 022
umask(022)                              = 077
getuid32()                              = 0
rt_sigaction(SIG_0, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGILL, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTRAP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGABRT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGBUS, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGFPE, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGKILL, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGUSR1, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGALRM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSTKFLT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCONT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSTOP, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGTSTP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTTIN, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTTOU, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGURG, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGXCPU, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGXFSZ, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGVTALRM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPROF, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGWINCH, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGIO, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPWR, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSYS, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_3, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_4, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_5, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_6, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_7, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_8, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_9, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_10, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_11, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_12, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_13, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_14, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_15, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_16, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_17, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_18, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_19, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_20, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_21, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_22, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_23, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_24, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_25, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_26, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_27, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_28, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_29, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_30, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_31, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_32, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTERM, {0xaf22c0, [], 0}, NULL, 8) = 0
rt_sigaction(SIGHUP, {0xaf22e0, [], 0}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {0xaf2300, [], 0}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {0xaf24d0, [], 0}, NULL, 8) = 0
setrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
setrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
brk(0)                                  = 0x9825000
brk(0x9846000)                          = 0x9846000
open("/etc/auditd.conf", O_RDONLY|O_NOFOLLOW) = 3
fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0
fcntl64(3, F_GETFL)                     = 0x20000 (flags O_RDONLY|O_NOFOLLOW)
fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fda000
_llseek(3, 0, [0], SEEK_CUR)            = 0
read(3, "#\n# This file controls the confi"..., 4096) = 432
open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 ENOTDIR
(Not a directory)
time(NULL)                              = 1158810051
open("/etc/localtime", O_RDONLY)        = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fd9000
read(4, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0"..., 4096) = 160
close(4)                                = 0
munmap(0xb7fd9000, 4096)                = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 4
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
send(4, "<11>Sep 21 13:40:51 auditd: Coul"..., 79, MSG_NOSIGNAL) = 79
close(3)                                = 0
munmap(0xb7fda000, 4096)                = 0
time(NULL)                              = 1158810051
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
send(4, "<14>Sep 21 13:40:51 auditd: The "..., 56, MSG_NOSIGNAL) = 56
unlink("/var/run/auditd.pid")           = -1 ENOENT (No such file or directory)
close(4)                                = 0
exit_group(6)                           = ?
Process 13572 detached
[david@reddwarf ~]$
Comment 1 Steve Grubb 2006-09-21 08:46:19 EDT
It probably would have been better to look in syslog to see what was being
reported. In any event, this line seems to show the problem:

>open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1
> ENOTDIR (Not a directory)

I have the new package installed and find this:

[root ~]# rpm -ql audit | grep log
/var/log/audit
[root ~]# rpm -qf /var/log/audit
audit-1.2.7-4.fc5

Something happened to your /var/log/audit directory. Could you check on this and
see if it exists and maybe make the directory? The audit rpm package was the
owner and should have made it at installation.
Comment 2 david walcroft 2006-09-21 19:51:39 EDT
Yes 'Audit' exists :- -rw-r--r-- 1 root root 0 Apr 23 15:05 /var/log/audit
Comment 3 Steve Grubb 2006-09-23 09:25:31 EDT
The above seems to indicate that /var/log/audit is a file and not a directory. I
have no idea how this could happen. You should:

rm /var/log/audit
mkdir /var/log/audit
chmod 0660 /var/log/audit
service auditd restart

Comment 4 Steve Grubb 2006-09-23 09:26:50 EDT
You might need to do restorecon /var/log/audit before starting the audit daemon
in the above corrective action.
Comment 5 david walcroft 2006-09-23 21:44:56 EDT
Restarting Audit failed
Comment 6 Steve Grubb 2006-09-24 07:34:59 EDT
Syslog messages? Also did you do the steps I asked?
Comment 7 Steve Grubb 2006-09-24 07:37:40 EDT
This should fix it:

rm /var/log/audit
mkdir /var/log/audit
chmod 0750 /var/log/audit
restorecon /var/log/audit
service auditd restart
Comment 8 david walcroft 2006-09-25 00:44:21 EDT
I used the sequence above, and these are the last two lines from tail /var/log/messages.

Sep 25 14:38:52 reddwarf kernel: audit(1159159132.585:340): audit_pid=4593 old=0
by auid=4294967295 subj=user_u:system_r:auditd_t:s0
Sep 25 14:38:52 reddwarf auditd[4593]: Init complete, auditd 1.2.7 listening for
events

less /var/log/audit/audit.log
audtype=DAEMON_START msg=audit(1159159132.587:4914) auditd start, ver=1.2.7,
format=raw, auid=4294967295 pid=4593 res=success, a
uditd pid=45
type=CONFIG_CHANGE msg=audit(1159159132.685:341): audit_enabled=1 old=0 by
auid=4294967295 subj=user_u:system_r:auditd_t:s0
type=CONFIG_CHANGE msg=audit(1159159132.693:342): audit_backlog_limit=256
old=256 by auid=4294967295 subj=user_u:system_r:aud
itctl_t:s0
it.log
Comment 9 Steve Grubb 2006-09-25 06:14:54 EDT
ok, looks like you are in business. No idea how that directory became a file,
but that was the problem. Let me know if I can be of further assistance.
Comment 10 david walcroft 2006-09-25 20:01:16 EDT
It was not a file but a directory; I used rm -rf to remove it, rather than your first line
"rm /var/log/audit".
