Bug 207438 - Audit refusing to work as expected
Summary: Audit refusing to work as expected
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 5
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-09-21 03:51 UTC by david walcroft
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-09-25 10:14:54 UTC
Type: ---
Embargoed:



Description david walcroft 2006-09-21 03:51:12 UTC
Description of problem:
Cannot get audit to run properly

Version-Release number of selected component (if applicable):1.1.5-1


How reproducible: always — reboot the computer, or restart the daemon with `/sbin/service auditd restart`


Steps to Reproduce:
1.
2.
3.
  
Actual results: no result — auditd exits and nothing is logged


Expected results: AVC records and other audit events logged to /var/log/audit/audit.log


Additional info (strace of auditd, run as root):
execve("/sbin/auditd", ["auditd"], [/* 19 vars */]) = 0
brk(0)                                  = 0x9825000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fdb000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=113366, ...}) = 0
mmap2(NULL, 113366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fbf000
close(3)                                = 0
open("/lib/libpthread.so.0", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=112148, ...}) = 0
mmap2(NULL, 78268, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xde8000
mmap2(0xdf8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE,
3, 0xf) = 0xdf8000
mmap2(0xdfa000, 4540, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0xdfa000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\nVqG4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1532528, ...}) = 0
mmap2(NULL, 1254812, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x8c0000
mmap2(0x9ed000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12d) = 0x9ed000
mmap2(0x9f0000, 9628, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
-1, 0) = 0x9f0000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fbe000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fbe6c0, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0,
useable:1}) = 0
mprotect(0x9ed000, 8192, PROT_READ)     = 0
mprotect(0xdf8000, 4096, PROT_READ)     = 0
mprotect(0xe97000, 4096, PROT_READ)     = 0
munmap(0xb7fbf000, 113366)              = 0
set_tid_address(0xb7fbe708)             = 13572
sendto(-1208228080, ptrace: umoven: Input/output error
0xc, 14651380,
MSG_EOR|MSG_ERRQUEUE|MSG_DONTWAIT|MSG_FIN|MSG_SYN|MSG_NOSIGNAL|MSG_MORE|0xb7fb0000,
{sa_family=AF_DECnet, sa_data="\0\0\304\220\231G\r\0\0\0\304 \232G"},
3217340120) = 0
(The "sendto ... AF_DECnet" line above is an strace decoding artifact, not a real network send: this strace version does not know the syscall glibc issues here during thread setup — most likely set_robust_list — and prints it with the wrong argument template, hence the "umoven" I/O error. It is unrelated to the failure.)
rt_sigaction(SIGRTMIN, {0xdec66b, [], SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0xdec5a0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
_sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfc4b430, 31, (nil), 0}) = 0
umask(077)                              = 022
umask(022)                              = 077
getuid32()                              = 0
rt_sigaction(SIG_0, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGILL, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTRAP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGABRT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGBUS, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGFPE, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGKILL, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGUSR1, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGALRM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSTKFLT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCONT, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSTOP, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument)
rt_sigaction(SIGTSTP, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTTIN, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTTOU, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGURG, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGXCPU, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGXFSZ, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGVTALRM, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPROF, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGWINCH, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGIO, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGPWR, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGSYS, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_3, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_4, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_5, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_6, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_7, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_8, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_9, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_10, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_11, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_12, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_13, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_14, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_15, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_16, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_17, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_18, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_19, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_20, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_21, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_22, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_23, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_24, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_25, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_26, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_27, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_28, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_29, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_30, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_31, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGRT_32, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGTERM, {0xaf22c0, [], 0}, NULL, 8) = 0
rt_sigaction(SIGHUP, {0xaf22e0, [], 0}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {0xaf2300, [], 0}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {0xaf24d0, [], 0}, NULL, 8) = 0
setrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
setrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
brk(0)                                  = 0x9825000
brk(0x9846000)                          = 0x9846000
open("/etc/auditd.conf", O_RDONLY|O_NOFOLLOW) = 3
fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0
fcntl64(3, F_GETFL)                     = 0x20000 (flags O_RDONLY|O_NOFOLLOW)
fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fda000
_llseek(3, 0, [0], SEEK_CUR)            = 0
read(3, "#\n# This file controls the confi"..., 4096) = 432
open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 ENOTDIR
(Not a directory)
time(NULL)                              = 1158810051
open("/etc/localtime", O_RDONLY)        = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7fd9000
read(4, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0"..., 4096) = 160
close(4)                                = 0
munmap(0xb7fd9000, 4096)                = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 4
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
send(4, "<11>Sep 21 13:40:51 auditd: Coul"..., 79, MSG_NOSIGNAL) = 79
close(3)                                = 0
munmap(0xb7fda000, 4096)                = 0
time(NULL)                              = 1158810051
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0
send(4, "<14>Sep 21 13:40:51 auditd: The "..., 56, MSG_NOSIGNAL) = 56
unlink("/var/run/auditd.pid")           = -1 ENOENT (No such file or directory)
close(4)                                = 0
exit_group(6)                           = ?
Process 13572 detached
[david@reddwarf ~]$

Comment 1 Steve Grubb 2006-09-21 12:46:19 UTC
It probably would have been better to look in syslog to see what was being
reported. In any event, this line seems to show the problem:

>open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1
> ENOTDIR (Not a directory)

I have the new package installed and find this:

[root ~]# rpm -ql audit | grep log
/var/log/audit
[root ~]# rpm -qf /var/log/audit
audit-1.2.7-4.fc5

Something happened to your /var/log/audit directory. Could you check on this and
see if it exists and maybe make the directory? The audit rpm package was the
owner and should have made it at installation.

Comment 2 david walcroft 2006-09-21 23:51:39 UTC
Yes 'Audit' exists :- -rw-r--r-- 1 root root 0 Apr 23 15:05 /var/log/audit

Comment 3 Steve Grubb 2006-09-23 13:25:31 UTC
The above seems to indicate that /var/log/audit is a file and not a directory. I
have no idea how this could happen. You should:

rm /var/log/audit
mkdir /var/log/audit
chmod 0660 /var/log/audit   (note: 0660 on a directory has no search (x) bit; the corrected sequence in comment 7 uses 0750, which matches the package's intended permissions better)
service auditd restart



Comment 4 Steve Grubb 2006-09-23 13:26:50 UTC
You might need to do restorecon /var/log/audit before starting the audit daemon
in the above corrective action.

Comment 5 david walcroft 2006-09-24 01:44:56 UTC
Restarting Audit failed

Comment 6 Steve Grubb 2006-09-24 11:34:59 UTC
Syslog messages? Also did you do the steps I asked?

Comment 7 Steve Grubb 2006-09-24 11:37:40 UTC
This should fix it:

rm /var/log/audit
mkdir /var/log/audit
chmod 0750 /var/log/audit
restorecon /var/log/audit
service auditd restart

Comment 8 david walcroft 2006-09-25 04:44:21 UTC
I used the sequence above and this the last two lines from tail /var/log/messages.

Sep 25 14:38:52 reddwarf kernel: audit(1159159132.585:340): audit_pid=4593 old=0
by auid=4294967295 subj=user_u:system_r:auditd_t:s0
Sep 25 14:38:52 reddwarf auditd[4593]: Init complete, auditd 1.2.7 listening for
events

less /var/log/audit/audit.log
type=DAEMON_START msg=audit(1159159132.587:4914): auditd start, ver=1.2.7, format=raw, auid=4294967295 pid=4593 res=success, auditd pid=45[...] (line truncated in paste)
type=CONFIG_CHANGE msg=audit(1159159132.685:341): audit_enabled=1 old=0 by auid=4294967295 subj=user_u:system_r:auditd_t:s0
type=CONFIG_CHANGE msg=audit(1159159132.693:342): audit_backlog_limit=256 old=256 by auid=4294967295 subj=user_u:system_r:auditctl_t:s0

Comment 9 Steve Grubb 2006-09-25 10:14:54 UTC
ok, looks like you are in business. No idea how that directory became a file,
but that was the problem. Let me know if I can be of further assistance.
(Practitioner note: the stray /var/log/audit entry was dated Apr 23, so auditd had most likely been failing to start — and the system running without audit records — for months; `rpm -V audit` will report ownership/mode drift on package-owned paths like this, and it is worth confirming after a reboot that auditd is running and `auditctl -s` reports enabled=1.)

Comment 10 david walcroft 2006-09-26 00:01:16 UTC
It was not a file but a directory, used rm -rf to remove not as your first line
"rm /var/log/audit".

