Description of problem: Cannot get audit to run properly Version-Release number of selected component (if applicable):1.1.5-1 How reproducible: reboot computer or restart by using /sbin/services/auditd Steps to Reproduce: 1. 2. 3. Actual results: no reult Expected results: Avec files log to /var/log/audit/auditd.log Additional info:execve("/sbin/auditd", ["auditd"], [/* 19 vars */]) = 0 brk(0) = 0x9825000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdb000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=113366, ...}) = 0 mmap2(NULL, 113366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fbf000 close(3) = 0 open("/lib/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\232"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=112148, ...}) = 0 mmap2(NULL, 78268, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xde8000 mmap2(0xdf8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf) = 0xdf8000 mmap2(0xdfa000, 4540, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xdfa000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\nVqG4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1532528, ...}) = 0 mmap2(NULL, 1254812, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x8c0000 mmap2(0x9ed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x12d) = 0x9ed000 mmap2(0x9f0000, 9628, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x9f0000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fbe000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fbe6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0x9ed000, 8192, 
PROT_READ) = 0 mprotect(0xdf8000, 4096, PROT_READ) = 0 mprotect(0xe97000, 4096, PROT_READ) = 0 munmap(0xb7fbf000, 113366) = 0 set_tid_address(0xb7fbe708) = 13572 sendto(-1208228080, ptrace: umoven: Input/output error 0xc, 14651380, MSG_EOR|MSG_ERRQUEUE|MSG_DONTWAIT|MSG_FIN|MSG_SYN|MSG_NOSIGNAL|MSG_MORE|0xb7fb0000, {sa_family=AF_DECnet, sa_data="\0\0\304\220\231G\r\0\0\0\304 \232G"}, 3217340120) = 0 rt_sigaction(SIGRTMIN, {0xdec66b, [], SA_SIGINFO}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0xdec5a0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0 _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbfc4b430, 31, (nil), 0}) = 0 umask(077) = 022 umask(022) = 077 getuid32() = 0 rt_sigaction(SIG_0, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument) rt_sigaction(SIGHUP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGINT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGQUIT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGILL, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTRAP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGABRT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGBUS, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGFPE, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGKILL, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument) rt_sigaction(SIGUSR1, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSEGV, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGALRM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTERM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSTKFLT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGCHLD, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGCONT, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSTOP, {SIG_IGN}, NULL, 8) = -1 EINVAL (Invalid argument) rt_sigaction(SIGTSTP, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTTIN, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTTOU, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGURG, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGXCPU, {SIG_IGN}, 
NULL, 8) = 0 rt_sigaction(SIGXFSZ, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGVTALRM, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPROF, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGWINCH, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGIO, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGPWR, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGSYS, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_2, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_3, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_4, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_5, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_6, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_7, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_8, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_9, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_10, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_11, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_12, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_13, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_14, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_15, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_16, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_17, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_18, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_19, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_20, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_21, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_22, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_23, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_24, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_25, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_26, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_27, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_28, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_29, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_30, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_31, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGRT_32, {SIG_IGN}, NULL, 8) = 0 rt_sigaction(SIGTERM, {0xaf22c0, [], 0}, NULL, 8) = 0 rt_sigaction(SIGHUP, {0xaf22e0, [], 0}, NULL, 8) = 0 rt_sigaction(SIGUSR1, {0xaf2300, [], 0}, NULL, 8) = 0 rt_sigaction(SIGUSR2, {SIG_IGN}, NULL, 8) = 0 
rt_sigaction(SIGCHLD, {0xaf24d0, [], 0}, NULL, 8) = 0 setrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 setrlimit(RLIMIT_CPU, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 brk(0) = 0x9825000 brk(0x9846000) = 0x9846000 open("/etc/auditd.conf", O_RDONLY|O_NOFOLLOW) = 3 fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0 fcntl64(3, F_GETFL) = 0x20000 (flags O_RDONLY|O_NOFOLLOW) fstat64(3, {st_mode=S_IFREG|0640, st_size=432, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fda000 _llseek(3, 0, [0], SEEK_CUR) = 0 read(3, "#\n# This file controls the confi"..., 4096) = 432 open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 ENOTDIR (Not a directory) time(NULL) = 1158810051 open("/etc/localtime", O_RDONLY) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 fstat64(4, {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd9000 read(4, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0"..., 4096) = 160 close(4) = 0 munmap(0xb7fd9000, 4096) = 0 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 socket(PF_FILE, SOCK_DGRAM, 0) = 4 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0 send(4, "<11>Sep 21 13:40:51 auditd: Coul"..., 79, MSG_NOSIGNAL) = 79 close(3) = 0 munmap(0xb7fda000, 4096) = 0 time(NULL) = 1158810051 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=160, ...}) = 0 send(4, "<14>Sep 21 13:40:51 auditd: The "..., 56, MSG_NOSIGNAL) = 56 unlink("/var/run/auditd.pid") = -1 ENOENT (No such file or directory) close(4) = 0 exit_group(6) = 
? Process 13572 detached [david@reddwarf ~]$
It probably would have been better to look in syslog to see what was being reported. In any event, this line seems to show the problem: >open("/var/log/audit", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = -1 > ENOTDIR (Not a directory) I have the new package installed and find this: [root ~]# rpm -ql audit | grep log /var/log/audit [root ~]# rpm -qf /var/log/audit audit-1.2.7-4.fc5 Something happened to your /var/log/audit directory. Could you check on this and see if it exists and maybe make the directory? The audit rpm package was the owner and should have made it at installation.
Yes 'Audit' exists :- -rw-r--r-- 1 root root 0 Apr 23 15:05 /var/log/audit
The above seems to indicate that /var/log/audit is a file and not a directory. I have no idea how this could happen. You should: rm /var/log/audit mkdir /var/log/audit chmod 0660 /var/log/audit service auditd restart
You might need to do restorecon /var/log/audit before starting the audit daemon in the above corrective action.
Restarting Audit failed
Syslog messages? Also did you do the steps I asked?
This should fix it: rm /var/log/audit mkdir /var/log/audit chmod 0750 /var/log/audit restorecon /var/log/audit service auditd restart
I used the sequence above and these are the last two lines from tail /var/log/messages. Sep 25 14:38:52 reddwarf kernel: audit(1159159132.585:340): audit_pid=4593 old=0 by auid=4294967295 subj=user_u:system_r:auditd_t:s0 Sep 25 14:38:52 reddwarf auditd[4593]: Init complete, auditd 1.2.7 listening for events less /var/log/audit/audit.log audtype=DAEMON_START msg=audit(1159159132.587:4914) auditd start, ver=1.2.7, format=raw, auid=4294967295 pid=4593 res=success, a uditd pid=45 type=CONFIG_CHANGE msg=audit(1159159132.685:341): audit_enabled=1 old=0 by auid=4294967295 subj=user_u:system_r:auditd_t:s0 type=CONFIG_CHANGE msg=audit(1159159132.693:342): audit_backlog_limit=256 old=256 by auid=4294967295 subj=user_u:system_r:aud itctl_t:s0 it.log
ok, looks like you are in business. No idea how that directory became a file, but that was the problem. Let me know if I can be of further assistance.
It was not a file but a directory; I used rm -rf to remove it, not "rm /var/log/audit" as in your first line.