Ask Your Question
1

auditd.service fails

asked 2016-03-15 14:13:48 -0600

florian gravatar image

updated 2016-03-15 14:14:51 -0600

Hi, systemctl --failed revealed that auditd.service is not running properly:

  UNIT           LOAD   ACTIVE SUB    DESCRIPTION
● auditd.service loaded failed failed Security Auditing Service

systemctl status auditd.service shows:

● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2016-03-15 14:35:20 EDT; 33min ago
  Process: 1076 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
  Process: 1075 ExecStart=/sbin/auditd -n (code=exited, status=6)
 Main PID: 1075 (code=exited, status=6)

systemd[1]: Starting Security Auditing Service...
auditctl[1076]: No rules
systemd[1]: Started Security Auditing Service.
auditd[1075]: Could not open dir /var/log/audit (No such file or directory)
auditd[1075]: The audit daemon is exiting.
systemd[1]: auditd.service: main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: Unit auditd.service entered failed state.

My question are:

  • Is that a problem?
  • Why don't I have /var/log/audit?
  • What does status=6 mean?
  • How could I fix it?
edit retag flag offensive close merge delete

Comments

hhlp gravatar imagehhlp ( 2016-03-15 14:44:25 -0600 )edit

CLOSED CURRENTRELEASE:

Status: NEW → CLOSED Resolution: --- → CURRENTRELEASE Last Closed: 2015-06-07 19:27:31

Does that mean the bug is supposed to be fixed? That should have reached me, 8 months after fixing it, right? Should I maybe open a new ticket?

florian gravatar imageflorian ( 2016-03-15 15:08:27 -0600 )edit

@Florian yep 1.- not is closed, 2.- Yes, you should open a new ticket 3.-Are you Disabling service's that you considered obsolet??? , like neil describe in the bug report ? watch out of this ...

hhlp gravatar imagehhlp ( 2016-03-15 15:26:40 -0600 )edit

@hhlp. Thanks for pointing me into the right direction! Here is the new bug, and no, I would never disable a service that is failing, neither do I consider it obsolete. That's not a bug fix in my opinion.

florian gravatar imageflorian ( 2016-03-15 16:14:07 -0600 )edit

1 Answer

Sort by » oldest newest most voted
2

answered 2016-03-16 10:39:19 -0600

florian gravatar image

updated 2016-03-16 11:33:02 -0600

Writing my own answer to let you know what fixed it:

After reported a bug, I found out that problem is related to permissions of /var/log/audit.

rpm -qvl audit | grep var showed that permissions should be the following:

drwxr-x---    2 root    root                  0 Mar 14 12:24 /var/log/audit

Since that wasn't the case, I tried to adjust them manually: (as root) chmod 750 /var/log/audit/ and chroot root:root /var/log/audit/.

Interestingly this didn't fix the problem. I still got a

auditd[1079]: Unable to create /var/log/audit/audit.log (Permission denied)

I decided to reinstall the audit package by running dnf reinstall audit which finally solved my problem.

Now, systemctl status auditd.service reports active (running) , and aureport delivers a nice summary.

edit flag offensive delete link more

Comments

After setting the permissions correctly, a restorecon /var/log/audit/ would have fixed it maybe too (restores SELinux security context for folder/files).

florian gravatar imageflorian ( 2016-03-16 11:32:30 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2016-03-15 14:13:48 -0600

Seen: 6,298 times

Last updated: Mar 16 '16