Good hint, thanks! Running `dmesg | grep audit_pid` revealed the pid of the already
running process!
-----Original Message-----
From: Richard Guy Briggs <rgb(a)redhat.com>
Sent: Thursday, 16 May 2019 15:57
To: Wolff Felix (ETAS-SEC/ECT-Be) <Felix.Wolff(a)escrypt.com>
Cc: Linux-audit(a)redhat.com
Subject: Re: Error starting auditd
On 2019-05-16 10:47, Wolff Felix (ETAS-SEC/ECT-Be) wrote:
> Hello,

Hi Felix,

> I am currently porting auditd to a new platform. When starting it
> using `auditd -f`, I get the following error:
> "Error setting audit daemon pid (File exists)"
> It occurs during the call to `audit_set_pid(fd, getpid(), WAIT_YES);` in auditd.c. If I
> understand correctly, this call registers auditd with the kernel, is that correct? fd
> looks like a valid file descriptor, at least it's >0. Especially the "file
> exists" part confuses me. In which direction can I investigate that error?

It appears you already have a process/task that is registered with the kernel for this
purpose and it is still alive and healthy. On a normal system I would say it is likely
auditd that was started by the system.
On yours, are you sure you haven't got a previous one already at least partly
running?
The line responsible in the kernel is here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/k...

> Thank you and greets,
> Felix

- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
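
The `dmesg | grep audit_pid` check from the top of this thread, as an added shell example that is not part of the original messages: it works out which pid currently holds the audit daemon registration and whether that process still exists. It assumes the kernel logs each registration attempt as an `audit_pid=<new> old=<current> ... res=<0|1>` record; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample kernel log (not taken from the thread): the system's
# auditd registers as pid 412, then a second "auditd -f" (pid 980) is
# rejected, which is the "File exists" (EEXIST) case discussed above.
SAMPLE_LOG='[    4.112233] audit: type=1305 audit(1558000000.100:2): audit_pid=412 old=0 auid=4294967295 ses=4294967295 res=1
[   95.250000] audit: type=1305 audit(1558000091.200:58): audit_pid=980 old=412 auid=0 ses=1 res=0'

# Read kernel log text on stdin and print the pid that holds the audit
# daemon registration after the last audit_pid record. 0 = nobody registered.
registered_audit_pid() {
    awk '
        /audit_pid=/ {
            new = ""; old = ""; res = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "audit_pid") new = kv[2]
                else if (kv[1] == "old")  old = kv[2]
                else if (kv[1] == "res")  res = kv[2]
            }
            if (new == "") next
            # res=1: the change was accepted, the new pid is registered.
            # res=0: the change was rejected, the old pid stays registered.
            cur = (res == "0") ? old : new
        }
        END { if (cur != "") print cur }
    '
}

# Classify the registration: unknown (no records), none, alive or stale.
audit_daemon_state() {
    pid=$(registered_audit_pid)
    if [ -z "$pid" ]; then echo "unknown"
    elif [ "$pid" = "0" ]; then echo "none"
    elif [ -d "/proc/$pid" ]; then echo "alive $pid"
    else echo "stale $pid"
    fi
}

# Run against the constructed sample; on a live system: dmesg | audit_daemon_state
printf '%s\n' "$SAMPLE_LOG" | registered_audit_pid
```

An `alive` result means a second `auditd` will keep failing with "File exists" until that process is stopped.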