On Friday, August 16, 2013 11:48:37 AM zhu xiuming wrote:
> Thank you so much for the quick response. I just want to send out this
> email, because I used auditd -f to find out it was still the permission
> issue of audit.log.
> What I wanted to do is let someone other than root be able to read the
> audit.log. Should I change the log_group setting?

Yes.

> It seems audit.log permission is 0600. Only root can read it.

You should create a group for reading audit logs and add the user to it. You
may need to change the group on the log files initially and chmod them to 0640.
But auditd will correctly set the permission and group on all future files.
-Steve
On Fri, Aug 16, 2013 at 11:43 AM, Steve Grubb
<sgrubb(a)redhat.com> wrote:
> On Friday, August 16, 2013 11:38:32 AM zhu xiuming wrote:
> > Hi
> > Suddenly, my auditd can't start. I do not know why.
> > I remember I changed some permission settings on /var/log/audit.
> > However, even if I change it back, the auditd can't be started.
> >
> > I looked at the audit.log. It only shows the daemon is closed
> > successfully
> >
> > I wonder whether there is another log file I should look at.
>
> It writes failure messages to /var/log/messages. I sometimes troubleshoot
> issues by starting the daemon by hand in the foreground mode so that
> everything is written to the screen. /sbin/auditd -f
>
> -Steve
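
The following is an added example, not part of the original thread or of the audit project's code: a dry-run check that reads `log_file` and `log_group` from an auditd.conf and prints the `chgrp`/`chmod 0640` commands still needed on the existing log files, as described in the reply above. The function names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Prints the one-time fixes
# needed on existing audit logs; it changes nothing itself.
# Assumes GNU coreutils stat (-c %G / %a).

# conf_value FILE KEY: print the value of a "KEY = value" line in auditd.conf
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1
}

# audit_log_fixes CONF: print chgrp/chmod commands for non-compliant log files
audit_log_fixes() {
    conf=$1
    log_file=$(conf_value "$conf" log_file)
    log_group=$(conf_value "$conf" log_group)
    if [ -z "$log_file" ] || [ -z "$log_group" ]; then
        echo "log_file or log_group not set in $conf" >&2
        return 2
    fi
    # Rotated logs sit beside the active one: audit.log.1, audit.log.2, ...
    for f in "$log_file" "$log_file".[0-9]*; do
        [ -f "$f" ] || continue          # skip an unmatched glob
        grp=$(stat -c %G "$f")           # owning group name
        mode=$(stat -c %a "$f")          # octal mode, e.g. 600
        [ "$grp" = "$log_group" ] || echo "chgrp $log_group $f"
        [ "$mode" = "640" ] || echo "chmod 0640 $f"
    done
}

# Typical use (as root), after setting log_group in the config:
#   audit_log_fixes /etc/audit/auditd.conf
```

Empty output means the existing files already match the configured group and mode 0640.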