Re: auditd fails to start on FC6 system, newer kernels effect?
Hi,
Just a quick update on this in case any one was curious...turns out that the
audit system was not in his kernel config. Its working now.
-Steve
On Monday 19 November 2007 01:23:25 pm Stephen Smalley wrote:
On Sat, 2007-11-17 at 04:31 -0500, Gene Heskett wrote:
> Greetings;
>
> FC6 system, uptodate, kernel 2.6.24-rc3, but this has existed since I
> re-enabled selinux in permissive mode just to see what complained.
>
> The manpage says to use the -f option for foreground troubleshooting, so
> here goes:
>
> [root@coyote linux-2.6.24-rc3]# man auditd
> [root@coyote linux-2.6.24-rc3]# which auditd
> /sbin/auditd
> [root@coyote linux-2.6.24-rc3]# auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> log_format_parser called with: RAW
> priority_boost_parser called with: 3
> flush_parser called with: INCREMENTAL
> freq_parser called with: 20
> num_logs_parser called with: 4
> dispatch_parser called with: /sbin/audispd
> qos_parser called with: lossy
> max_log_size_parser called with: 5
> max_log_size_action_parser called with: ROTATE
> space_left_parser called with: 75
> space_action_parser called with: SYSLOG
> action_mail_acct_parser called with: root
> admin_space_left_parser called with: 50
> admin_space_left_action_parser called with: SUSPEND
> disk_full_action_parser called with: SUSPEND
> disk_error_action_parser called with: SUSPEND
> Started dispatcher: /sbin/audispd pid: 7828
> type=DAEMON_START msg=audit(1195291550.719:1106) auditd start, ver=1.4.2,
> format=raw, auid=4294967295 pid=7824 res=success, auditd pid=7824
> config_manager init complete
> Error setting audit daemon pid (Connection refused)
> type=DAEMON_ABORT msg=audit(1195291550.720:1107) auditd error halt,
> auid=4294967295 pid=7824 res=failed, auditd pid=7824
> Unable to set audit pid, exiting
> The audit daemon is exiting.
> Error setting audit daemon pid (Connection refused)
> [root@coyote linux-2.6.24-rc3]#
>
> Connection refused sounds as if something else isn't running that should
> be, but no direct clue, so what else needs to run too, before auditd?
More of a question for linux-audit (cc'd). Offhand, I'd guess that the
ECONNREFUSED is coming from the netlink code, but I don't know why.
Running it under strace might be illuminating.