On 18/03/17 at 01:26, Russell Coker wrote:
> The command "systemctl status auditd.service" reports the following:
> Mar 18 11:16:03 unicorn augenrules[3582]: failure 1
> Mar 18 11:16:03 unicorn augenrules[3582]: pid 0
> Mar 18 11:16:03 unicorn augenrules[3582]: rate_limit 0
> Mar 18 11:16:03 unicorn augenrules[3582]: backlog_limit 8192
> Mar 18 11:16:03 unicorn augenrules[3582]: lost 167
> Mar 18 11:16:03 unicorn augenrules[3582]: backlog 0
> Mar 18 11:16:03 unicorn augenrules[3582]: backlog_wait_time 0
> Mar 18 11:16:03 unicorn systemd[1]: Failed to start Security Auditing Service.
> Mar 18 11:16:03 unicorn systemd[1]: auditd.service: Unit entered failed state.
> It turns out that this is due to "/sbin/auditctl -R /etc/audit/audit.rules"
> (which is run by the start scripts) giving the following output:
> No rules
> enabled 0
> failure 1
> pid 0
> rate_limit 0
> backlog_limit 8192
> lost 167
> backlog 0
> backlog_wait_time 0
> enabled 0
> failure 1
> pid 0
> rate_limit 0
> backlog_limit 8192
> lost 167
> backlog 0
> backlog_wait_time 0
> enabled 0
> failure 1
> pid 0
> rate_limit 0
> backlog_limit 8192
> lost 167
> backlog 0
> backlog_wait_time 0
> Why is it giving "failure 1"?
> Also this is no reason for auditd to not run. The auditd daemon stores useful
> information (such as SE Linux log messages) even when the system is unable to
> load audit rules.
I have the same output on my machine here and the audit daemon is running:
bigon@fornost:~$ sudo /sbin/auditctl -R /etc/audit/audit.rules
No rules
enabled 1
failure 1
pid 739
rate_limit 0
backlog_limit 8192
lost 385
backlog 0
backlog_wait_time 0
enabled 1
failure 1
pid 739
rate_limit 0
backlog_limit 8192
lost 385
backlog 0
backlog_wait_time 0
enabled 1
failure 1
pid 739
rate_limit 0
backlog_limit 8192
lost 385
backlog 0
backlog_wait_time 0
bigon@fornost:~$ echo $?
0
Do you have the full output of journald? journalctl -b -u auditd.service
Do you have any specific rules in there?
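An added example, not code from either poster, that parses auditctl status blocks like the ones quoted in this thread and reports what each field means for monitoring. The sample text is constructed to mirror the first block above; the meaning of the failure values (0 silent, 1 printk, 2 panic) follows auditctl(8).

```python
import re

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = """No rules
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 167
backlog 0
backlog_wait_time 0
"""

# Kernel audit failure-handling modes as set with "auditctl -f".
FAILURE_MODES = {0: "silent", 1: "printk", 2: "panic"}


def parse_status(text):
    """Split auditctl output into one dict per status block.

    A block is a run of "key value" lines; when a key repeats, a new
    block starts (auditctl prints the status block more than once when
    several settings are applied, as in the output above)."""
    blocks, current = [], {}
    for line in text.splitlines():
        m = re.fullmatch(r"(\w+) (\d+)", line.strip())
        if not m:
            continue  # e.g. "No rules" is not a status field
        key, value = m.group(1), int(m.group(2))
        if key in current:
            blocks.append(current)
            current = {}
        current[key] = value
    if current:
        blocks.append(current)
    return blocks


def assess(status):
    """Return (healthy, findings) for one parsed status block."""
    findings = []
    if status.get("enabled", 0) == 0:
        findings.append("enabled 0: kernel auditing is off, events are not recorded")
    if status.get("pid", 0) == 0:
        findings.append("pid 0: no auditd registered with the kernel")
    if status.get("lost", 0) > 0:
        findings.append(f"lost {status['lost']}: events dropped, review backlog_limit")
    mode = FAILURE_MODES.get(status.get("failure"), "unknown")
    findings.append(f"failure {status.get('failure')}: failure mode {mode} (a setting, not an error)")
    healthy = status.get("enabled") == 1 and status.get("pid", 0) > 0
    return healthy, findings
```

Run `assess(parse_status(SAMPLE)[-1])` to get the verdict for the last block printed; for the quoted output it reports auditing disabled, no daemon registered, 167 lost events, and failure mode printk.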