Good hint, thanks! Running `dmesg | grep audit_pid` revealed the pid of the already running process!
-----Original Message-----
From: Richard Guy Briggs <[email protected]>
Sent: Thursday, May 16, 2019 15:57
To: Wolff Felix (ETAS-SEC/ECT-Be) <[email protected]>
Cc: [email protected]
Subject: Re: Error starting auditd

On 2019-05-16 10:47, Wolff Felix (ETAS-SEC/ECT-Be) wrote:
> Hello,

Hi Felix,

> I am currently porting auditd to a new platform. When starting it using
> `auditd -f`, I get the following error:
>
> "Error setting audit daemon pid (File exists)"
>
> It occurs during the call to `audit_set_pid(fd, getpid(), WAIT_YES);` in
> auditd.c. If I understand correctly, this call registers auditd with the
> kernel, is that correct? fd looks like a valid file descriptor, at least its
> >0. Especially the "file exists" part confuses me. In which direction can I
> investigate that error?

It appears you already have a process/task that is registered with the
kernel for this purpose and it is still alive and healthy. On a normal
system I would say it is likely auditd that was started by the system.
On yours, are you sure you haven't got a previous one already at least
partly running?

The line responsible in the kernel is here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/audit.c#n1262

> Thank you and greets,
> Felix

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
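
The `dmesg | grep audit_pid` check from this thread, turned into a small script as an added example (not part of the original messages and not code from the audit project). It assumes the kernel logs registration attempts as `audit_pid=<new> old=<current> ... res=<0|1>`; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `dmesg` output (assumed record format, not from the thread).
SAMPLE_LOG='[    3.101] audit: type=1305 audit(1558015001.100:2): audit_pid=300 old=0 auid=4294967295 ses=4294967295 res=1
[   40.220] audit: type=1305 audit(1558015038.220:7): audit_pid=0 old=300 auid=4294967295 ses=4294967295 res=1
[   41.900] audit: type=1305 audit(1558015039.900:8): audit_pid=412 old=0 auid=4294967295 ses=4294967295 res=1
[   95.730] audit: type=1305 audit(1558015093.730:15): audit_pid=977 old=412 auid=0 ses=1 res=0'

# stdin: kernel log text; stdout: one "new old res" triple per audit_pid record.
audit_pid_events() {
    sed -n 's/.*audit_pid=\([0-9]*\) old=\([0-9]*\).* res=\([01]\).*/\1 \2 \3/p'
}

# PID left registered after replaying every successful change (res=1).
# audit_pid=0 with res=1 is an unregistration, so the result can be 0.
registered_audit_pid() {
    audit_pid_events | awk '$3 == 1 { cur = $1 } END { print cur + 0 }'
}

# For rejected registrations (res=0, new pid non-zero) the old= field names
# the daemon that was already registered, i.e. the cause of "File exists".
blocking_pids() {
    audit_pid_events | awk '$3 == 0 && $1 != 0 { print $2 }' | sort -un
}

# Command name of a PID, to tell a leftover auditd from something else.
daemon_name() {
    cat "/proc/$1/comm" 2>/dev/null || echo "(not running)"
}

# On a live system, replace the sample with: dmesg | registered_audit_pid
pid=$(printf '%s\n' "$SAMPLE_LOG" | registered_audit_pid)
echo "kernel-registered audit daemon pid: $pid ($(daemon_name "$pid"))"
for b in $(printf '%s\n' "$SAMPLE_LOG" | blocking_pids); do
    echo "a registration attempt was rejected because pid $b was registered"
done
```

If the registered PID is still alive, stop that process before starting `auditd -f` again.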
