Old 01-31-2011, 07:32 AM   #1
mufy
** failed setting kernel audit objects


Across the internet the problem is a known issue - due to a syntax error in /etc/security/audit/objects. This is my object file on node 2 where 'audit start' fails:
prapb242[/etc/security/audit] # cat objects

/etc/security/environ:
w = "S_ENVIRON_WRITE"

/etc/security/group:
w = "S_GROUP_WRITE"

/etc/security/limits:
w = "S_LIMITS_WRITE"

/etc/security/login.cfg:
w = "S_LOGIN_WRITE"

/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"

/etc/security/user:
w = "S_USER_WRITE"

/etc/security/audit/config:
w = "AUD_CONFIG_WR"

/etc/hosts.allow:
w = "S_ALLOW_WRITE"

/etc/hosts.deny:
w = "S_DENY_WRITE"

I have the same file on node 1 of a cluster. I'm able to start audit without any problem.

What am I missing?
 
Old 02-01-2011, 05:58 AM   #2
mufy
Based on feedback I received from other forums this is what I did -

This is what the diff produced -
Code:
prapb241[/etc/security/audit] # diff objects.prapb242 objects.prapb241 
24c24 
< /etc/hosts.allow: 
--- 
> /etc/hosts.allow : 
27c27 
< /etc/hosts.deny: 
--- 
> /etc/hosts.deny :
The only thing I could find is the difference in the 'space' before the ':' -
Code:
prapb241[/etc/security/audit] # grep /etc/hosts objects.prapb241 
/etc/hosts.allow : 
/etc/hosts.deny : 
prapb241[/etc/security/audit] # grep /etc/hosts objects.prapb242 
/etc/hosts.allow: 
/etc/hosts.deny: 
So I copied the object file from the working node 'prapb241' to 'prapb242' -
Code:
prapb241[/etc/security/audit] # scp objects.prapb241 prapb242_mgmt:$PWD 
objects.prapb241
Renamed the 'objects.prapb241' file on node 2 as -
Code:
prapb242[/etc/security/audit] # mv objects.prapb241 objects
Restarted the 'audit' service -
Code:
prapb242[/etc/security/audit] # audit shutdown 
auditing reset 
prapb242[/etc/security/audit] # audit start 
** failed setting kernel audit objects
Still fails.


As per another suggestion this is what I did -

Did a check for the existence/absence of 'hosts' files on both the nodes -
Code:
prapb241[/etc/security/audit] # cat objects | grep /etc | cut -f1 -d: | while read x; do ls -ltr $x; done
-rw-r----- 1 root security 60 May 07 2007 /etc/security/environ 
-rw-r----- 1 root security 673 Mar 30 2010 /etc/security/group 
-rw-r----- 1 root security 1879 Aug 03 2010 /etc/security/limits 
-rw-rw---- 1 root security 4969 Jul 13 2010 /etc/security/login.cfg 
-rw------- 1 root security 2616 Jan 23 13:39 /etc/security/passwd 
-rw-r----- 1 root security 15527 Jan 23 13:33 /etc/security/user 
-rw-r----- 1 root audit 3479 Jan 31 15:06 /etc/security/audit/config 
-rw-r--r-- 1 root system 662 Apr 28 2008 /etc/hosts.allow 
-rw-r--r-- 1 root system 126 Apr 28 2008 /etc/hosts.deny 

prapb242[/etc/security/audit] # cat objects | grep /etc | cut -f1 -d: | while read x; do ls -ltr $x; done
-rw-r----- 1 root security 60 May 07 2007 /etc/security/environ 
-rw-r----- 1 root security 673 Mar 30 2010 /etc/security/group 
-rw-r----- 1 root security 1861 Aug 03 2010 /etc/security/limits 
-rw-rw---- 1 root security 4976 Jul 13 2010 /etc/security/login.cfg 
-rw------- 1 root security 2928 Jan 25 11:21 /etc/security/passwd 
-rw-r----- 1 root security 15063 Jan 25 11:21 /etc/security/user 
-rw-r----- 1 root audit 3479 Jan 31 16:17 /etc/security/audit/config 
-rw-r--r-- 1 root system 662 Apr 28 2008 /etc/hosts.allow 
-rw-r--r-- 1 root system 126 Apr 28 2008 /etc/hosts.deny
Nothing missing there either!
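
The two checks made in the posts above (stanza syntax and existence of every audited file) can be run in one pass on a single node, with no second node to diff against. This is an added example, not part of the original thread: `lint_audit_objects` is a hypothetical helper, and the grammar it accepts is an assumption taken from the objects file shown in post #1, with or without a space before the ':'.

```shell
#!/bin/sh
# Added example: lint an AIX-style audit objects file.
# Assumed grammar (from the file shown in the thread):
#   /absolute/path:  or  /absolute/path :     stanza header
#   r|w|x = "EVENT_NAME"                      access-mode line in a stanza
# Lines starting with '*' are treated as comments (AIX stanza-file style).
# Prints one finding per line as "<line>: <message>"; nothing if clean.
lint_audit_objects() {
    file=$1

    # Pass 1: syntax. awk acts as a small stanza parser.
    awk '
        index($0, "\r") {                 # DOS line ending or stray CR
            print NR ": carriage return in line"
            gsub(/\r/, "")                # keep checking the cleaned line
        }
        /^[ \t]*$/ || /^[ \t]*\*/ { next }             # blank or comment
        /^\/[^ \t:]*[ \t]*:[ \t]*$/ { in_stanza = 1; next }
        /^[ \t]*[rwx][ \t]*=[ \t]*"[^" \t]+"[ \t]*$/ {
            if (!in_stanza)
                print NR ": access mode before any stanza header"
            next
        }
        { print NR ": unrecognized line: " $0 }
    ' "$file"

    # Pass 2: every object named in a stanza header must exist.
    tr -d '\r' < "$file" |
    awk '/^\/[^ \t:]*[ \t]*:[ \t]*$/ {
            sub(/[ \t]*:[ \t]*$/, "")     # strip the colon and padding
            print NR, $0
        }' |
    while read -r n path; do
        [ -e "$path" ] || echo "$n: object does not exist: $path"
    done
}

# Stand-alone use: sh lint.sh /etc/security/audit/objects
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    lint_audit_objects "$1"
fi
```

A clean result only says this file is well formed under the assumed grammar; it does not rule out causes outside the objects file.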
 
  

