I'm using RHEL 4.6. auditd was set on for run levels 1-5. I changed something (?), now my system won't boot. It hangs on "Starting auditd:". I tried adding "enforcing=0" to GRUB. I tried adding "selinux=0" to GRUB. I tried adding "auditd=0" to GRUB. I've tried them separatly, as well as, in various combinations. I've tried entering "I" to go into interactive mode but, I'm not fast enough to hit that millisecond window.

How can I skip/get pass the "Starting auditd:"?

Boot into single user mode and disable the startup script. After the system boots, rerun the startup script and see where it hangs.

stickman,

Exactly, how do I disable the startup script from single user mode?

Once, I disable the startup script, I reboot the machine, correct?
After, it has rebooted, then I manually run the startup script, correct? (how?)
Am I running the startup script completely? Or am I modifying the startup script first?

I appreciate your help,

Thanks

Ok, with the help from another forum, I was successful in narrowing down the location of the problem. It appears to be an initlog statement. Here is a copy of the trace. Any further insite is greatly appreciated.

[root@localhost init.d]# bash -x ./auditd start
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
++ export PATH
++ '[' –z '' ']'
++ COLUMNS=80
++ '[' –z '' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -f /etc/sysconfig/i18n -a -z '' ']'
++ . /etc/sysconfig/i18n
+++ LANG=en_US.UTF-8
+++ SUPPORTED=en_US.UTF-8:en_US:en
+++ SYSFONT=latarcyrheb-sun16
++ '[' pty '!=' pty ']'
++ '[' –n '' ']'
++ export LANG
++ '[' –z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ GRAPHICAL=yes
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[O;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ LOGLEVEL=3
+++ PROMPT=yes
++ '[' pty = serial ']'
++ '[' color '!=' verbose ']'
++ INITLOG_ARGS=-q
++ id -u
+ test 0 = 0
+ test -f /etc/sysconfig/auditd
+ . /etc/sysconfig/auditd
++ EXTRAOPTIONS=-f
++ AUDITD_LANG=en_US
++ AUDITD_CLEAN_STOP=yes
++ AUDITD_DISABLE_CONTEXT=no
+ test -x /sbin/auditd
+ test -f /etc/auditd.conf
+ RETVAL=O
+ prog=auditd
+ case "$1" in
+ start
+ echo -n 'Starting auditd: '
Starting auditd: + '[' -z en_US -o en_US none -o en_US NONE ']'
+ LANG=en_US
+ LC_TIME=en_US
+ LC_ALL=en_US
+ LC_MESSAGES=en_US
+ LC_NUMERIC=en_US
+ LC_MONETARY=en_US
+ LC_COLLATE=en_US
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ unset HOME MAIL USER USERNAME
+ daemon auditd -f
+ local gotbase= force=
+ local base= user= nice= bg= pid=
+ nicelevel=O
+ '[' auditd '!=' auditd ']'
+ '[' –z '' ']'
+ base=auditd
+ '[' -f /var/run/auditd.pid ']'
+ '[' –n '' –a –z '' ']'
+ ulimit -S -c 0
+ '[' –n '' ']'
+ '[' color = verbose -a -z '' ']'
+ '[' –z '' ']'
+ initlog -q -c 'auditd -f'

The above line is where it hangs.

Thanks again

The problem here with 'initlog' is that how it is used in the function "daemon" inside sourced /etc/rc.d/init.d/functions is that with "-q" it will not make regular 'auditd' output show up in syslog, thus making you lose possible clues...


As root issue '/sbin/chkconfig --level 12345 auditd off' to keep it from starting up on boot.


Yes or run 'telinit 3' if you want to move to multi-user networked mode.


I suggest you first run it as '/sbin/auditd -f' as this would show errors in the console and keeps the process in the foreground making it easier to CTRL+C when you hit an error. Another way could be to backup your current audit.rules and start with a clean slate, review all rules, add them one by one (also see 'man auditctl') and test. The most efficient way IMHO however would be to revisit changes you made as that's what caused all the trouble in the first place. If you have no recollection or evidence of changes (user shell history, syslog, admin log, backups) then by now you know why making backups comes in handy, why some people prefer to track configuration changes using any revision control system and why some keep admin change logs...

Okay, I removed "-q" and isolated the problem but, still no solution. I changed the .conf and rules files back to their defaults. When I run "initlog -c 'auditd -f'" (without the double quotes), I get the following:

[root@localhost ~]# initlog -c 'auditd -f'
Config file /etc/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
type=DAEMON_START msg=audit(1303942778.014:4537) auditd start, ver=1.0.15, format=raw, auid=4294967295 res=sucess, auditd pid=14874
type=CONFIG_CHANGE msg=audit(1303942778.013:3): audit_enabled=1 old=0 by auid=4294967295
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
config_manager init complete
Init complete, auditd 1.0.15 listening for events
█

The cursor just blinks here, it never returns to the command prompt. I’m assuming this is where it is hanging in the startup script. How do I force it to exit and/or release back to the system so thing can continue in the startup script?