I'm using RHEL 4.6. auditd was set on for run levels 1-5. I changed something (?), now my system won't boot. It hangs on "Starting auditd:". I tried adding "enforcing=0" to GRUB. I tried adding "selinux=0" to GRUB. I tried adding "auditd=0" to GRUB. I've tried them separately, as well as in various combinations. I've tried entering "I" to go into interactive mode, but I'm not fast enough to hit that millisecond window.
Exactly how do I disable the startup script from single user mode?
Once I disable the startup script, I reboot the machine, correct?
After it has rebooted, I then manually run the startup script, correct? (how?)
Am I running the startup script completely? Or am I modifying the startup script first?
I appreciate your help,
Thanks
Last edited by jc56dc57; 04-18-2011 at 11:42 AM.
Reason: Forgot some important questions.
Ok, with the help from another forum, I was successful in narrowing down the location of the problem. It appears to be an initlog statement. Here is a copy of the trace. Any further insight is greatly appreciated.
The problem here with 'initlog' is that, as it is used in the function "daemon" inside the sourced /etc/rc.d/init.d/functions, with "-q" it will not make regular 'auditd' output show up in syslog, thus making you lose possible clues...
Quote:
Originally Posted by jc56dc57
Exactly how do I disable the startup script from single user mode?
As root, issue '/sbin/chkconfig --level 12345 auditd off' to keep it from starting up on boot.
Quote:
Originally Posted by jc56dc57
Once I disable the startup script, I reboot the machine, correct?
Yes, or run 'telinit 3' if you want to move to multi-user networked mode.
Quote:
Originally Posted by jc56dc57
After it has rebooted, I then manually run the startup script, correct? (how?)
I suggest you first run it as '/sbin/auditd -f', as this would show errors in the console and keeps the process in the foreground, making it easier to CTRL+C when you hit an error. Another way could be to back up your current audit.rules and start with a clean slate, review all rules, add them one by one (also see 'man auditctl') and test. The most efficient way IMHO, however, would be to revisit changes you made, as that's what caused all the trouble in the first place. If you have no recollection or evidence of changes (user shell history, syslog, admin log, backups) then by now you know why making backups comes in handy, why some people prefer to track configuration changes using any revision control system and why some keep admin change logs...
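The "add them one by one and test" approach from the reply above, sketched as an added example that is not part of the thread or of the audit package. It assumes each non-comment line of audit.rules is one auditctl argument list; `AUDIT_LOADER`, `fake_loader`, `demo` and the sample rules are hypothetical names and constructed data so the logic can be exercised without root.

```sh
# Apply audit rules one line at a time and report every line the loader rejects.
# AUDIT_LOADER is a hypothetical override for dry runs; default is the real auditctl.
test_audit_rules() (
    rules_file=$1
    loader=${AUDIT_LOADER:-/sbin/auditctl}
    lineno=0
    failed=0
    [ -r "$rules_file" ] || { echo "cannot read $rules_file" >&2; exit 2; }
    set -f    # no globbing: a path such as /etc/* in a rule must stay literal
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line                      # split the line into arguments
        [ $# -eq 0 ] && continue          # blank line
        case $1 in \#*) continue ;; esac  # comment line
        if ! "$loader" "$@" </dev/null >/dev/null 2>&1; then
            echo "FAIL line $lineno: $line"
            failed=$((failed + 1))
        fi
    done < "$rules_file"
    [ "$failed" -eq 0 ]                   # status 1 if any rule was rejected
)

# Constructed stand-in loader: rejects any rule naming the syscall "bogus".
fake_loader() {
    case " $* " in *" bogus "*) return 1 ;; esac
    return 0
}

# Constructed sample rules file, run through the stand-in loader.
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# constructed sample rules
-D
-b 256

-w /etc/shadow -p wa
-a exit,always -S bogus
-w /etc/passwd -p wa
EOF
    AUDIT_LOADER=fake_loader test_audit_rules "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}
```

With `AUDIT_LOADER` unset and run as root, `test_audit_rules` followed by the path to a backed-up copy of your rules file feeds each line to the real auditctl, so the first `FAIL` line points at the rule to review.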
Okay, I removed "-q" and isolated the problem, but still no solution. I changed the .conf and rules files back to their defaults. When I run "initlog -c 'auditd -f'" (without the double quotes), I get the following:
[root@localhost ~]# initlog -c 'auditd -f'
Config file /etc/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
type=DAEMON_START msg=audit(1303942778.014:4537) auditd start, ver=1.0.15, format=raw, auid=4294967295 res=sucess, auditd pid=14874
type=CONFIG_CHANGE msg=audit(1303942778.013:3): audit_enabled=1 old=0 by auid=4294967295
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
config_manager init complete
Init complete, auditd 1.0.15 listening for events
█
The cursor just blinks here; it never returns to the command prompt. I’m assuming this is where it is hanging in the startup script. How do I force it to exit and/or release back to the system so things can continue in the startup script?
Last edited by jc56dc57; 04-27-2011 at 05:45 PM.
Reason: Accidentally hit the enter key before I finished the post.