chkconfig --add auditd

mccartjd · 05-20-2008, 08:14 AM

RHEL 4 Workstation 64bit Kernel 2.6.9.5-ELsmp

Typing chkconfig --add auditd results in below:

"error reading information on service auditd: No such file or directory"

Typing "chkconfig --add /sbin/auditd" has same results.

Can't understand why I can not add auditd. If I type

"chkconfig auditd" I get no errors. I type auditd and I get a PID #. I'm attempting add what I think is a service (auditd) and allow it to remain running after root logs out. Using the add service GUI interface pretty much results in th

e same. Am I typing somthing wrong?

ChrisAbela · 05-20-2008, 09:02 AM

I have booted up my RHEL4 so maybe I can help. Check if auditd is already configured as a service:

# chkconfig --list auditd

If you get any output like:

auditd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

then you need only switch the service on:

# chkconfig auditd on

Then reboot or start the service manually:

#service auditd start

mccartjd · 05-20-2008, 02:46 PM

Typed:

# chkconfig --list auditd

Response:

error reading information on service auditd no such file or directory

Thanks
John

mccartjd · 05-21-2008, 06:55 AM

ChrisAbela,

I got it working! History - This ystem arrived from Dell 5 months ago pre-installed. I was hired to configure the system in a secure manner. One of the requirements was to setup proper auditing and I was told that auditd complemented and enhanced the default setup.

After weeks of working this issue I learned that no up2date functions were conducted so many of these rpm files were way out of date. Working with RedHat customer support performed a
up2date (did not specify which .rpm) and 15 minutes later, updated the up2date rpm and audit rpm "only" (there were many more I might look at later). Rebooted and now auditd is working as designed.

I'm using the System Log GUI interface and pointed to the auditd.log file and noticed only two events (PID assigned to Auditd which has been activated and Kernel Message that audit was enabled) not users access files or failures to Kill processes. Maybe I need to readup on the auditctrl manpage?

John

unSpawn · 05-21-2008, 07:43 AM

Quote:

Originally Posted by mccartjd

I'm using the System Log GUI interface and pointed to the auditd.log file and noticed only two events (PID assigned to Auditd which has been activated and Kernel Message that audit was enabled) not users access files or failures to Kill processes. Maybe I need to readup on the auditctrl manpage?

Even after consolidation you have three threads rolling about the same subject. I suggest you read the manual and continue discussing SNARE, Auditd and rules here http://www.linuxquestions.org/questi...snare.-642459/.

ChrisAbela · 05-21-2008, 08:47 AM

I am glad to read that you managed to set it up (despite) my help :-).
And thank you for the feed back.

Chris Abela

Tinkster · 05-21-2008, 03:28 PM

mccartjd: please get your act together and keep your threads in ONE place.

http://www.linuxquestions.org/questi...snare.-642459/

Closed.