In FC4, somwhow, I have auditd running. I found how to disable it, but I really want it to not run anymore. How? Root cannot even kill -9 this process. What starts that thing, anyway?
TIA, Ray

As root, run:

chkconfig --level 35 auditd off



Zubin Parihar

Thank you, and that ran without any comment. Level 35??? What the heck is that?
Further, I don't really want to reboot the box, is there a way to kill the now running auditd?

Hi !!

Excuse me if I get anything wrong here - first post. Am a -ish experienced *nix admin, but mostly with Solaris. Just installed fc4 as a home server with 2 fc4 clients... looking good so far

Anyway -

chkconfig is used to set the on/off levels of services, with levels being the systems "init" level (or "runlevel"). For example, init level 3 is full networking system, without starting X (I think), whereas init level 5 is usually with X started. Try logging in as root and running an init 6 when you want to reboot your system.

So that chkconfig line above turns off the auditd service at levels 3 or 5. You could also do a "chkconfig auditd off" to turn it off at all runlevels.

Another good command is "service". If you try "service auditd status", it will probably tell you it's running, with it's pid (process id - find using "ps -ef | grep pid"). To start a service you can use "service auditd stop"... Try running "service servicename" to find out which parameters can be passed to a service - usually start/stop/restart/status/reload.

Hope this has helped make things a little clearer - and sorry if I'm teaching you to suck eggs :P

Rgds

PapaLaz

Not at all, thank you very much. I JUST NOW learned that chkconfig can take multiple level arguments, as in 35 to cut it off in those 2 levels. I did not know that. Helpful. I start in level 3, but, should I ever change to the GUI login, things should match, and there be no surprises.

The service command does not know a thing about auditd, though.

A kill -9 wont stop the thing either.
Oh, well, the next boot should get it done.

Strange that the "service" command doesn't recognise auditd. Is this with a standard FC4 install ?? Or have you been moving scripts from /etc/init.d ??

My output :

[root@home1 ~]# service auditd
Usage: /etc/init.d/auditd {start|stop|status|restart|condrestart|reload}
[root@home1 ~]#

Anyway, if you're sure the service command isn't picking it up, you could always try "/etc/init.d/auditd stop".

Rgds
PapaLaz

Thanks again. Yes, it's pretty much standard. I upgraded from FC3 to FC4, but haven't had occasion to mess with the serice scripts, they're all stock.

Here's the rresult of trying to stop the thing:

[root@raymondjones init.d]# ./auditd stop
Stopping auditd: [FAILED]
Error receiving watch list (Unknown error 4294967274)
[root@raymondjones init.d]#

AND it just runs like the Eveready bunny!

Have you viewed the man pages for auditd?
http://www.scit.wlv.ac.uk/cgi-bin/mansec?1M+auditd
Also what does show?

As shown in my previous post, it reports nothing.
Yup, I did peruse the man page, it's not very helpful in terms of turning the thing on and off.

Sry hlyrad, but I didn't quite understand your post. The man page doesn't give any special instructions for hung processes.

GL1800 - TBH it sounds like the processes has hung, or at least in an errored state. A reboot is the only answer if the process won't respond even to a kill -9. The /etc/init.d/auditd stop command will be issued when the system comes down - might take a few seconds to respond as it will fail (as you proved), but at least you'll get a clean system again.

Sorry there's not a better answer.

Rgds
PapaLaz

Yes, thanks, I kinda figured that. There will be a reboot, one of these days, and it should not restart. Thanks for your help.

Hey GL1800,

Sorry, I didn't further explain thins in my initial response...and thank you PapaLaz for giving your explanations. Everything you said was correct!

I read that your 'service' command didn't work for you...? I didn't fully understand what you meant...

Is the 'service' command in your path?

the path is /sbin/service.

If you wanna add it to your path type in.

export PATH=${PATH}:/sbin/

If you want this to always be in your path... add the previous line to the bottom of your /etc/profile file.

Try: /sbin/service auditd stop

to kill auditd.

If its a hung process...well i'm not sure theres much you can do...

If its a zombie process... just leave it... its not bothering the system and it won't take any memory.

I've got to run real quick. I'll check back on this post in a short while..
Hope I helped a bit...

Zubin Parihar

Yes, thanks, and yes, service is in my path, it's just that it doesn't believe auditd is it's responsibility, it returns "unknown service" when I try to use it. Nevertheless, going to the rc3.d directory does allow control, so we do have it "stopped" although, it is still making notes I don't want. I will reboot someday soon, and we'll see if it tries to restart itself.