audit startup issue RHEL 5.3
Hi - I have an error on audit startup:
system# service auditd start
starting auditd: [FAILED]
Error deleting rule (Operation not permitted)
There was an error in line 2 of /etc/audit/audit.rules

system# head -2 /etc/audit/audit.rules
##
-D
Does 'grep -v ^# /etc/audit/audit.rules|grep .|wc -l' nearly equal 'auditctl -l|wc -l'?
Does 'grep -- ^-e /etc/audit/audit.rules' show rule editing is deactivated?
Does 'auditctl -i -R /etc/audit/audit.rules' show rule loading works OK for the rest of the rule set?
And please post 'grep -v ^# /etc/audit/audit.rules|grep .;', preferably in BB code, instead.
audit startup problems
Hi unSpawn, thanks for responding -
Here you go:

Does 'grep -v ^# /etc/audit/audit.rules|grep .|wc -l' nearly equal 'auditctl -l|wc -l'?
64 vs 32

Does 'grep -- ^-e /etc/audit/audit.rules' show rule editing is deactivated?
-e 2

Does 'auditctl -i -R /etc/audit/audit.rules' show rule loading works OK for the rest of the rule set?
Error: nested rule files not supported

And please post 'grep -v ^# /etc/audit/audit.rules|grep .;', preferably in BB code, instead.

-D
-b 8192
-f 1
-f 2
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/selinux/ -p wa -k MAC-policy
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export)
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /etc/sudoers -p wa -k actions
-e 2

pyroman59
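An added example, written for this page and not posted by either participant: a small POSIX shell checker that does the static part of unSpawn's checklist offline against a copy of audit.rules, so it can be run without auditctl and before touching the live daemon. It assumes the behaviour visible in the first post (the RHEL 5 init script replays the whole file on `service auditd start`, so the leading -D is executed against the live rule set) and the documented meaning of `-e 2` (the loaded rule set becomes immutable until reboot, after which any rule change, -D included, is refused with "Operation not permitted"). The sample rules file it builds is constructed to mirror the shape of the poster's file and is not the poster's actual rule set; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks on an audit.rules
# file before restarting auditd. Function names and the sample file are mine.
set -e

# Constructed sample that mirrors the shape of the poster's file; it is NOT the
# poster's actual rule set.
make_sample_rules() {
    cat > "$1" <<'EOF'
## constructed sample audit.rules
-D
-b 8192
-f 1
-f 2
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export)
-e 2
EOF
}

# Effective rule lines, counted the same way as the grep pipeline in the thread
# (the number to compare against 'auditctl -l | wc -l' on the live system).
count_rules() {
    grep -v '^#' "$1" | grep . | wc -l | tr -d ' '
}

# True when the file ends by locking the configuration (-e 2). Once that line
# has been loaded, the kernel refuses every further rule change until reboot.
is_locked() {
    grep -q -- '^-e[[:space:]]*2' "$1"
}

# Print one finding per line. Exit status is always 0; use finding_count to test.
check_rules() {
    f=$1
    if is_locked "$f" && grep -q -- '^-D' "$f"; then
        echo "WARN: -e 2 together with a leading -D: after the first load, a service restart replays -D against the immutable rule set and fails with 'Operation not permitted' on the -D line; the lock only clears on reboot, so keep -e 2 out of the file while rules are still being edited"
    fi
    if [ "$(grep -c -- '^-f[[:space:]]' "$f")" -gt 1 ]; then
        echo "WARN: -f (failure mode) set more than once; only the last value takes effect"
    fi
    if grep -q -- '-k [A-Za-z0-9_-]*[^A-Za-z0-9_[:space:]-]' "$f"; then
        echo "WARN: a -k key contains a character outside [A-Za-z0-9_-]; probable paste damage (e.g. a stray parenthesis)"
    fi
    return 0
}

# Number of findings, as a plain integer.
finding_count() {
    check_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_rules_check.sh /etc/audit/audit.rules
if [ $# -gt 0 ]; then
    echo "rules: $(count_rules "$1")  locked: $(is_locked "$1" && echo yes || echo no)"
    check_rules "$1"
fi
```

Run against the constructed sample, it reports three findings: the -D/-e 2 combination that reproduces the poster's startup error, the duplicated -f, and the damaged key. On a real host the rule count it prints is the file-side half of unSpawn's first comparison; the live half still has to come from `auditctl -l`.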