LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-15-2011, 08:42 PM   #1
jc56dc57
LQ Newbie
 
Registered: Apr 2011
Posts: 4

Rep: Reputation: 0
Can't Boot Pass "Starting Auditd:"


I'm using RHEL 4.6. auditd was set on for run levels 1-5. I changed something (?), now my system won't boot. It hangs on "Starting auditd:". I tried adding "enforcing=0" to GRUB. I tried adding "selinux=0" to GRUB. I tried adding "auditd=0" to GRUB. I've tried them separatly, as well as, in various combinations. I've tried entering "I" to go into interactive mode but, I'm not fast enough to hit that millisecond window.

How can I skip/get pass the "Starting auditd:"?
 
Old 04-15-2011, 09:38 PM   #2
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Boot into single user mode and disable the startup script. After the system boots, rerun the startup script and see where it hangs.
 
Old 04-18-2011, 12:13 PM   #3
jc56dc57
LQ Newbie
 
Registered: Apr 2011
Posts: 4

Original Poster
Rep: Reputation: 0
Can't Boot Pass "Starting Auditd:"

stickman,

Exactly, how do I disable the startup script from single user mode?

Once, I disable the startup script, I reboot the machine, correct?
After, it has rebooted, then I manually run the startup script, correct? (how?)
Am I running the startup script completely? Or am I modifying the startup script first?

I appreciate your help,

Thanks

Last edited by jc56dc57; 04-18-2011 at 12:42 PM. Reason: Forgot some important questions.
 
Old 04-20-2011, 05:06 PM   #4
jc56dc57
LQ Newbie
 
Registered: Apr 2011
Posts: 4

Original Poster
Rep: Reputation: 0
Ok, with the help from another forum, I was successful in narrowing down the location of the problem. It appears to be an initlog statement. Here is a copy of the trace. Any further insite is greatly appreciated.

[root@localhost init.d]# bash -x ./auditd start
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ . /etc/init.d/functions
++ TEXTDOMAIN=initscripts
++ umask 022
++ PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
++ export PATH
++ '[' –z '' ']'
++ COLUMNS=80
++ '[' –z '' ']'
+++ /sbin/consoletype
++ CONSOLETYPE=pty
++ '[' -f /etc/sysconfig/i18n -a -z '' ']'
++ . /etc/sysconfig/i18n
+++ LANG=en_US.UTF-8
+++ SUPPORTED=en_US.UTF-8:en_US:en
+++ SYSFONT=latarcyrheb-sun16
++ '[' pty '!=' pty ']'
++ '[' –n '' ']'
++ export LANG
++ '[' –z '' ']'
++ '[' -f /etc/sysconfig/init ']'
++ . /etc/sysconfig/init
+++ BOOTUP=color
+++ GRAPHICAL=yes
+++ RES_COL=60
+++ MOVE_TO_COL='echo -en \033[60G'
+++ SETCOLOR_SUCCESS='echo -en \033[0;32m'
+++ SETCOLOR_FAILURE='echo -en \033[O;31m'
+++ SETCOLOR_WARNING='echo -en \033[0;33m'
+++ SETCOLOR_NORMAL='echo -en \033[0;39m'
+++ LOGLEVEL=3
+++ PROMPT=yes
++ '[' pty = serial ']'
++ '[' color '!=' verbose ']'
++ INITLOG_ARGS=-q
++ id -u
+ test 0 = 0
+ test -f /etc/sysconfig/auditd
+ . /etc/sysconfig/auditd
++ EXTRAOPTIONS=-f
++ AUDITD_LANG=en_US
++ AUDITD_CLEAN_STOP=yes
++ AUDITD_DISABLE_CONTEXT=no
+ test -x /sbin/auditd
+ test -f /etc/auditd.conf
+ RETVAL=O
+ prog=auditd
+ case "$1" in
+ start
+ echo -n 'Starting auditd: '
Starting auditd: + '[' -z en_US -o en_US none -o en_US NONE ']'
+ LANG=en_US
+ LC_TIME=en_US
+ LC_ALL=en_US
+ LC_MESSAGES=en_US
+ LC_NUMERIC=en_US
+ LC_MONETARY=en_US
+ LC_COLLATE=en_US
+ export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+ unset HOME MAIL USER USERNAME
+ daemon auditd -f
+ local gotbase= force=
+ local base= user= nice= bg= pid=
+ nicelevel=O
+ '[' auditd '!=' auditd ']'
+ '[' –z '' ']'
+ base=auditd
+ '[' -f /var/run/auditd.pid ']'
+ '[' –n '' –a –z '' ']'
+ ulimit -S -c 0
+ '[' –n '' ']'
+ '[' color = verbose -a -z '' ']'
+ '[' –z '' ']'
+ initlog -q -c 'auditd -f'

The above line is where it hangs.

Thanks again

Last edited by jc56dc57; 04-20-2011 at 05:24 PM. Reason: extraneous characters inserted during cut and paste of the trace
 
Old 04-20-2011, 06:24 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,361
Blog Entries: 55

Rep: Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547Reputation: 3547
Quote:
Originally Posted by jc56dc57 View Post
+ initlog -q -c 'auditd -f'
The problem here with 'initlog' is that how it is used in the function "daemon" inside sourced /etc/rc.d/init.d/functions is that with "-q" it will not make regular 'auditd' output show up in syslog, thus making you lose possible clues...


Quote:
Originally Posted by jc56dc57 View Post
Exactly, how do I disable the startup script from single user mode?
As root issue '/sbin/chkconfig --level 12345 auditd off' to keep it from starting up on boot.


Quote:
Originally Posted by jc56dc57 View Post
Once, I disable the startup script, I reboot the machine, correct?
Yes or run 'telinit 3' if you want to move to multi-user networked mode.


Quote:
Originally Posted by jc56dc57 View Post
After, it has rebooted, then I manually run the startup script, correct? (how?)
I suggest you first run it as '/sbin/auditd -f' as this would show errors in the console and keeps the process in the foreground making it easier to CTRL+C when you hit an error. Another way could be to backup your current audit.rules and start with a clean slate, review all rules, add them one by one (also see 'man auditctl') and test. The most efficient way IMHO however would be to revisit changes you made as that's what caused all the trouble in the first place. If you have no recollection or evidence of changes (user shell history, syslog, admin log, backups) then by now you know why making backups comes in handy, why some people prefer to track configuration changes using any revision control system and why some keep admin change logs...
 
Old 04-27-2011, 06:27 PM   #6
jc56dc57
LQ Newbie
 
Registered: Apr 2011
Posts: 4

Original Poster
Rep: Reputation: 0
Okay, I removed "-q" and isolated the problem but, still no solution. I changed the .conf and rules files back to their defaults. When I run "initlog -c 'auditd -f'" (without the double quotes), I get the following:

[root@localhost ~]# initlog -c 'auditd -f'
Config file /etc/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit/audit.log
log_format_parser called with: RAW
priority_boost_parser called with: 3
type=DAEMON_START msg=audit(1303942778.014:4537) auditd start, ver=1.0.15, format=raw, auid=4294967295 res=sucess, auditd pid=14874
type=CONFIG_CHANGE msg=audit(1303942778.013:3): audit_enabled=1 old=0 by auid=4294967295
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 4
max_log_size_parser called with: 5
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
config_manager init complete
Init complete, auditd 1.0.15 listening for events


The cursor just blinks here, it never returns to the command prompt. I’m assuming this is where it is hanging in the startup script. How do I force it to exit and/or release back to the system so thing can continue in the startup script?

Last edited by jc56dc57; 04-27-2011 at 06:45 PM. Reason: Accidently hit the enter key before I finished the post.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how can I "cat" or "grep" a file to ignore lines starting with "#" ??? callagga Linux - Newbie 7 08-16-2013 07:58 AM
system(ubuntu) waits too long at "starting cupsd" during boot grindelwald Linux - Software 1 07-19-2008 06:26 AM
Newbie install: Why does computer hang on "starting pcmcia" on boot? JayBlade Red Hat 3 06-02-2007 11:55 AM
Boot freezes at "Starting HAL daemon" after Kernel recompile DiBosco Linux - Software 2 04-14-2007 06:53 AM
"Starting System Logger" during boot time, stopping boot process. quickNitin Linux - Newbie 1 06-08-2006 02:31 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:18 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration