[CentOS] Auditd fails to start : Connection refused

Fri Dec 11 18:27:28 UTC 2009
Rob Kampen <rkampen at kampensonline.com>

Tom Laramee wrote:
> Greetings:
>
> i have an x86_64 Centos5.3 box and i'm trying to run auditd. it fails on startup and this is the O/P at the end:
>
> 	config_manager init complete
> 	Error setting audit daemon pid (Connection refused)
> 	type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed
> 	Unable to set audit pid, exiting
> 	The audit daemon is exiting.
> 	Error setting audit daemon pid (Connection refused)
>
> the only thing i've learned from asking google is that it's a potential problem with the interaction between selinux & auditd, but i haven't found a solution.
>
> two questions:
>
> 1. anyone know what the problem is?  (that or my next step in diagnosing it)
>   
Are you running selinux in enforcing or permissive mode? sestatus to 
check - suggest you post
> 2. if i can't solve it, is there an alternative method for adding watchpoints to 
> 	directories such that i can be notified of WRITE events for files in that 
> 	directory (and preferably for all of it's subdirectories)?  
>   
Consider running aide and ossec - these can notify you of changes to 
critical files and folders.
> My kernel version is 2.6.18 (full info below).  
> The audit version is audit.x86_64 0:1.7.13-2.el5   
>
> thanks
> --tom
>
>
> Name       : kernel
> Arch       : x86_64
> Version    : 2.6.18
> Release    : 164.6.1.el5
> Size       : 18 M
> Repo       : updates
> Summary    : The Linux kernel (the core of the Linux operating system)
> URL        : http://www.kernel.org/
>
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rkampen.vcf
Type: text/x-vcard
Size: 121 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20091211/e01da3a4/attachment-0005.vcf>