Greetings:
i have an x86_64 Centos5.3 box and i'm trying to run auditd. it fails on startup and this is the O/P at the end:
config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting audit daemon pid (Connection refused)
the only thing i've learned from asking google is that it's a potential problem with the interaction between selinux & auditd, but i haven't found a solution.
two questions:
1. anyone know what the problem is? (that or my next step in diagnosing it)
2. if i can't solve it, is there an alternative method for adding watchpoints to directories such that i can be notified of WRITE events for files in that directory (and preferably for all of it's subdirectories)?
My kernel version is 2.6.18 (full info below). The audit version is audit.x86_64 0:1.7.13-2.el5
thanks --tom
Name : kernel Arch : x86_64 Version : 2.6.18 Release : 164.6.1.el5 Size : 18 M Repo : updates Summary : The Linux kernel (the core of the Linux operating system) URL : http://www.kernel.org/
Tom Laramee wrote:
Greetings:
i have an x86_64 Centos5.3 box and i'm trying to run auditd. it fails on startup and this is the O/P at the end:
config_manager init complete Error setting audit daemon pid (Connection refused) type=DAEMON_ABORT msg=audit(1260554376.697:5674): auditd error halt, auid=4294967295 pid=32702 res=failed Unable to set audit pid, exiting The audit daemon is exiting. Error setting audit daemon pid (Connection refused)
the only thing i've learned from asking google is that it's a potential problem with the interaction between selinux & auditd, but i haven't found a solution.
two questions:
- anyone know what the problem is? (that or my next step in diagnosing it)
Are you running selinux in enforcing or permissive mode? sestatus to check - suggest you post
- if i can't solve it, is there an alternative method for adding watchpoints to directories such that i can be notified of WRITE events for files in that directory (and preferably for all of it's subdirectories)?
Consider running aide and ossec - these can notify you of changes to critical files and folders.
My kernel version is 2.6.18 (full info below). The audit version is audit.x86_64 0:1.7.13-2.el5
thanks --tom
Name : kernel Arch : x86_64 Version : 2.6.18 Release : 164.6.1.el5 Size : 18 M Repo : updates Summary : The Linux kernel (the core of the Linux operating system) URL : http://www.kernel.org/
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos