Audit messages being disabled

Robert Nichols rnicholsNOSPAM at comcast.net
Thu Apr 22 03:11:12 UTC 2010


Any ideas how I can track down what might be blocking the logging of
audit messages to /var/log/audit/audit.log?  The last entry there
is at 12:56:16 today, which is just as the system was coming up after
a reboot (matches the timestamps for the never-used LOGIN entries in
/var/run/utmp).  I do see these lines in /var/log/messages right
afterward:

  Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0

  Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1

Thereafter, there are "dbus: Can't send to audit system" messages.

The auditd service shows as running.  If I restart auditd, audit.log
shows "auditd normal halt" and "auditd start" messages, and after that
messages do get logged to audit.log.

I have no clue what might be setting audit_enabled=0 in the kernel,
but that "remove rule" message just before makes me suspicious that
it's SELinux related.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
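
Added example, not part of the original post: a Python sketch that scans syslog lines for the kernel type=1305 records quoted above and reports each successful change of audit_enabled to 0, together with the subj context logged for that change. The function names are hypothetical and the embedded sample is the post's two records, unwrapped.

```python
import re
import sys

# Constructed sample: the two kernel records quoted in the post, unwrapped.
SAMPLE = [
    'Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17143): auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 op="remove rule" key=(null) list=4 res=0',
    'Apr 21 12:56:26 omega-3a kernel: type=1305 audit(1271872586.681:17144): audit_enabled=0 old=1 auid=4294967295 ses=4294967295 subj=system_u:system_r:readahead_t:s0 res=1',
]

# type=1305 is AUDIT_CONFIG_CHANGE; the header carries epoch.millis:serial.
HEADER = re.compile(r'type=1305 audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either double-quoted or runs to the next space.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_config_change(line):
    """Return the fields of a type=1305 record as a dict, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(4))}
    fields["epoch"] = int(m.group(1))
    fields["serial"] = int(m.group(3))
    return fields

def find_audit_disables(lines):
    """Return records where audit_enabled was successfully set to 0."""
    hits = []
    for line in lines:
        rec = parse_config_change(line)
        if rec is None or "audit_enabled" not in rec:
            continue
        # res=1 means the change took effect; old is the previous setting.
        if rec["audit_enabled"] == "0" and rec.get("old") != "0" and rec.get("res") == "1":
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/messages) or fall back to the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    for rec in find_audit_disables(lines):
        print("audit disabled: serial=%(serial)d old=%(old)s subj=%(subj)s auid=%(auid)s" % rec)
```

On the sample it reports serial 17144 with subj=system_u:system_r:readahead_t:s0, the context of the process that requested the change.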


