Hello,

On Thursday, May 26, 2016 03:03:11 PM Christian Boltz wrote:
> I'd like to ask for a more useful error message in auditd ;-)
>
> If audit.log is world-readable (chmod 644 [1]), auditd refuses to start.
>
> The problem is that it gives a completely useless error message when
> doing that:
>
> # systemctl status auditd.service
> ● auditd.service - Security Auditing Service
>    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
>    Active: failed (Result: exit-code) since Sa 2016-05-21 12:43:55 CEST; 4min 14s ago
>   Process: 8656 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
>   Process: 8654 ExecStart=/sbin/auditd -n (code=exited, status=6)
>  Main PID: 8654 (code=exited, status=6)
>
> Mai 21 12:43:55 tux systemd[1]: Starting Security Auditing Service...
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
> Mai 21 12:43:55 tux augenrules[8656]: /sbin/augenrules: No change
> Mai 21 12:43:55 tux augenrules[8656]: No rules
> Mai 21 12:43:55 tux systemd[1]: Failed to start Security Auditing Service.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Unit entered failed state.
> Mai 21 12:43:55 tux systemd[1]: auditd.service: Failed with result 'exit-code'.
>
>
> Exit status 6/NOTCONFIGURED is not really helpful and not even a
> correct) information :-(
>
> After searching around, reading the manpage etc. I tried to start auditd
> manually in debug mode:
>
>
> # auditd -f
> Config file /etc/audit/auditd.conf opened for parsing
> log_file_parser called with: /var/log/audit/audit.log
> /var/log/audit/audit.log permissions should be 0600 or 0640
> The audit daemon is exiting.
>
>
> Now _that_ is a useful message and clearly states what the problem is.
>
> Can you please change auditd so that it prints or logs this useful
> message independent of the given parameters?

This is the code you are talking about:

https://fedorahosted.org/audit/browser/trunk/src/auditd-config.c#L618

It is LOG_ERR, so it should be captured by syslog. Not sure what else can be
done.

-Steve

> In case it matters: I'm using openSUSE Tumbleweed with audit 2.5.
>
>
> Regards,
>
> Christian Boltz
>
> [1] I did that chmod to make testing of aa-logprof (part of the AppArmor
> userspace tools) easier.
>
> > I see no "do" in your script, so this will give you a "syntax error
> > near unexpected token `done'" after shutdown ;-))
>
> I've been hearing funny noises after shutdown, that must be it :-)
> [> Christian Boltz and Chris Maaskant in opensuse]
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
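
The permission condition discussed in this thread can be checked before the daemon is started, so the cause is visible even when the service only reports status 6. The script below is an added example, not part of the original messages and not code from the audit project; the function names are hypothetical, it assumes GNU `stat`, and it takes the accepted modes (0600 or 0640) from the debug message quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check for the audit log file mode.
# Function names are hypothetical; accepted modes come from the
# "permissions should be 0600 or 0640" message quoted in the thread.

# Print the log_file value from an auditd.conf-style file
# ("name = value" lines; comment lines do not match).
audit_log_path() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$1" 2>/dev/null | tail -n 1
}

# Return 0 if the file mode is 0600 or 0640, 1 for any other mode,
# 2 if the file cannot be examined.
check_audit_log_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        600|640) return 0 ;;
        *)  echo "$1: mode 0$mode, auditd expects 0600 or 0640" >&2
            return 1 ;;
    esac
}

# Check the log file named in a config file. The default path is the
# one shown in the thread's "auditd -f" output.
preflight() {
    conf=${1:-/etc/audit/auditd.conf}
    log=$(audit_log_path "$conf")
    [ -n "$log" ] || { echo "$conf: no log_file entry found" >&2; return 2; }
    check_audit_log_mode "$log"
}
```

Calling `preflight` with no argument checks the log named in /etc/audit/auditd.conf; a return value of 1 corresponds to the chmod 644 situation reported above.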