
Thread: boot message "failed to start security services" (auditd) - OK to enable?

  1. #1
    Join Date
    Aug 2008
    Location
    Brazil
    Posts
    3,240

    boot message "failed to start security services" (auditd) - OK to enable?

    The boot console lists this error: "failed to start security services"

    According to https://lists.opensuse.org/opensuse-.../msg02279.html, this was due to a missing /var/log/audit folder, which gives an error when running:
    Code:
    # auditd -f
    Config file /etc/audit/auditd.conf opened for parsing
    log_file_parser called with: /var/log/audit/audit.log
    Could not open dir /var/log/audit (No such file or directory)
    The audit daemon is exiting.
    After creating the folder with 640 permissions it works:
    Code:
    # auditd -f
    Config file /etc/audit/auditd.conf opened for parsing
    log_file_parser called with: /var/log/audit/audit.log
    log_format_parser called with: RAW
    log_group_parser called with: root
    priority_boost_parser called with: 4
    flush_parser called with: INCREMENTAL
    freq_parser called with: 20
    num_logs_parser called with: 5
    qos_parser called with: lossy
    dispatch_parser called with: /sbin/audispd
    name_format_parser called with: NONE
    max_log_size_parser called with: 6
    max_log_size_action_parser called with: ROTATE
    space_left_parser called with: 75
    space_action_parser called with: SYSLOG
    action_mail_acct_parser called with: root
    admin_space_left_parser called with: 50
    admin_space_left_action_parser called with: SUSPEND
    disk_full_action_parser called with: SUSPEND
    disk_error_action_parser called with: SUSPEND
    tcp_listen_queue_parser called with: 5
    tcp_max_per_addr_parser called with: 1
    tcp_client_max_idle_parser called with: 0
    Started dispatcher: /sbin/audispd pid: 5604
    type=DAEMON_START msg=audit(1519173689.827:4634): auditd start, ver=2.3.6 format=raw kernel=4.4.114-42-default auid=1000 pid=5602 subj=unconfined  res=success
    config_manager init complete
    Init complete, auditd 2.3.6 listening for events (startup state enable)
    type=USER_ACCT msg=audit(1519173901.967:50): pid=6218 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_listfile acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=CRED_ACQ msg=audit(1519173901.967:51): pid=6218 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=LOGIN msg=audit(1519173901.967:52): pid=6218 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=2 res=1
    type=USER_ACCT msg=audit(1519173902.003:53): pid=6219 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    type=USER_START msg=audit(1519173902.003:54): pid=6219 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_limits,pam_unix,pam_umask,pam_systemd,pam_gnome_keyring,pam_env acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    type=USER_START msg=audit(1519173902.031:55): pid=6218 uid=0 auid=0 ses=2 msg='op=PAM:session_open grantors=pam_loginuid,pam_limits,pam_unix,pam_umask,pam_systemd,pam_gnome_keyring,pam_env acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=CRED_REFR msg=audit(1519173902.031:56): pid=6218 uid=0 auid=0 ses=2 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=CRED_DISP msg=audit(1519173902.063:57): pid=6218 uid=0 auid=0 ses=2 msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=USER_END msg=audit(1519173902.063:58): pid=6218 uid=0 auid=0 ses=2 msg='op=PAM:session_close grantors=pam_loginuid,pam_limits,pam_unix,pam_umask,pam_systemd,pam_gnome_keyring,pam_env acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    type=USER_END msg=audit(1519173902.083:59): pid=6224 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_selinux,pam_selinux,pam_limits,pam_unix,pam_umask,pam_systemd,pam_gnome_keyring,pam_env acct="root" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    And a 0-byte /var/log/audit/audit.log file is created.

    My question is whether there is any adverse consequence in enabling it, whether it is unnecessary (perhaps redundant with SELinux), or whether the missing folder is just an installation glitch.

    TIA
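
A pre-flight check for the failure described in post #1, as an added example that is not part of the original thread: it reads log_file from an auditd.conf-style file and verifies that the parent directory exists and grants nothing to other users. The function names audit_log_path and check_audit_log_dir are hypothetical, and `stat -c` assumes Linux with GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes Linux with GNU coreutils (stat -c).

# Print the log_file value from an auditd.conf-style file.
audit_log_path() {
    sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Exit status: 0 ok, 1 config problem, 2 log directory missing,
# 3 log directory accessible to "other" users.
check_audit_log_dir() {
    conf=${1:-/etc/audit/auditd.conf}
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi
    log_file=$(audit_log_path "$conf")
    if [ -z "$log_file" ]; then
        echo "no log_file setting in $conf" >&2
        return 1
    fi
    dir=$(dirname "$log_file")
    if [ ! -d "$dir" ]; then
        # The condition behind "Could not open dir ... The audit daemon is exiting."
        echo "missing log directory: $dir" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *0) ;;  # last octal digit 0: no access for "other"
        *)  echo "$dir has mode $mode: audit logs exposed to other users" >&2
            return 3 ;;
    esac
    echo "ok: $dir (mode $mode)"
}
```

Call `check_audit_log_dir` as root before enabling the auditd service; with no argument it reads /etc/audit/auditd.conf.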

  2. #2

    Re: boot message "failed to start security services" (auditd) - OK to enable?

    Originally posted by brunomcl:
        (perhaps redundant with SELinux)

    I mean AppArmor, sorry.
