2020-10-21 auditd: Could not open dir /var/log/audit (Permission denied) error fix

2024-01-25

auditd fails to start with the following errors:

Oct 21 09:36:39 localhost kernel: type=1400 audit(1603244199.591:5): avc: denied { read } for pid=3061 comm="auditd" name="audit" dev="dm-0" ino=100663367 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
Oct 21 09:36:39 localhost auditd: Could not open dir /var/log/audit (Permission denied)
Oct 21 09:36:39 localhost auditd: The audit daemon is exiting.
Oct 21 09:36:39 localhost systemd: auditd.service: control process exited, code=exited status=6
Oct 21 09:36:39 localhost systemd: Failed to start Security Auditing Service.
Oct 21 09:36:39 localhost systemd: Unit auditd.service entered failed state.
Oct 21 09:36:39 localhost systemd: auditd.service failed.

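It reports a permission problem. I found n different methods online and tried creating the directory, changing permissions and a whole series of other operations, and all of them failed. To understand not just the what but also the why: audit is where SELinux records its logs, so presumably this path was not specified in SELinux's configuration files. Use the following commands to fix it: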

[root@localhost audit]# restorecon -r -v /var/log/audit
restorecon reset /var/log/audit context system_u:object_r:dosfs_t:s0->system_u:object_r:auditd_log_t:s0
[root@localhost audit]# service auditd restart
Stopping logging: [FAILED]
Redirecting start to /bin/systemctl start auditd.service

Check the service:

[root@localhost audit]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-10-21 09:57:04 CST; 11s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 3345 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 3340 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 3341 (auditd)
   CGroup: /system.slice/auditd.service
           └─3341 /sbin/auditd

Solved perfectly.
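The AVC record above shows auditd (auditd_t) denied read on a directory labelled dosfs_t, while the restorecon output shows that the policy default for /var/log/audit is auditd_log_t. The script below is an added example, not part of the original post: it extracts those fields from the denial and compares a path's on-disk label with the policy default before anything is relabeled. The helper names are hypothetical, and check_path assumes GNU stat and matchpathcon (libselinux-utils) are installed.

```shell
#!/bin/sh
# Added example: read the labels out of an AVC denial and compare a path's
# on-disk SELinux label with the policy default before relabeling.

# AVC record from the log above (line-wrap whitespace in name= removed).
SAMPLE_AVC='type=1400 audit(1603244199.591:5): avc: denied { read } for pid=3061 comm="auditd" name="audit" dev="dm-0" ino=100663367 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir'

# avc_field RECORD KEY: print the value of KEY=... with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# context_type CONTEXT: print the type, the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_drift ACTUAL EXPECTED: print "ok" or "drift: actual -> expected";
# return 1 when the types differ.
label_drift() {
    drift_a=$(context_type "$1")
    drift_e=$(context_type "$2")
    if [ "$drift_a" = "$drift_e" ]; then
        echo "ok"
        return 0
    fi
    echo "drift: $drift_a -> $drift_e"
    return 1
}

# check_path PATH: for use on an SELinux host. Assumes GNU stat (%C) and
# matchpathcon (libselinux-utils); returns 2 if either is unavailable.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not found"; return 2; }
    path_actual=$(stat -c %C "$1") || return 2
    path_expected=$(matchpathcon -n "$1") || return 2
    label_drift "$path_actual" "$path_expected"
}

# Demo on the sample record. The expected context is the one restorecon
# reported on this page for /var/log/audit.
label_drift "$(avc_field "$SAMPLE_AVC" tcontext)" \
    "system_u:object_r:auditd_log_t:s0" || true
```

On an SELinux host, `check_path /var/log/audit` reports the same drift from the live filesystem, and `restorecon -n -v /var/log/audit` previews the relabel without changing anything.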

 

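The obnoxious thing is that Red Hat has a solution on its official website, but since I am not a paying customer, I am not allowed to view it.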
