Centos 6.5 auditd fails to start with service or /etc/init.d/audit start
Solution 1
On EL (prior to 7) start services on an SELinux-enabled system with run_init to ensure that SELinux contexts and domain transitions are correct.
run_init service auditd start
Or just enable them to start at boot time, which is preferred.
Your log entries indicate that /var/log/audit has the wrong security context. To resolve this:
- Update your system. There are new SELinux policy packages which contain many fixes, as well as other updates you are behind on.
- Run restorecon -r -v /var/log/audit to fix the security contexts, or better, restorecon -r -v / to relabel the entire system (which fixes a lot of other potential issues as well).
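A pre-flight check for the wrong-label cause described in this answer and the read-only audit.log case reported in the comments on this page, as an added example that is not part of the original answers. The function names are made up for this example, and auditd_log_t is assumed to be the expected type for the audit log directory (targeted policy).

```shell
#!/bin/sh
# Added example: checks a directory given as an argument, e.g. /var/log/audit.
# Assumption: auditd_log_t is the expected SELinux type (targeted policy).
EXPECTED_TYPE=auditd_log_t

# 0 if the owner-write mode bit is set, 1 if not, 2 if stat fails.
# Mode bits are used instead of `test -w`, which is always true for root.
owner_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( (0$mode >> 6) & 2 )) -ne 0 ]
}

# Prints the SELinux type of a path, or "unknown" when no label can be read.
selinux_type() {
    ctx=$(stat -c '%C' "$1" 2>/dev/null) || ctx=
    case $ctx in
        *:*:*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
        *)     echo unknown ;;
    esac
}

# Prints one line per finding and returns the number of problems found.
check_audit_log() {
    dir=$1
    log=$1/audit.log
    problems=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    t=$(selinux_type "$dir")
    case $t in
        "$EXPECTED_TYPE") echo "OK label $dir ($t)" ;;
        unknown) echo "SKIP label $dir (no SELinux label available)" ;;
        *) echo "BAD label $dir ($t): run restorecon -r -v $dir"
           problems=$((problems + 1)) ;;
    esac
    if [ -e "$log" ] && ! owner_writable "$log"; then
        echo "BAD mode $log: not writable by owner"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Runs only when a directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_audit_log "$1"
fi
```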
Solution 2
- invalid options in /etc/init.d/auditd.conf will cause it to fail - type ausearch -m DEAMON_END to get which line is in error
Author by
l0s7r
Updated on September 18, 2022
Comments
-
l0s7r almost 2 years
I use a Gorm raw SQL query, but the web dev passes multiple parameters on to me. If the parameter is empty, the query will not be performed. At present, I use a map to splice the where statement, but it does not seem to work in raw mode.
where := make(map[string]interface{})
if info.UserKey != "" {
    where["pay_merchant_order.merchant_fk"] = info.UserKey
}
if info.NickName != "" {
    where["sys_users.nick_name"] = info.NickName
}
if info.Type != 0 {
    where["pay_rate.id"] = info.Type
}
if info.IsSign != -1 && info.IsSign != 0 {
    where["pay_order.pay_status"] = info.IsSign
}
if info.PayOfficialOrder != "" {
    where["pay_order.pay_official_order"] = info.PayOfficialOrder
}
if info.Amount != 0 {
    where["pay_order.pay_amount"] = info.Amount
}
if info.MOrder != "" {
    where["pay_merchant_order.order"] = info.MOrder
}
if info.SOrder != "" {
    where["pay_merchant_order.sys_order_fk"] = info.SOrder
}
if info.Phone != "" {
    where["pay_channel_order.phone"] = info.Phone
}
if info.Rate != 0 {
    where["pay_order.pay_rate"] = info.Rate
}
db := global.GVA_DB.Debug()
sql := "select pay_merchant_order.id,pay_merchant_order.order,pay_merchant_order.call_status,sys_users.username,pay_order.url,pay_merchant_order.merchant_fk,pay_order.token,pay_merchant_order.call_back,sys_users.nick_name,pay_order.pay_rate as rate,pay_order.pay_amount,pay_actualamount,pay_order.real_pay_amount,pay_order.pay_official_order,pay_order.pay_sys_order,pay_type.mode,pay_rate.name,pay_merchant_order.is_sign,pay_order.created_at,pay_order.pay_time,pay_order.overdue_time,pay_channel_order.phone from pay_merchant_order LEFT JOIN pay_order ON pay_order.pay_sys_order = pay_merchant_order.sys_order_fk LEFT JOIN sys_users ON sys_users.unique = pay_order.pay_merchant LEFT JOIN pay_channel ON pay_channel.id = pay_order.pay_channel_fk LEFT JOIN pay_rate ON pay_rate.id = pay_channel.rate_fk LEFT JOIN pay_payment_type ON pay_payment_type.id = pay_channel.channel_type_fk LEFT JOIN pay_type ON pay_type.id = pay_order.pay_type left join pay_channel_order on pay_channel_order.order_fk = pay_merchant_order.sys_order_fk"
db.Raw(sql).Where(where).Group("pay_merchant_order.id").Order("pay_merchant_order.created_at desc").Scan(&payMerchantOrders)
err = db.Count(&total).Error
err = db.Limit(limit).Offset(offset).Error
Please tell me how to splice the query conditions.
-
Michael Hampton over 9 years
@Jepper You've probably messed up some security contexts, as I mentioned before. First, update your system. Then fix the labels for everything:
restorecon -r -v /
Then reboot.
-
Jepper over 9 years
Ok done that. It gets weirder. I've sudo -i then, -
[root@system01 ~]# run_init service auditd start \n Authenticating myuser. \n Password:
-
Michael Hampton over 9 years
Well, you could always just authenticate.
-
Jepper over 9 years
I'm root when I run run_init. Regardless, if I tap in my password for myuser,
Starting auditd: [FAILED]
-
Urhixidur over 6 years
That should be DAEMON_END, probably. Regardless, running /sbin/ausearch ... solved my problem without finding any auditd.conf issues: it reported right away that "audit.log is not writable by owner". Sure enough, auditd was refusing to start because /var/log/audit/audit.log was read-only.
-
l0s7r over 3 years
but, my paging total is invalid