auditd fails to start with the following errors:
Oct 21 09:36:39 localhost kernel: type=1400 audit(1603244199.591:5): avc: denied { read } for pid=3061 comm="auditd" name="audit" dev="dm-0" ino=100663367 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir
Oct 21 09:36:39 localhost auditd: Could not open dir /var/log/audit (Permission denied)
Oct 21 09:36:39 localhost auditd: The audit daemon is exiting.
Oct 21 09:36:39 localhost systemd: auditd.service: control process exited, code=exited status=6
Oct 21 09:36:39 localhost systemd: Failed to start Security Auditing Service.
Oct 21 09:36:39 localhost systemd: Unit auditd.service entered failed state.
Oct 21 09:36:39 localhost systemd: auditd.service failed.
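The log points to a permissions problem. I found n different methods online and tried a series of operations such as creating the directory and changing its permissions, and all of them failed. It is better to understand the why as well as the what: audit is where SELinux records its logs, so the likely cause is that this path is not specified in the SELinux configuration. The following command fixes it: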
[root@localhost audit]# restorecon -r -v /var/log/audit
restorecon reset /var/log/audit context system_u:object_r:dosfs_t:s0->system_u:object_r:auditd_log_t:s0
[root@localhost audit]# service auditd restart
Stopping logging: [FAILED]
Redirecting start to /bin/systemctl start auditd.service
Check the service status:
[root@localhost audit]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-10-21 09:57:04 CST; 11s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 3345 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 3340 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 3341 (auditd)
CGroup: /system.slice/auditd.service
└─3341 /sbin/auditd
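Solved perfectly.
Annoyingly, Red Hat has a solution for this on its official site, but since I am not a paying user I have no access to view it.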
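As an added example (not part of the original post), this shell script pulls the source and target contexts out of the AVC line in the log above and flags a target whose SELinux type differs from the expected one, which is the condition that `restorecon` repaired and that changing ordinary file permissions cannot. The function names and the `live_check` helper are assumptions of this example; the sample line is the page's kernel message with the stray space in `name=` removed.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial before touching file permissions.
# SAMPLE_AVC is the kernel line from the log above (stray space in name= removed).
SAMPLE_AVC='type=1400 audit(1603244199.591:5): avc: denied { read } for pid=3061 comm="auditd" name="audit" dev="dm-0" ino=100663367 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type is the third field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# diagnose_avc LINE EXPECTED_TYPE: returns 1 when the target carries another type.
diagnose_avc() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    name=$(avc_field "$1" name)
    if [ "$ttype" = "$2" ]; then
        echo "label ok: $name is already $ttype"
        return 0
    fi
    echo "mislabel: $name is $ttype, expected $2 (denied for $stype); fix with restorecon"
    return 1
}

# live_check PATH: on an SELinux host, compare the on-disk label with the policy
# default and list what restorecon would change, without changing anything (-n).
live_check() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "SELinux tools not found"; return 2; }
    matchpathcon -V "$1"
    restorecon -n -r -v "$1"
}

# auditd_log_t is the type restorecon restored in the output above.
diagnose_avc "$SAMPLE_AVC" auditd_log_t || true
```

On an SELinux host, `live_check /var/log/audit` performs the same comparison against the loaded policy as a dry run before any relabel.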