The server is configured as low latency sensitive server, we would like to enable auditd in order to setup some audit rules, however the service auditd enabled but failed to start.
[2023-05-14 00:44:25 root@stxls15p ~]$ uname -r
3.10.0-1160.15.2.1.el7.SPC.x86_64
[2023-05-13 11:23:58 root@stxls15p ~]$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-1160.15.2.1.el7.SPC.x86_64 root=/dev/mapper/vg_root-root ro crashkernel=auto rd.lvm.lv=vg_root/root rd.lvm.lv=vg_root/swap rhgb quiet rd.shell=0 intel_idle.max_cstate=0 processor.max_cstate=0 elevator=noop idle=poll transparent_hugepage=never pcie_aspm.policy=performance net.ifnames=0 isolcpus=1-11,13-23 nohz_full=1-11,13-23 rcu_nocbs=1-11,13-23 rcu_nocb_poll nosoftlockup noibrs noibpb nopti spectre_v2=off mce=ignore_ce auditd=unset tsc=reliable nowatchdog
[2023-05-13 11:27:02 root@stxls15p ~]$ grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
[2023-05-13 11:23:48 root@stxls15p ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2023-05-13 11:06:08 CEST; 17min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 1255 ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules (code=exited, status=1/FAILURE)
Process: 1250 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)
May 13 11:06:08 stxls15p systemd[1]: Starting Security Auditing Service...
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p auditctl[1255]: Error - audit support not in kernel
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p systemd[1]: Failed to start Security Auditing Service.
May 13 11:06:08 stxls15p systemd[1]: Unit auditd.service entered failed state.
May 13 11:06:08 stxls15p systemd[1]: auditd.service failed.
[2023-05-13 11:24:07 root@stxls15p ~]$ auditctl -t
Error - audit support not in kernel
Cannot open netlink audit socket
Error - audit support not in kernel & Cannot open netlink audit socket
Re: Error - audit support not in kernel & Cannot open netlink audit socket
That's not a CentOS supplied kernel. Boot one from CentOS and try that.
Your running kernel is also ancient - 1160.15.2.1 is from Feb 2021 so is over 2 years out of date. The current CentOS 7 kernel is 3.10.0-1160.90.1.el7.x86_64
Your running kernel is also ancient - 1160.15.2.1 is from Feb 2021 so is over 2 years out of date. The current CentOS 7 kernel is 3.10.0-1160.90.1.el7.x86_64
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke