Auditd.service failed to start: Start request repeated too quickly

I needed auditd for some AppArmor stuff:
https://wiki.archlinux.org/title/AppArmor#Auditing_and_generating_profiles

But it is failing to start.


sudo systemctl status auditd.service      
× auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Thu 2022-11-10 19:37:08 IST; 6s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 28420 ExecStart=/sbin/auditd (code=exited, status=6)
        CPU: 8ms

Nov 10 19:37:08 austin-swiftsf31443 systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
Nov 10 19:37:08 austin-swiftsf31443 systemd[1]: Stopped Security Auditing Service.
Nov 10 19:37:08 austin-swiftsf31443 systemd[1]: auditd.service: Start request repeated too quickly.
Nov 10 19:37:08 austin-swiftsf31443 systemd[1]: auditd.service: Failed with result 'exit-code'.
Nov 10 19:37:08 austin-swiftsf31443 systemd[1]: Failed to start Security Auditing Service.

https://wiki.archlinux.org/title/Audit_framework

In-kernel audit support is available in linux (since 4.18), linux-lts (since 4.19), linux-zen (since 4.18) and linux-hardened. For custom kernels CONFIG_AUDIT should be enabled.

Audit can be enabled at boot-time by setting audit=1 as kernel parameter. This will ensure that all processes that run before the audit daemon starts are marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit. See auditd(8).

For userspace support install audit and start/enable auditd.service.

Could this be the problem?
We don’t have your garuda-inxi :wink: but in the profile I see
Kernel: linux-cachyos

austin ~ 20:26 garuda-inxi
System:
  Kernel: 6.0.7-2-cachyos arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-cachyos
    root=UUID=974f3ce6-ba35-41c5-a737-23cb1e2b873f rw rootflags=subvol=@
    lsm=landlock,lockdown,yama,integrity,apparmor,bpf quiet splash
    mitigations=off rd.udev.log_priority=3 vt.global_cursor_default=0
    loglevel=3 amd_pstate.epp=1 audit=1
  Desktop: GNOME v: 43.1 tk: GTK v: 3.24.34 wm: gnome-shell dm: GDM v: 43.0
    Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Laptop System: Acer product: Swift SF314-43 v: V1.04
    serial: <superuser required>
  Mobo: LN model: Sake_CA v: V1.04 serial: <superuser required> UEFI: Insyde
    v: 1.04 date: 07/28/2021
Battery:
  ID-1: BAT1 charge: 44.9 Wh (94.1%) condition: 47.7/53.2 Wh (89.5%)
    volts: 12.5 min: 11.6 model: COSMX AP20CBL type: Li-ion serial: <filter>
    status: discharging
CPU:
  Info: model: AMD Ryzen 5 5500U with Radeon Graphics bits: 64 type: MT MCP
    arch: Zen 2 gen: 3 level: v3 note: check built: 2020-22
    process: TSMC n7 (7nm) family: 0x17 (23) model-id: 0x68 (104) stepping: 1
    microcode: 0x8608102
  Topology: cpus: 1x cores: 6 tpc: 2 threads: 12 smt: enabled cache:
    L1: 384 KiB desc: d-6x32 KiB; i-6x32 KiB L2: 3 MiB desc: 6x512 KiB L3: 8 MiB
    desc: 2x4 MiB
  Speed (MHz): avg: 817 high: 2071 min/max: 400/4056 scaling:
    driver: amd_pstate_epp governor: performance cores: 1: 2071 2: 2071 3: 400
    4: 400 5: 400 6: 400 7: 400 8: 400 9: 400 10: 400 11: 400 12: 2071
    bogomips: 50353
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
  Vulnerabilities:
  Type: itlb_multihit status: Not affected
  Type: l1tf status: Not affected
  Type: mds status: Not affected
  Type: meltdown status: Not affected
  Type: mmio_stale_data status: Not affected
  Type: retbleed status: Vulnerable
  Type: spec_store_bypass status: Vulnerable
  Type: spectre_v1 status: Vulnerable: __user pointer sanitization and
    usercopy barriers only; no swapgs barriers
  Type: spectre_v2 status: Vulnerable, IBPB: disabled, STIBP: disabled,
    PBRSB-eIBRS: Not affected
  Type: srbds status: Not affected
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: AMD Lucienne vendor: Acer Incorporated ALI driver: amdgpu
    v: kernel arch: GCN-5.1 code: Vega-2 process: TSMC n7 (7nm) built: 2018-21
    pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s
    ports: active: eDP-1 empty: DP-1,HDMI-A-1 bus-ID: 03:00.0
    chip-ID: 1002:164c class-ID: 0300 temp: 41.0 C
  Device-2: Quanta HD User Facing type: USB driver: uvcvideo bus-ID: 1-3:2
    chip-ID: 0408:a094 class-ID: 0e02
  Display: wayland server: X.org v: 1.21.1.4 with: Xwayland v: 22.1.5
    compositor: gnome-shell driver: X: loaded: modesetting alternate: fbdev,vesa
    dri: radeonsi gpu: amdgpu display-ID: 0
  Monitor-1: eDP-1 model: AU Optronics 0x683d built: 2019 res: 1920x1080
    dpi: 158 gamma: 1.2 size: 309x174mm (12.17x6.85") diag: 355mm (14")
    ratio: 16:9 modes: max: 1920x1080 min: 640x480
  API: OpenGL v: 4.6 Mesa 22.2.3 renderer: AMD Radeon Graphics (renoir LLVM
    14.0.6 DRM 3.48 6.0.7-2-cachyos) direct render: Yes
Audio:
  Device-1: AMD Renoir Radeon High Definition Audio
    vendor: Acer Incorporated ALI driver: snd_hda_intel v: kernel pcie: gen: 3
    speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s bus-ID: 03:00.1
    chip-ID: 1002:1637 class-ID: 0403
  Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor
    vendor: Acer Incorporated ALI driver: snd_rn_pci_acp3x v: kernel
    alternate: snd_pci_acp3x,snd_pci_acp5x,snd_pci_acp6x,snd_acp_pci,snd_rpl_pci_acp6x,snd_sof_amd_renoir
    pcie: gen: 3 speed: 8 GT/s lanes: 16 link-max: gen: 4 speed: 16 GT/s
    bus-ID: 03:00.5 chip-ID: 1022:15e2 class-ID: 0480
  Device-3: AMD Family 17h/19h HD Audio vendor: Acer Incorporated ALI
    driver: snd_hda_intel v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 16
    link-max: gen: 4 speed: 16 GT/s bus-ID: 03:00.6 chip-ID: 1022:15e3
    class-ID: 0403
  Sound API: ALSA v: k6.0.7-2-cachyos running: yes
  Sound Server-1: PulseAudio v: 16.1 running: no
  Sound Server-2: PipeWire v: 0.3.59 running: yes
Network:
  Device-1: MEDIATEK MT7921 802.11ax PCI Express Wireless Network Adapter
    vendor: Lite-On driver: mt7921e v: kernel pcie: gen: 2 speed: 5 GT/s
    lanes: 1 bus-ID: 01:00.0 chip-ID: 14c3:7961 class-ID: 0280
  IF: wlp1s0 state: up mac: <filter>
Bluetooth:
  Device-1: Lite-On Wireless_Device type: USB driver: btusb v: 0.8
    bus-ID: 1-4:3 chip-ID: 04ca:3802 class-ID: e001 serial: <filter>
  Report: bt-adapter ID: hci0 rfk-id: 0 state: down
    bt-service: enabled,running rfk-block: hardware: no software: yes
    address: <filter>
Drives:
  Local Storage: total: 476.94 GiB used: 43.38 GiB (9.1%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Kingston model: OM8PDP3512B-AA1
    size: 476.94 GiB block-size: physical: 512 B logical: 512 B speed: 31.6 Gb/s
    lanes: 4 type: SSD serial: <filter> rev: EDFK0S03 temp: 53.9 C scheme: GPT
Partition:
  ID-1: / raw-size: 64.41 GiB size: 64.41 GiB (100.00%)
    used: 16.26 GiB (25.2%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-2: /boot/efi raw-size: 600 MiB size: 598.8 MiB (99.80%)
    used: 308 KiB (0.1%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
  ID-3: /home raw-size: 64 GiB size: 64 GiB (100.00%) used: 1.03 GiB (1.6%)
    fs: btrfs dev: /dev/nvme0n1p3 maj-min: 259:3
  ID-4: /var/log raw-size: 64.41 GiB size: 64.41 GiB (100.00%)
    used: 16.26 GiB (25.2%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-5: /var/tmp raw-size: 64.41 GiB size: 64.41 GiB (100.00%)
    used: 16.26 GiB (25.2%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: zram size: 7.12 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 50.5 C mobo: N/A gpu: amdgpu temp: 41.0 C
  Fan Speeds (RPM): N/A
Info:
  Processes: 403 Uptime: 0m wakeups: 93 Memory: 7.12 GiB
  used: 2.61 GiB (36.7%) Init: systemd v: 251 default: graphical
  tool: systemctl Compilers: gcc: 12.2.0 Packages: 1411 pm: pacman pkgs: 1381
  libs: 359 tools: gnome-software,pamac,paru,yay pm: flatpak pkgs: 30
  Shell: Zsh v: 5.9 running-in: gnome-terminal inxi: 3.3.23
Garuda (2.6.9-1):
  System install date:     2022-11-10
  Last full system update: 2022-11-10
  Is partially upgraded:   No
  Relevant software:       NetworkManager
  Windows dual boot:       No/Undetected
  Snapshots:               Snapper
  Failed units:            auditd.service

Mmm, should be OK:


Check also in the journal.
The requests repeated too quickly are probably only due to something failing.
You could start with

journalctl -u auditd

Then "expand" if needed.

 journalctl -u auditd.service


systemd[1]: Starting Security Auditing Service...
auditd[857]: Could not open dir /var/log/audit (No such file or directory)
auditd[857]: The audit daemon is exiting.
systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: auditd.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Security Auditing Service.
systemd[1]: auditd.service: Scheduled restart job, restart counter is at 1.
systemd[1]: Stopped Security Auditing Service.

 sudo mkdir /var/log/audit

 sudo systemctl start auditd.service

 sudo systemctl status auditd.service
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2022-11-10 21:05:13 IST; 1s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 16097 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 16101 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
   Main PID: 16098 (auditd)
      Tasks: 2 (limit: 8690)
     Memory: 2.7M
        CPU: 28ms
     CGroup: /system.slice/auditd.service
             └─16098 /sbin/auditd

Nov 10 21:05:13 austin-swiftsf31443 systemd[1]: Starting Security Auditing Service...
Nov 10 21:05:13 austin-swiftsf31443 auditd[16098]: No plugins found, not dispatching events
Nov 10 21:05:13 austin-swiftsf31443 auditd[16098]: Init complete, auditd 3.0.8 listening for events (startup state enable)
Nov 10 21:05:13 austin-swiftsf31443 augenrules[16101]: /sbin/augenrules: No rules directory - /etc/audit/rules.d
Nov 10 21:05:13 austin-swiftsf31443 systemd[1]: Started Security Auditing Service.

Thanks, @filo, for your time and a quick solution!
:grinning:

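The two conditions reported in the logs above (the missing /var/log/audit that stopped auditd, and the missing /etc/audit/rules.d that made augenrules exit with status 1) can be checked before the service is started. The following is an added example, not part of the original posts or of the audit project; the function name audit_preflight, its ROOT argument, the fallback log path and the directory-mode check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the two failures seen in this thread.
# audit_preflight [ROOT] prints one finding per line; returns 1 if any.
# ROOT is a hypothetical parameter so the check can run on a test tree.
audit_preflight() {
    root="${1:-}"
    conf="$root/etc/audit/auditd.conf"
    rules="$root/etc/audit/rules.d"
    # Assumed fallback; the thread only shows the directory /var/log/audit.
    log_file=/var/log/audit/audit.log
    found=0

    if [ -r "$conf" ]; then
        # auditd.conf uses "key = value" lines; take the last log_file set.
        v=$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | tail -n 1)
        if [ -n "$v" ]; then log_file=$v; fi
    else
        echo "UNREADABLE config: $conf (using fallback $log_file)"
        found=1
    fi

    # auditd exits (status 6 in the thread) when this directory is absent.
    log_dir="$root$(dirname "$log_file")"
    if [ ! -d "$log_dir" ]; then
        echo "MISSING log dir: $log_dir"
        found=1
    else
        # Hardening preference added here, not an error from the thread:
        # audit logs should not sit in a directory open to "other" users.
        perms=$(ls -ld "$log_dir" | cut -c1-10)
        other=$(printf '%s' "$perms" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "OPEN log dir: $log_dir ($perms)"
            found=1
        fi
    fi

    # augenrules --load fails when the rules directory does not exist.
    if [ ! -d "$rules" ]; then
        echo "MISSING rules dir: $rules"
        found=1
    fi
    return "$found"
}
```

Called with no argument as root, audit_preflight inspects the live system; a directory created with a plain mkdir under the usual umask is reported as OPEN until its mode is tightened (for example to 0700).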
