The server is configured as low latency sensitive server, we would like to enable auditd in order to setup some audit rules, however the service auditd enabled but failed to start.
[2023-05-14 00:44:25 [email protected] ~]$ uname -r
3.10.0-1160.15.2.1.el7.SPC.x86_64
[2023-05-13 11:23:58 [email protected] ~]$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-1160.15.2.1.el7.SPC.x86_64 root=/dev/mapper/vg_root-root ro crashkernel=auto rd.lvm.lv=vg_root/root rd.lvm.lv=vg_root/swap rhgb quiet rd.shell=0 intel_idle.max_cstate=0 processor.max_cstate=0 elevator=noop idle=poll transparent_hugepage=never pcie_aspm.policy=performance net.ifnames=0 isolcpus=1-11,13-23 nohz_full=1-11,13-23 rcu_nocbs=1-11,13-23 rcu_nocb_poll nosoftlockup noibrs noibpb nopti spectre_v2=off mce=ignore_ce auditd=unset tsc=reliable nowatchdog
[2023-05-13 11:27:02 [email protected] ~]$ grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y
[2023-05-13 11:23:48 [email protected] ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2023-05-13 11:06:08 CEST; 17min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 1255 ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules (code=exited, status=1/FAILURE)
Process: 1250 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)
May 13 11:06:08 stxls15p systemd[1]: Starting Security Auditing Service...
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p auditctl[1255]: Error - audit support not in kernel
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p systemd[1]: Failed to start Security Auditing Service.
May 13 11:06:08 stxls15p systemd[1]: Unit auditd.service entered failed state.
May 13 11:06:08 stxls15p systemd[1]: auditd.service failed.
[2023-05-13 11:24:07 [email protected] ~]$ auditctl -t
Error - audit support not in kernel
Cannot open netlink audit socket