Error - audit support not in kernel & Cannot open netlink audit socket

nelsonwu3 · May 13, 2023, 10:51pm

The server is configured as low latency sensitive server, we would like to enable auditd in order to setup some audit rules, however the service auditd enabled but failed to start.

[2023-05-14 00:44:25 root@stxls18p ~]$ uname -r
3.10.0-1160.15.2.1.el7.SPC.x86_64

[2023-05-13 11:23:58 root@stxls15p ~]$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-1160.15.2.1.el7.SPC.x86_64 root=/dev/mapper/vg_root-root ro crashkernel=auto rd.lvm.lv=vg_root/root rd.lvm.lv=vg_root/swap rhgb quiet rd.shell=0 intel_idle.max_cstate=0 processor.max_cstate=0 elevator=noop idle=poll transparent_hugepage=never pcie_aspm.policy=performance net.ifnames=0 isolcpus=1-11,13-23 nohz_full=1-11,13-23 rcu_nocbs=1-11,13-23 rcu_nocb_poll nosoftlockup noibrs noibpb nopti spectre_v2=off mce=ignore_ce auditd=unset tsc=reliable nowatchdog


[2023-05-13 11:27:02 root@stxls18p ~]$ grep CONFIG_AUDIT /boot/config-`uname -r`
CONFIG_AUDIT_ARCH=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_WATCH=y
CONFIG_AUDIT_TREE=y


[2023-05-13 11:23:48 root@stxls15p ~]$ systemctl status auditd
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2023-05-13 11:06:08 CEST; 17min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 1255 ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules (code=exited, status=1/FAILURE)
  Process: 1250 ExecStart=/sbin/auditd (code=exited, status=1/FAILURE)

May 13 11:06:08 stxls15p systemd[1]: Starting Security Auditing Service...
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p auditctl[1255]: Error - audit support not in kernel
May 13 11:06:08 stxls15p systemd[1]: auditd.service: control process exited, code=exited status=1
May 13 11:06:08 stxls15p systemd[1]: Failed to start Security Auditing Service.
May 13 11:06:08 stxls15p systemd[1]: Unit auditd.service entered failed state.
May 13 11:06:08 stxls15p systemd[1]: auditd.service failed.

[2023-05-13 11:24:07 root@stxls15p ~]$ auditctl -t
Error - audit support not in kernel
Cannot open netlink audit socket

BluishHumility · May 13, 2023, 11:34pm

Hi @nelsonwu3, this is the forum for Garuda Linux, which is not an appropriate place to reach out for help with this issue. It looks like you are running RHEL, or maybe CentOS? Try the forum over there instead: https://forums.centos.org/

system · May 27, 2023, 11:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.