auditd service fails with the status of "auditd dead but subsys locked"

Latest response

RHEL Release 5.2 (Tikanga)86_64
I am trying to add a new audit.rules file into /etc/audit. Every line in the new rules file (which works in release 5.5 and above) reports "Error sending add rule dta request (Operation not permitted)There was an error in line X of /etc/audit/rules". I have commented out line after line and always receive this error. The auditd demon will start but crashes shortly after. When I look at the status I get "auditd ead but subsys locked" As the auditing meets a requirement, what do I need to do in order to get the audit service up and running? What permission issues am I encountering and how do I work around them?

Update: After experimenting with auditctl, every command that I issue as root results in "Error sending rquest (Operation is not permitted)

Partial solution:
"auditd dead but sybsys locked" : Removed auditd from /var/lock/subsys

"Operation not permitted" : The rules are immutable. The server will need to be bounced in order for the new rules to take place

STILL AN ISSUE: Auditd service is crashing.

Responses

Hi,

Someone may still chime in on this discussion with an idea, but I suspect your best course of action will be to open a support case for this one.