auditd service fails with the status of "auditd dead but subsys locked"
RHEL Release 5.2 (Tikanga)86_64
I am trying to add a new audit.rules file into /etc/audit. Every line in the new rules file (which works in release 5.5 and above) reports "Error sending add rule dta request (Operation not permitted)There was an error in line X of /etc/audit/rules". I have commented out line after line and always receive this error. The auditd demon will start but crashes shortly after. When I look at the status I get "auditd ead but subsys locked" As the auditing meets a requirement, what do I need to do in order to get the audit service up and running? What permission issues am I encountering and how do I work around them?
Update: After experimenting with auditctl, every command that I issue as root results in "Error sending
Partial solution:
"auditd dead but sybsys locked" : Removed auditd from /var/lock/subsys
"Operation not permitted" : The rules are immutable. The server will need to be bounced in order for the new rules to take place
STILL AN ISSUE: Auditd service is crashing.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
