Auditd Service Breaks With "auditd.service: main process exited, code=exited, status=6" (Doc ID 2717983.1)

Last updated on OCTOBER 07, 2022

Applies to:

Symptoms

The kernel "auditd" service breaks while updating the audit config or rules files, and after restarting the auditd service. The script throws an error and auditd fails with "auditd.service: main process exited, code=exited, status=6".

# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
Job for auditd.service failed because the control process exited with error code. See "systemctl status auditd.service" and "journalctl -xe" for details.

# systemctl status auditd.service
 . auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-09-17 12:57:19 GMT; 21s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 28032 ExecStart=/sbin/auditd (code=exited, status=6)
Main PID: 1211 (code=exited, status=0/SUCCESS)

Sep 17 12:57:19  systemd[1]: Starting Security Auditing Service...
Sep 17 12:57:19  systemd[1]: auditd.service: control process exited, code=exited status=6
Sep 17 12:57:19  systemd[1]: Failed to start Security Auditing Service.
Sep 17 12:57:19  systemd[1]: Unit auditd.service entered failed state.
Sep 17 12:57:19  systemd[1]: auditd.service failed.

Changes

Performing system-wide hardening, using ansible to update the audit config or rules in a automated manner to manage multiple hosts in an IT infrastructure. It is not mandatory to have used ansible, there could be manual script executed or inadverted filesystem changes.

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.