
Oracle Linux: Auditd Service Fails to Start During System Booting Process (Doc ID 2471846.1)

Last updated on SEPTEMBER 21, 2021

Applies to:

Linux OS - Version Oracle Linux 7.0 and later
Linux x86-64

Symptoms

On an Oracle Linux 7 system, the Security Auditing Service (auditd) fails to start during the boot process. The following events may appear in the system messages log file:

Nov  6 15:50:39 hostname systemd: Starting Security Auditing Service...
Nov  6 15:50:39 hostname kernel: type=1400 audit(1541541039.845:4): avc:  denied  { read } for  pid=735 comm="auditd" name="audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
Nov  6 15:50:39 hostname auditd: Could not open dir /var/log/audit (Permission denied)
Nov  6 15:50:39 hostname auditd: The audit daemon is exiting.
Nov  6 15:50:39 hostname systemd: Mounted /var/log/audit.
Nov  6 15:50:39 hostname systemd: auditd.service: control process exited, code=exited status=6
Nov  6 15:50:39 hostname systemd: Failed to start Security Auditing Service.
Nov  6 15:50:39 hostname systemd: Unit auditd.service entered failed state.
Nov  6 15:50:39 hostname systemd: auditd.service failed.

However, the service starts properly when it is started manually after the system has booted completely:

# systemctl status auditd
● auditd.service - Security Auditing Service
  Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
  Active: active (running) since Mon 2018-11-12 08:24:44 CST; 8min ago
    Docs: man:auditd(8)
          https://github.com/linux-audit/audit-documentation
 Process: 26758 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
 Process: 26753 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 26754 (auditd)
  CGroup: /system.slice/auditd.service
          └─26754 /sbin/auditd

Nov 12 08:24:44 hostname augenrules[26758]: /sbin/augenrules: No change
Nov 12 08:24:44 hostname augenrules[26758]: No rules
Nov 12 08:24:44 hostname augenrules[26758]: enabled 2
Nov 12 08:24:44 hostname augenrules[26758]: failure 1
Nov 12 08:24:44 hostname augenrules[26758]: pid 26754
Nov 12 08:24:44 hostname augenrules[26758]: rate_limit 0
Nov 12 08:24:44 hostname augenrules[26758]: backlog_limit 64
Nov 12 08:24:44 hostname augenrules[26758]: lost 0
Nov 12 08:24:44 hostname augenrules[26758]: backlog 3
Nov 12 08:24:44 hostname systemd[1]: Started Security Auditing Service.
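
The boot-time messages shown above can be checked for mechanically. The following is an added example, not part of the original Oracle document: it parses the AVC denial for auditd and reports where the mount of /var/log/audit is logged relative to it. The function names and result keys are assumptions made for this illustration, and the script only reports what the log records; it does not establish the cause.

```python
import re

# Constructed sample: boot-time lines copied from the Symptoms section above.
SAMPLE = r'''Nov  6 15:50:39 hostname systemd: Starting Security Auditing Service...
Nov  6 15:50:39 hostname kernel: type=1400 audit(1541541039.845:4): avc:  denied  { read } for  pid=735 comm="auditd" name="audit" dev="dm-6" ino=131 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:initrc_var_log_t:s0 tclass=dir
Nov  6 15:50:39 hostname auditd: Could not open dir /var/log/audit (Permission denied)
Nov  6 15:50:39 hostname systemd: Mounted /var/log/audit.
Nov  6 15:50:39 hostname systemd: Failed to start Security Auditing Service.
'''.splitlines()

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # An SELinux context is user:role:type:level; keep the type of each side.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def analyze_boot(lines):
    """Report auditd start-up events in the order the log records them."""
    out = {"start": None, "failed": None, "mounted": None, "denials": []}
    for n, line in enumerate(lines, 1):
        if "Starting Security Auditing Service" in line:
            out["start"] = n
        elif "Failed to start Security Auditing Service" in line:
            out["failed"] = n
        elif "Mounted /var/log/audit" in line:
            out["mounted"] = n
        elif 'comm="auditd"' in line:
            avc = parse_avc(line)
            if avc:
                avc["line"] = n
                out["denials"].append(avc)
    first = out["denials"][0]["line"] if out["denials"] else None
    # True when the mount is logged only after auditd was already denied.
    out["mount_logged_after_denial"] = bool(first and out["mounted"] and out["mounted"] > first)
    return out


if __name__ == "__main__":
    print(analyze_boot(SAMPLE))
```

All events in the sample share one timestamp, so the ordering is by position in the log rather than by time.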

Changes

No changes have been made to the system.

Cause
