
KB-2394: Audit start fails with Auditclasses error

Centrify DirectControl

12 April,16 at 11:13 AM

Applies to:
 
All versions of Centrify DirectControl on AIX platforms only.
 
Problem:
 
The following error may occur when trying to start auditing on an IBM server running Centrify DirectControl:
 
# audit start
Failed to update audit classes of user
** failed setting kernel audit objects
 
This has been seen when CentrifyDC is used for authentication. The problem occurs if a Centrify user has an active process in the process table and 'lsuser -a auditclasses <Centrify user>' returns a blank entry for auditclasses rather than not displaying auditclasses at all.
 
Cause:
 
On any AIX system, there is a file called /etc/security/audit/config. Its "default" line has to be set; without any default, adclient defaults to an empty string.
 
Workaround:
 
1) In the example below, the file /etc/security/audit/config shows:
 
users:
        root = auth,audit,system,cron,passwd,obj1,obj2,obj3,obj4,sumon
        default = auth,audit,system,cron,obj1,obj2,obj3,obj4,sumon
 
2) There is another file called /etc/security/user. Open this file and go to the "default" section; there should be a line for auditclasses as follows. It should NOT be empty.
 
auditclasses = auth,audit,system,cron,obj1,obj2,obj3,obj4,sumon
 
3) Cross-check if /etc/security/audit/objects has the following lines by default.
 
/etc/security/environ:
        w = "S_ENVIRON_WRITE"
 
/etc/security/group:
        w = "S_GROUP_WRITE"
 
/etc/security/limits:
        w = "S_LIMITS_WRITE"
 
/etc/security/login.cfg:
        w = "S_LOGIN_WRITE"
 
/etc/security/passwd:
        r = "S_PASSWD_READ"
        w = "S_PASSWD_WRITE"
 
/etc/security/user:
        w = "S_USER_WRITE"
 
/etc/security/audit/config:
        w = "AUD_CONFIG_WR"
 
 
4) After this, the command # adflush should be run to clear the cache.
 
5) The audit daemon should then start normally.
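 
A pre-flight check for steps 1 and 2, added here as an example and not part of Centrify's article: it parses the two stanza files and reports whether the default audit classes are set and non-empty. The function names are hypothetical and the sample files are constructed; called with no arguments, check_auditclasses_defaults reads the two paths named above.

```shell
#!/bin/sh
# Added example: pre-flight check for steps 1 and 2 before "audit start".

# Print the value of attribute $3 in stanza $2 of AIX stanza file $1
# (prints nothing when the attribute is absent or blank).
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[ \t]*$/  { next }                     # blank line
        /^[ \t]*\*/ { next }                     # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ {                    # unindented "name:" opens a stanza
            name = $0; sub(/:[ \t]*$/, "", name)
            in_stanza = (name == stanza); next
        }
        in_stanza && (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == attr) { print val; exit }
        }
    ' "$1"
}

# Return 0 only when both defaults are set and non-empty.
# Arguments default to the paths named in the article; override them for testing.
check_auditclasses_defaults() {
    audit_cfg="${1:-/etc/security/audit/config}"
    user_cfg="${2:-/etc/security/user}"
    rc=0
    a=$(stanza_attr "$audit_cfg" users default)
    u=$(stanza_attr "$user_cfg" default auditclasses)
    [ -n "$a" ] || { echo "FAIL: users stanza of $audit_cfg has no default"; rc=1; }
    [ -n "$u" ] || { echo "FAIL: default stanza of $user_cfg has empty auditclasses"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: default=$a auditclasses=$u"
    return "$rc"
}

# Constructed sample files (not taken from a real host): one good pair, one blank entry.
tmp=$(mktemp -d)
printf 'users:\n\troot = auth,audit,system\n\tdefault = auth,audit,system,cron\n' > "$tmp/config"
printf 'default:\n\tauditclasses = auth,audit,system,cron\n' > "$tmp/user.good"
printf 'default:\n\tauditclasses = \n\nroot:\n\tauditclasses = auth\n' > "$tmp/user.blank"
check_auditclasses_defaults "$tmp/config" "$tmp/user.good"
check_auditclasses_defaults "$tmp/config" "$tmp/user.blank" || echo "(blank entry detected)"
rm -rf "$tmp"
```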
 
Resolution:
 
Centrify worked around this problem and confirmed it in the lab.  On a Centrify server running Centrify DirectControl 5.x, the above steps were not needed.
