2

audit messages flooding dmesg output

asked 2016-04-30 18:36:22 -0500


I am running Fedora 23 x64 Workstation edition on my ASUS TP300LA notebook. I am seeing lots of audit messages in the dmesg output (see below).

To my inexperienced eyes, it looks like what I am seeing here is similar to the bug reported on Fedora 22 (Bug 1227379 - Audit events on /var/log/messages). Is that correct?

[11447.564304] audit: type=1130 audit(1462055704.308:634): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[11447.564324] audit: type=1131 audit(1462055704.308:635): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[12569.938586] audit: type=1105 audit(1462056826.601:636): pid=29271 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12633.315688] audit: type=1105 audit(1462056889.974:637): pid=29602 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12943.594406] audit: type=1325 audit(1462057200.232:639): table=filter family=2 entries=0
[12943.594850] audit: type=1325 audit(1462057200.232:640): table=nat family=2 entries=0
[12943.594870] audit: type=1325 audit(1462057200.232:641): table=mangle family=2 entries=0
[12943.594882] audit: type=1325 audit(1462057200.232:642): table=raw family=2 entries=0
[12943.594896] audit: type=1325 audit(1462057200.232:643): table=security family=2 entries=0
[12943.594916] audit: type=1325 audit(1462057200.232:644): table=filter family=10 entries=0
[12943.594938] audit: type=1325 audit(1462057200.232:645): table=nat family=10 entries=0
[12943.594955] audit: type=1325 audit(1462057200.232:646): table=mangle family=10 entries=0
[12943.594965] audit: type=1325 audit(1462057200.232:647): table=raw family=10 entries=0

I tried the second option suggested in Comment 65

If you want to keep auditing enabled, but disable its logging by journald, you can use

systemctl mask systemd-journald-audit.socket

and restart journald.

but there was no effect on my system. I am still seeing these audit messages.

I don't have an /etc/rsyslog.conf file on my system.

How do I stop these audit messages from flooding my system? Can someone please guide me through this?

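Before choosing between the remedies discussed in this thread (audit=0 on the kernel command line, auditctl -e 0, masking the journald audit socket, auditd.conf options), it helps to know which record types are actually producing the volume. The following is an added example, not code from the original question or any of the answers: a small POSIX shell triage script that parses dmesg-style audit lines like the ones above and counts records per type and per audit timestamp. The type names are the standard Linux audit type codes; the sample input is constructed from the question's own lines plus one unrelated line, and nothing here touches the live system.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise the kernel audit
# records that the question shows in dmesg, so you can see what is actually
# producing the volume before deciding whether to silence the audit stream.
# Input is dmesg-style text on stdin; nothing here touches the live system.

# Map an audit record type number to its name. The numbers are the
# standard Linux audit type codes (AUDIT_USER_START etc. in linux/audit.h).
audit_type_name() {
    case "$1" in
        1105) echo "USER_START" ;;      # PAM session opened
        1106) echo "USER_END" ;;        # PAM session closed
        1130) echo "SERVICE_START" ;;   # systemd unit started
        1131) echo "SERVICE_STOP" ;;    # systemd unit stopped
        1325) echo "NETFILTER_CFG" ;;   # iptables table (re)loaded
        *)    echo "UNKNOWN" ;;
    esac
}

# Count records per type. Prints "type=<n> <name> <count>", ascending by type.
# Lines without "audit: type=" (ordinary dmesg output) are ignored.
summarise_audit_types() {
    sed -n 's/.*audit: type=\([0-9][0-9]*\) .*/\1/p' \
        | sort | uniq -c | sort -k2,2n \
        | while read -r count type; do
            printf 'type=%s %s %s\n' "$type" "$(audit_type_name "$type")" "$count"
          done
}

# Count records per audit timestamp (the seconds part of audit(SECS.MS:SERIAL)).
# Many records at one timestamp are one event fanning out, e.g. a firewall
# reload emitting one NETFILTER_CFG record per table. Prints "ts=<secs> records=<n>".
audit_bursts() {
    sed -n 's/.*audit(\([0-9][0-9]*\)\.[0-9]*:[0-9]*).*/\1/p' \
        | sort | uniq -c | sort -k2,2n \
        | while read -r count secs; do
            printf 'ts=%s records=%s\n' "$secs" "$count"
          done
}

# Constructed sample input, modelled on the lines in the question; the
# non-audit line at the end is there to show that it is ignored.
sample_dmesg() {
    cat <<'EOF'
[11447.564304] audit: type=1130 audit(1462055704.308:634): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[11447.564324] audit: type=1131 audit(1462055704.308:635): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[12569.938586] audit: type=1105 audit(1462056826.601:636): pid=29271 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12633.315688] audit: type=1105 audit(1462056889.974:637): pid=29602 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12943.594406] audit: type=1325 audit(1462057200.232:639): table=filter family=2 entries=0
[12943.594850] audit: type=1325 audit(1462057200.232:640): table=nat family=2 entries=0
[12943.594870] audit: type=1325 audit(1462057200.232:641): table=mangle family=2 entries=0
[12943.594882] audit: type=1325 audit(1462057200.232:642): table=raw family=2 entries=0
[12950.000000] wlp2s0: constructed non-audit line, should be ignored
EOF
}

# Stand-alone run: `sh script.sh --demo`. On a real system pipe `dmesg`
# (or `journalctl -k`) into the two functions instead of sample_dmesg.
if [ "${1:-}" = "--demo" ]; then
    sample_dmesg | summarise_audit_types
    sample_dmesg | audit_bursts
fi
```

On the sample input the type summary shows two USER_START records (pkexec sessions), one SERVICE_START/STOP pair (the dnf-makecache timer) and four NETFILTER_CFG records, and the burst view shows all four NETFILTER_CFG records sharing the timestamp 1462057200, i.e. a single firewall reload. That is the kind of breakdown that tells you whether you are looking at noise from routine activity or at something worth keeping an audit trail of, before you reach for audit=0.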

3 Answers

0

answered 2016-05-01 07:54:22 -0500

On my Fedora 22 system the audit also spammed my log file. I was able to get rid of it by adding audit=0 as a kernel option to grub. The best way is to add it to /etc/default/grub, appending it to the GRUB_CMDLINE_LINUX= line.


Comments

Thanks for your input @thomaswood.

For now, I have used this option to disable audit completely, but I don't know if turning off audit completely is such a good idea - i.e. I added audit=0 to GRUB_CMDLINE_LINUX= and executed sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg (see "Configuring the GRUB bootloader").

Option 2 or 3 in Comment 65 seem like the more reasonable thing to do. I am hoping someone can give guidance on how to do that.

JetStream (2016-05-01 12:27:56 -0500)
1

Please don't turn off audit, it is a useful security feature intended to prevent attacks on your computer.

genodeftest (2016-05-02 03:40:36 -0500)

The Linux Auditing System just records violations that are configured. If you do not make use of those records/logs, it makes no sense to keep them. It does not add extra security, it just enables you or the admin to recognize violations so one could react.

thomaswood (2016-05-02 04:51:51 -0500)
0

answered 2016-05-08 00:34:05 -0500

AM

It doesn't completely get rid of the problem, but I use "auditctl -e 0"


Comments

I was researching this a bit. If you haven't already, it is worth checking once again that this has stopped the spamming; see Bug 1227379 Comment 15 and the two subsequent comments.

JetStream (2016-05-17 02:53:48 -0500)
0

answered 2016-05-02 03:42:08 -0500

genodeftest

If you really don't want audit logging in syslog, have a look at man 5 auditd.conf. There are some options to e.g. put logging into a separate file.


Comments

My logs go to /var/log/audit/audit.log but dmesg still has 35 audit messages. I did not find an option to disable dmesg logging and use only the provided log file.

bob (2017-05-10 10:32:42 -0500)


Seen: 3,561 times

Last updated: May 17 '16