Ask Your Question
2

audit messages flooding dmesg output

asked 2016-04-30 18:36:22 -0500

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I am running Fedora 23 x64 Workstation edition on my ASUS TP300LA notebook. Seeing lots of audit messages on the dmesg output (see below).

To my inexperienced eyes, it looks like what I am seeing here is similar to the bug reported (Bug 1227379 - Audit events on /var/log/messages) reported on Fedora 22. Is that correct?

[11447.564304] audit: type=1130 audit(1462055704.308:634): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[11447.564324] audit: type=1131 audit(1462055704.308:635): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[12569.938586] audit: type=1105 audit(1462056826.601:636): pid=29271 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12633.315688] audit: type=1105 audit(1462056889.974:637): pid=29602 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12943.594406] audit: type=1325 audit(1462057200.232:639): table=filter family=2 entries=0
[12943.594850] audit: type=1325 audit(1462057200.232:640): table=nat family=2 entries=0
[12943.594870] audit: type=1325 audit(1462057200.232:641): table=mangle family=2 entries=0
[12943.594882] audit: type=1325 audit(1462057200.232:642): table=raw family=2 entries=0
[12943.594896] audit: type=1325 audit(1462057200.232:643): table=security family=2 entries=0
[12943.594916] audit: type=1325 audit(1462057200.232:644): table=filter family=10 entries=0
[12943.594938] audit: type=1325 audit(1462057200.232:645): table=nat family=10 entries=0
[12943.594955] audit: type=1325 audit(1462057200.232:646): table=mangle family=10 entries=0
[12943.594965] audit: type=1325 audit(1462057200.232:647): table=raw family=10 entries=0

I tried the second option suggested in Comment 65

If you want to keep auditing enabled, but disable its logging by journald, you can use

systemctl mask systemd-journald-audit.socket

and restart journald.

but there was no effect on my system. I am still seeing these audit messages.

I don't have an /etc/rsyslog.conf file on my system.

How do I get to stop these audit messages flooding my system? Please can someone guide me through this?

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by ยป oldest newest most voted
0

answered 2016-05-01 07:54:22 -0500

thomaswood gravatar image

On my Fedora 22 System the audit also spammed my logfile. I was able to get rid of it by adding audit=0 as a kernel option to grub. Best is to add it to /etc/default/grub and append it in the GRUB_CMDLINE_LINUX= section.

edit flag offensive delete link more

Comments

Thanks for your input @thomaswood.

For now, I have used this option to disable audit completely but I don't know if turning off audit completely i such a good idea - i.e. added audit=0 to GRUB_CMDLINE_LINUX= and executed sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfgConfiguring the GRUB bootloader

Option 2 or 3 in Comment 65 seem like the more reasonable thing to do. I am hoping someone can give guidance on how to do that.

JetStream gravatar imageJetStream ( 2016-05-01 12:27:56 -0500 )edit
1

Please don't turn off audit, it is a useful security feature intended to prevent attacks to your computer.

genodeftest gravatar imagegenodeftest ( 2016-05-02 03:40:36 -0500 )edit

The Linux Auditing System just records violations that are configured. If you do not make use of those records/logs, it makes no sense to keep them. It does not add extra security, it just enables you or the admin to recognize violations so one could react.

thomaswood gravatar imagethomaswood ( 2016-05-02 04:51:51 -0500 )edit
add a comment
0

answered 2016-05-08 00:34:05 -0500

AM gravatar image

It doesn't completely get rid of the problem, but I use "auditctl -e 0"

edit flag offensive delete link more

Comments

I was researching this a bit. If you haven't already, it is worth checking once again this has stopped the spamming - see Bug 1227379 Comment 15 and the 2 subsequent comments

JetStream gravatar imageJetStream ( 2016-05-17 02:53:48 -0500 )edit
add a comment
0

answered 2016-05-02 03:42:08 -0500

genodeftest gravatar image

If you really don't want audit logging in syslog, have a look at man 5 auditd.conf. There are some options to e.g. put logging into a separate file.

edit flag offensive delete link more

Comments

My logs go to /var/log/audit/audit.log but dmesg still has 35 audit messages. I did not find an option to disable dmesg logging and use only the provided log file.

bob gravatar imagebob ( 2017-05-10 10:32:42 -0500 )edit
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2016-04-30 18:36:22 -0500

Seen: 6,441 times

Last updated: May 17 '16

Related questions

How to run Virtual Box?

active fastestmirror in dnf

could not be reserved

Change Folder Colour

kmod-VirtualBox conflict

Just upgraded to Fedora 23 and wifi won't work

Fedora 23 Super Key on keyboard registering as Ctrl_L

WiFi keeps dropping

Unable to access external HDD on Virtualbox running win7 on host fedora 23-

Dual boot fedora with Windows 10, automatic configure partitioning showing not enough space available to install fedora

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2