Ask Your Question
2

audit messages flooding dmesg output

asked 2016-04-30 18:36:22 -0600

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I am running Fedora 23 x64 Workstation edition on my ASUS TP300LA notebook. Seeing lots of audit messages on the dmesg output (see below).

To my inexperienced eyes, it looks like what I am seeing here is similar to the bug reported (Bug 1227379 - Audit events on /var/log/messages) reported on Fedora 22. Is that correct?

[11447.564304] audit: type=1130 audit(1462055704.308:634): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[11447.564324] audit: type=1131 audit(1462055704.308:635): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[12569.938586] audit: type=1105 audit(1462056826.601:636): pid=29271 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12633.315688] audit: type=1105 audit(1462056889.974:637): pid=29602 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[12943.594406] audit: type=1325 audit(1462057200.232:639): table=filter family=2 entries=0
[12943.594850] audit: type=1325 audit(1462057200.232:640): table=nat family=2 entries=0
[12943.594870] audit: type=1325 audit(1462057200.232:641): table=mangle family=2 entries=0
[12943.594882] audit: type=1325 audit(1462057200.232:642): table=raw family=2 entries=0
[12943.594896] audit: type=1325 audit(1462057200.232:643): table=security family=2 entries=0
[12943.594916] audit: type=1325 audit(1462057200.232:644): table=filter family=10 entries=0
[12943.594938] audit: type=1325 audit(1462057200.232:645): table=nat family=10 entries=0
[12943.594955] audit: type=1325 audit(1462057200.232:646): table=mangle family=10 entries=0
[12943.594965] audit: type=1325 audit(1462057200.232:647): table=raw family=10 entries=0

I tried the second option suggested in Comment 65

If you want to keep auditing enabled, but disable its logging by journald, you can use

systemctl mask systemd-journald-audit.socket

and restart journald.

but there was no effect on my system. I am still seeing these audit messages.

I don't have an /etc/rsyslog.conf file on my system.

How do I get to stop these audit messages flooding my system? Please can someone guide me through this?

edit retag flag offensive close merge delete
add a comment

3 Answers

Sort by ยป oldest newest most voted
0

answered 2016-05-01 07:54:22 -0600

thomaswood gravatar image

On my Fedora 22 System the audit also spammed my logfile. I was able to get rid of it by adding audit=0 as a kernel option to grub. Best is to add it to /etc/default/grub and append it in the GRUB_CMDLINE_LINUX= section.

edit flag offensive delete link more

Comments

Thanks for your input @thomaswood.

For now, I have used this option to disable audit completely but I don't know if turning off audit completely i such a good idea - i.e. added audit=0 to GRUB_CMDLINE_LINUX= and executed sudo grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfgConfiguring the GRUB bootloader

Option 2 or 3 in Comment 65 seem like the more reasonable thing to do. I am hoping someone can give guidance on how to do that.

JetStream gravatar imageJetStream ( 2016-05-01 12:27:56 -0600 )edit
1

Please don't turn off audit, it is a useful security feature intended to prevent attacks to your computer.

genodeftest gravatar imagegenodeftest ( 2016-05-02 03:40:36 -0600 )edit

The Linux Auditing System just records violations that are configured. If you do not make use of those records/logs, it makes no sense to keep them. It does not add extra security, it just enables you or the admin to recognize violations so one could react.

thomaswood gravatar imagethomaswood ( 2016-05-02 04:51:51 -0600 )edit
add a comment
0

answered 2016-05-08 00:34:05 -0600

AM gravatar image

It doesn't completely get rid of the problem, but I use "auditctl -e 0"

edit flag offensive delete link more

Comments

I was researching this a bit. If you haven't already, it is worth checking once again this has stopped the spamming - see Bug 1227379 Comment 15 and the 2 subsequent comments

JetStream gravatar imageJetStream ( 2016-05-17 02:53:48 -0600 )edit
add a comment
0

answered 2016-05-02 03:42:08 -0600

genodeftest gravatar image

If you really don't want audit logging in syslog, have a look at man 5 auditd.conf. There are some options to e.g. put logging into a separate file.

edit flag offensive delete link more

Comments

My logs go to /var/log/audit/audit.log but dmesg still has 35 audit messages. I did not find an option to disable dmesg logging and use only the provided log file.

bob gravatar imagebob ( 2017-05-10 10:32:42 -0600 )edit
add a comment

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2016-04-30 18:36:22 -0600

Seen: 6,307 times

Last updated: May 17 '16

Related questions

Samba fedora 23 server

WiFi keeps dropping

Is it possible to get DNF to install packages listed in a text file?

Fedora 23 Won't connect to wifi

How to check Fedora 23 consistency after upgrade?

Fedora 23 Enterprise WiFi network connection issue

Does Hotspot option support only wep security?

how i can upgrade fedora 22 to fedora 23???

After fresh install of Fedora 23(KDE spin) mouse registers no clicking.

HP 250 G1 laptop hardware problem

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2