Comment # 2 on bug 944125 from
Here are the audit messages coming from kernel:

Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.110:5311): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000
Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.172:5312): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000

I have not spotted any audit message coming from ssh logins lately; I'll put
them here when they appear.

Interesting find:
I have a systemd unit that runs a script as root, shortly after system boot.
The script runs among other things:
auditctl -e 0
auditd -s disable

It appears that, if I open Opera before the systemd unit triggers, then close
and restart Opera after the unit finishes its work, the kernel audit messages
always resume. In the meanwhile, auditing is not enabled as reported by
auditctl.

Then if I close Opera and run the two commands again, kernel audit messages no
longer appear for Opera.
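
For reference, a decoder for the type=1326 records quoted in this comment, added here as an example and not part of the original comment or the bug report. Type 1326 is AUDIT_SECCOMP; the constant tables follow the Linux UAPI headers, the syscall table is a small x86_64 subset chosen for this sample, and the sample holds two of the comment's records on one line each plus one constructed non-audit line.

```python
import re
from collections import Counter

# Values from the Linux UAPI headers (linux/audit.h, linux/seccomp.h).
AUDIT_SECCOMP = 1326
ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386"}
ACTIONS = {0x00000000: "KILL", 0x00030000: "TRAP", 0x00050000: "ERRNO",
           0x7FF00000: "TRACE", 0x7FFF0000: "ALLOW"}
SECCOMP_RET_ACTION = 0x7FFF0000   # upper bits: filter action
SECCOMP_RET_DATA = 0x0000FFFF     # lower bits: action data (e.g. an errno)
# Assumption: small x86_64 subset, enough for the sample below.
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close"}

TYPE_RE = re.compile(r"type=(\d+)|<audit-(\d+)>")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Decode one seccomp audit line (kernel or journald form), else None."""
    m = TYPE_RE.search(line)
    if not m or int(m.group(1) or m.group(2)) != AUDIT_SECCOMP:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    try:
        arch, nr, code = int(f["arch"], 16), int(f["syscall"]), int(f["code"], 16)
        pid, comm, exe = int(f["pid"]), f["comm"], f["exe"]
    except (KeyError, ValueError):
        return None  # truncated or malformed record
    names = X86_64_SYSCALLS if arch == 0xC000003E else {}
    action = code & SECCOMP_RET_ACTION
    return {"pid": pid, "comm": comm, "exe": exe,
            "arch": ARCHES.get(arch, hex(arch)),
            "syscall": names.get(nr, str(nr)),
            "action": ACTIONS.get(action, hex(action)),
            "data": code & SECCOMP_RET_DATA}

def summarize(lines):
    """Count seccomp events per (comm, syscall, action)."""
    recs = filter(None, map(parse_record, lines))
    return Counter((r["comm"], r["syscall"], r["action"]) for r in recs)

SAMPLE = [  # first two: records from the comment; last line is constructed
    'Sep 03 09:21:23 g123 opera[27322]: <audit-1326> auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000',
    'Sep 03 09:21:23 g123 kernel: audit: type=1326 audit(1441264883.110:5311): auid=1000 uid=1000 gid=100 ses=2 pid=27322 comm="opera" exe="/usr/lib/x86_64-linux-gnu/opera/opera" sig=0 arch=c000003e syscall=2 compat=0 ip=0x7ff3d07ef11f code=0x50000',
    'Sep 03 09:21:24 g123 systemd[1]: Started constructed-example.service.',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Records must be rejoined onto one line before decoding: a record cut after `code=0x5` would decode as action KILL with data 5 instead of ERRNO.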

