[Bug 860778] New: audit messages in kernel and system logs
https://bugzilla.novell.com/show_bug.cgi?id=860778

https://bugzilla.novell.com/show_bug.cgi?id=860778#c0

Summary: audit messages in kernel and system logs
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Basesystem
AssignedTo: tonyj@suse.com
ReportedBy: jdelvare@suse.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Since 2013-12-10, I see audit messages in my logs that look like:

[ 5733.805799] type=1006 audit(1390896901.578:44): pid=3150 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=9 res=1
[ 6634.324050] type=1006 audit(1390897801.618:45): pid=3327 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=10 res=1
[ 7534.843993] type=1006 audit(1390898701.659:46): pid=3382 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=11 res=1
[ 8435.362572] type=1006 audit(1390899601.699:47): pid=3443 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=12 res=1
[ 9335.880581] type=1006 audit(1390900501.737:48): pid=3487 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=13 res=1
[10236.398556] type=1006 audit(1390901401.777:49): pid=3614 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=14 res=1

This started with kernel 3.13.0-rc3. With kernel 3.12.x I did not have these messages.

These are quite cryptic and I have no idea what I'm supposed to do about these. By the time I check, the PID is already gone, so I have no idea what process is triggering these. They look like debug messages to me but I may be wrong.

How can I get audit to stop spamming my logs like that?

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
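For readers triaging the same records, here is a small decoder for the lines quoted in the report; it is an added example, not part of the bug report or of the audit project. It assumes two facts from the kernel's audit header that the report does not state: record type 1006 is AUDIT_LOGIN, and 4294967295 is the 32-bit "unset" value for auid and ses.

```python
import re
from datetime import datetime, timezone

UNSET = 0xFFFFFFFF             # (uint32)-1: no login uid / no session assigned yet
AUDIT_TYPES = {1006: "LOGIN"}  # assumption: AUDIT_LOGIN in linux/audit.h
# First three lines copied from the report above (kernel 3.13 record layout).
SAMPLE = """\
[ 5733.805799] type=1006 audit(1390896901.578:44): pid=3150 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=9 res=1
[ 6634.324050] type=1006 audit(1390897801.618:45): pid=3327 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=10 res=1
[ 7534.843993] type=1006 audit(1390898701.659:46): pid=3382 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=11 res=1
"""

HEADER = re.compile(r"type=(\d+) audit\((\d+)\.(\d+):(\d+)\): (.*)")
FIELD = re.compile(r"((?:old |new )?\w+)=(\S+)")

def parse_line(line):
    """Return a dict for one kernel-log audit record, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, sec, _msec, serial, body = m.groups()
    rec = {
        "type": AUDIT_TYPES.get(int(rtype), rtype),
        "time": datetime.fromtimestamp(int(sec), timezone.utc),  # audit() epoch
        "serial": int(serial),
    }
    for key, val in FIELD.findall(body):
        num = int(val) if val.isdigit() else val
        rec[key.replace(" ", "_")] = None if num == UNSET else num
    return rec

def show(value):
    return "unset" if value is None else value

def summarize(text):
    """One readable sentence per LOGIN record, plus seconds between records."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    lines = [
        f"{r['time']:%Y-%m-%d %H:%M:%S}Z pid {r['pid']} (uid {r['uid']}): "
        f"login uid {show(r['old_auid'])} -> {r['new_auid']}, "
        f"session {r['new_ses']}, {'ok' if r['res'] == 1 else 'failed'}"
        for r in recs if r["type"] == "LOGIN"
    ]
    gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
    return lines, gaps

if __name__ == "__main__":
    out, gaps = summarize(SAMPLE)
    print("\n".join(out), "\nseconds between records:", gaps)
```

Each record is a root process being assigned login uid 0 and a fresh session id, and the reported records are 900 seconds apart.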
https://bugzilla.novell.com/show_bug.cgi?id=860778#c6
--- Comment #6 from Tony Jones
> this bug also hits me. i am on opensuse 13.1 x86_64 with kernel 3.13.2 from
> stable-standard repo

I need to see what the default was in sysvinit, as to whether audit was enabled automatically. It isn't at present in systemd. Once enabled the issue will go away. I imagine this needs to be fixed and enabled automatically.

immediately post install:

# systemctl status auditd
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled)
   Active: inactive (dead)
https://bugzilla.novell.com/show_bug.cgi?id=860778#c7
--- Comment #7 from Rainer Klier
(In reply to comment #5)
> > this bug also hits me. i am on opensuse 13.1 x86_64 with kernel 3.13.2 from
> > stable-standard repo
>
> I need to see what the default was in sysvinit, as to whether audit was enabled
> automatically. It isn't at present in systemd. Once enabled the issue will

it was not enabled automatically. after i started it manually with "systemctl restart auditd" the messages went away. after this i enabled auditd as default in yast, and today i also don't see these messages any more.

> go away. I imagine this needs to be fixed and enabled automatically.

yes. i think this is the real bug here. it was not enabled automatically.

FYI: i did not freshly install my opensuse 13.1, but i made an upgrade from 12.3.

but what for is this auditd? what is its purpose? what for do i need it?
--- Comment #34 from Tony Jones
> I haven't had quiet in any bootloader stanza for any distro since sometime last
> century. I find little to no activity on vtty1 during init to be highly
> annoying. Not having quiet on cmdline has never been a problem before that I
> can remember.

All my systems have been the result of a constant 'zypper dup'. I just went and installed from scratch the latest Factory (http://download.opensuse.org/factory/iso/openSUSE-Tumbleweed-DVD-x86_64-Curr...).

I chose the default GUI which is KDE and then default for every option. The resulting system has a /proc/cmdline containing 'quiet' and 'cat /proc/sys/kernel/printk' reports 4 4 1 7. audit rpm installed, auditd.service enabled and running. No rsyslog installed.

I repeated the install selecting GNOME and then all defaults. Same as above.

I repeated the install selecting "other" "Minimal Server Selection (text mode)". Quiet present on command line, thus default loglevel is 4. No audit rpm installed, thus no auditd.service.

In all cases the default loglevel was 4, so the issue you are describing does not occur.

> > If this is correct, as root, add "quiet" (or "loglevel=4") to
> > GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run grub2-mkconfig >
> > /boot/grub2/grub.cfg [or yast equivalent] and reboot.
>
> Grub2 is not installed in any rpm-based distro here. Most installations here
> are booting from a Grub Legacy installation on a primary partition that is
> never mounted as /boot.

Then you need to change '/boot/grub/menu.lst'

I'm not seeing the issue here, other than you've managed to configure your system in a way that causes audit events to be logged to the console.