Re: How to disable kaudit???

jd1008 <jd1008@xxxxxxxxx> · Tue, 13 Oct 2015 12:43:35 -0600

On 10/13/2015 12:33 PM, jd1008 wrote:

On 09/28/2015 07:55 PM, Ed Greshko wrote:
dnf erase audit
After running dnf erase audit (several days ago),
I am still getting tons of audit messages.
So, I thought that perhaps the command had not succeeded. I reran:
# dnf erase audit
No match for argument: audit
Error: No packages marked for removal.

Here is a small sample of audit messages:

[ 5325.515636] audit: type=1103 audit(1444760702.331:519): pid=23219 
uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred 
grantors=pam_env,pam_unix acct="pcp" exe="/usr/sbin/crond" hostname=? 
addr=? terminal=cron res=success'
[ 5325.517632] audit: type=1006 audit(1444760702.333:520): pid=23219 
uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
old-auid=4294967295 auid=982 old-ses=4294967295 ses=7 res=1
[ 5325.598820] audit: type=1101 audit(1444760702.415:521): pid=23222 
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="pcp" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 5325.601527] audit: type=1105 audit(1444760702.417:522): pid=23222 
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='op=PAM:session_open 
grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="pcp" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 5325.710879] audit: type=1130 audit(1444760702.527:523): pid=1 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 
msg='unit=user@982 comm="systemd" exe="/usr/lib/systemd/systemd" 
hostname=? addr=? terminal=? res=success'
[ 5325.713158] audit: type=1105 audit(1444760702.529:524): pid=23219 
uid=0 auid=982 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_open 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="pcp" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[ 5325.713964] audit: type=1110 audit(1444760702.530:525): pid=23219 
uid=0 auid=982 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="pcp" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[ 5326.295285] audit: type=1104 audit(1444760703.111:526): pid=23219 
uid=0 auid=982 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:setcred grantors=pam_env,pam_unix acct="pcp" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
[ 5326.300074] audit: type=1106 audit(1444760703.116:527): pid=23219 
uid=0 auid=982 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 
msg='op=PAM:session_close 
grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="pcp" 
exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

I wonder if /etc/auditlibs.conf  (which on the face of it at least) seem 
to be
related to system audit : I tried to remove it (it is installed by erase 
audit-libs-2.4.4-1.fc22.x86_64):
# dnf erase audit-libs-2.4.4-1.fc22.x86_64
Dependencies resolved.
Error: The operation would result in removing the following protected 
packages: systemd, dnf.

So, why in tarnation are dnf and systemd dependent on the audit???
Is this not also a totally unnecessary intrusion??

If fedora wants to log and monitor all user's activities, why not make 
all such
packages dependent on each other so we cannot remove any of them -
which would quickly result in all savvy people to abandon fedora and 
similarly
minded distros altogether.

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org