Re: Annoying audit messages

On 09/27/2016 02:22 AM, Alex wrote:
> Hi,
>
> On Mon, Sep 26, 2016 at 2:53 PM, Patrick O'Callaghan
> <pocallaghan@xxxxxxxxx> wrote:
>> On Mon, 2016-09-26 at 14:46 -0400, Alex wrote:
>>> Hi all,
>>>
>>> I recall seeing an rsyslog entry to prevent these messages from
>>> filling my messages logs, but it no longer appears to work with f24.
>>> Is there a more specific method to disable audit messages?
>>>
>>> Sep 26 14:40:56 alex kernel: audit: type=2404
>>> audit(1474915256.442:724): pid=3297 uid=0 auid=4294967295
>>> ses=4294967295 msg='op=destroy kind=server
>>> fp=SHA256:c3:77:02:0b:2c:82:43:05:c5:50:ff:e6:99:f1:3f:1a:1d:6a:51:b7:a4:cb:45:55:37:66:95:46:51:9b:80:d2
>>> direction=? spid=3297 suid=0  exe="/usr/sbin/sshd" hostname=?
>>> addr=107.155.77.2 terminal=? res=success'
>>>
>>> I'm not using selinux, and have enabled rsyslog. They're just not helpful to me.
>>
>> Edit /etc/default/grub. Look for the line beginning GRUB_CMDLINE_LINUX.
>> Add "audit=0" to the end of that line. Run:
>>
>> grub2-mkconfig --output /boot/grub2/grub.cfg
>>
>> Audit will be turned off when you reboot. To turn it off without
>> rebooting, do:
>>
>> auditctl -e 0
>
> Thanks very much, very helpful. What is the reason this is enabled by
> default? Don't other people find it obnoxious and unhelpful?
>
> How does this information help the average sysadmin?
Audit is not just a log. For that reason, it is not dumped to the same files (/var/log/secure, /var/log/messages) as other logs, but into a separate file (/var/log/audit/audit.log) when you have auditd running (if you stop it, it is dumped into messages, which might be confusing).

It keeps track of actions that were performed at a lower level than the "average sysadmin" might need. In the first place, they are needed for certifications in some environments. In the second place, it is helpful when you search for specific actions that were performed in the past.

Your example shows an event where the server private key was zeroed before exit or before changing to an unprivileged process, which should not see the content of the private keys.

Regards,

--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
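Added example (not part of the thread and not code from the audit or Fedora projects): the thread offers two choices, leave every record in /var/log/messages or switch audit off globally with audit=0 / auditctl -e 0. The middle ground a practitioner usually wants is to parse the kernel-logged record and drop only the specific noisy event (sshd's key-zeroing CRYPTO_KEY_USER record, type 2404, with op=destroy kind=server) while keeping everything else, such as failed logins. The small type-number table is a subset copied from the audit record-type definitions; the sample lines other than the one quoted in the thread are constructed, and the is_noise() policy is a hypothetical one written for this example.

```python
"""Parse kernel audit records of the form the thread shows and suppress only
the sshd key-destroy events, instead of disabling audit entirely."""
import re
from datetime import datetime, timezone

# Subset of audit record type numbers; 2404 is CRYPTO_KEY_USER, the record
# sshd emits when it creates or zeroes a key.
AUDIT_TYPES = {
    1100: "USER_AUTH",
    1101: "USER_ACCT",
    1105: "USER_START",
    1106: "USER_END",
    1112: "USER_LOGIN",
    2404: "CRYPTO_KEY_USER",
    2407: "CRYPTO_SESSION",
}

UNSET = 4294967295  # (unsigned)-1: no login uid / session has been assigned

_HEAD = re.compile(
    r"type=(?P<type>\d+)\s+audit\((?P<ts>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)"
)
# key=value, where value is either a single-quoted blob (the msg='...' field)
# or a run of non-space characters (fingerprints, "?", quoted paths)
_FIELD = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_audit(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = _HEAD.search(line)
    if not m:
        return None
    rtype = int(m.group("type"))
    rec = {
        "type": rtype,
        "type_name": AUDIT_TYPES.get(rtype, "UNKNOWN"),
        "time": datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
    }
    fields = {}
    for key, val in _FIELD.findall(m.group("rest")):
        val = val.strip('"')
        if val.startswith("'") and val.endswith("'"):
            # msg='...' carries nested key=value pairs; flatten them into rec
            for k2, v2 in _FIELD.findall(val[1:-1]):
                fields[k2] = v2.strip('"')
        else:
            fields[key] = val
    for k in ("auid", "ses"):
        if k in fields and int(fields[k]) == UNSET:
            fields[k] = "unset"
    rec.update(fields)
    return rec


def is_noise(rec):
    """Hypothetical policy: drop only sshd zeroing its host key in a forked
    connection handler. Key creation and every other record type stay."""
    return (
        rec is not None
        and rec["type"] == 2404
        and rec.get("exe") == "/usr/sbin/sshd"
        and rec.get("op") == "destroy"
        and rec.get("kind") == "server"
    )


def filter_log(lines):
    """Return (kept, dropped) lists of the original lines."""
    kept, dropped = [], []
    for line in lines:
        (dropped if is_noise(parse_audit(line)) else kept).append(line)
    return kept, dropped


FP = ("SHA256:c3:77:02:0b:2c:82:43:05:c5:50:ff:e6:99:f1:3f:1a:"
      "1d:6a:51:b7:a4:cb:45:55:37:66:95:46:51:9b:80:d2")

# Constructed sample input. The first line is the record quoted in the thread,
# rejoined onto the single line syslog actually writes; the other two are made up.
SAMPLE_LOG = [
    "Sep 26 14:40:56 alex kernel: audit: type=2404 audit(1474915256.442:724): "
    "pid=3297 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server "
    f"fp={FP} direction=? spid=3297 suid=0  exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=107.155.77.2 terminal=? res=success'",
    # the same key being loaded (constructed): worth keeping
    "Sep 26 14:40:55 alex kernel: audit: type=2404 audit(1474915255.100:723): "
    "pid=3297 uid=0 auid=4294967295 ses=4294967295 msg='op=create kind=server "
    f"fp={FP} direction=? spid=3297 suid=0  exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=107.155.77.2 terminal=? res=success'",
    # a failed password login (constructed): must never be dropped
    "Sep 26 14:41:02 alex kernel: audit: type=1112 audit(1474915262.001:725): "
    "pid=3310 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=\"root\" "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=107.155.77.2 terminal=ssh res=failed'",
]

if __name__ == "__main__":
    kept, dropped = filter_log(SAMPLE_LOG)
    for line in kept:
        r = parse_audit(line)
        print(r["serial"], r["type_name"], r.get("op"), r.get("res"))
    print(f"dropped {len(dropped)} sshd key-destroy record(s)")
```

The same selection (type 2404, exe sshd, op=destroy) is what you would encode in an rsyslog filter or an auditd plugin rule if you want the noise out of /var/log/messages; what the example shows is that the records are structured enough to filter on, so there is no need to lose the login and key-creation events along with them.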
