On Tue, 2016-09-27 at 09:09 +0200, Jakub Jelen wrote:
> On 09/27/2016 02:22 AM, Alex wrote:
> >
> > Hi,
> >
> > On Mon, Sep 26, 2016 at 2:53 PM, Patrick O'Callaghan
> > <pocallaghan@xxxxxxxxx> wrote:
> > >
> > > On Mon, 2016-09-26 at 14:46 -0400, Alex wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I recall seeing an rsyslog entry to prevent these messages from
> > > > filling my messages logs, but it no longer appears to work with f24.
> > > > Is there a more specific method to disable audit messages?
> > > >
> > > > Sep 26 14:40:56 alex kernel: audit: type=2404
> > > > audit(1474915256.442:724): pid=3297 uid=0 auid=4294967295
> > > > ses=4294967295 msg='op=destroy kind=server
> > > > fp=SHA256:c3:77:02:0b:2c:82:43:05:c5:50:ff:e6:99:f1:3f:1a:1d:6a:51:b7:a4:cb:45:55:37:66:95:46:51:9b:80:d2
> > > > direction=? spid=3297 suid=0 exe="/usr/sbin/sshd" hostname=?
> > > > addr=107.155.77.2 terminal=? res=success'
> > > >
> > > > I'm not using selinux, and have enabled rsyslog. They're just not helpful to me.
> > >
> > > Edit /etc/default/grub. Look for the line beginning GRUB_CMDLINE_LINUX.
> > > Add "audit=0" to the end of that line. Run:
> > >
> > > grub2-mkconfig --output /boot/grub2/grub.cfg
> > >
> > > Audit will be turned off when you reboot. To turn it off without
> > > rebooting, do:
> > >
> > > auditctl -e 0
> >
> > Thanks very much, very helpful. What is the reason this is enabled by
> > default? Don't other people find it obnoxious and unhelpful?
> >
> > How does this information help the average sysadmin?
>
> Audit is not just a log. For that reason, it is not dumped to the same
> files (/var/log/secure, /var/log/messages) as other logs, but into a
> separate file (/var/log/audit/audit.log), when you have auditd running
> (if you stop that, it is dumped into the messages, which might be
> confusing).
>
> It keeps track of actions that were performed somewhere on a lower level
> than an "average sysadmin" might need. In the first place, they are needed for
> the certifications in some environments. In the second place, it is helpful
> when you seek more specific actions that were performed in the past.

I don't think anyone is against the idea of auditing per se. The problem
with the implementation is that a) audit lines overwhelm everything else
in the journal, and b) they are very hard to interpret without a *lot* of
background reading, i.e. they are genuinely useless for most people other
than professional sysadmins. Having them on by default just means a huge
waste of space and a good deal of frustration.

poc
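The GRUB step Patrick describes (append audit=0 to GRUB_CMDLINE_LINUX in /etc/default/grub, then regenerate grub.cfg) is easy to get wrong by hand: a second edit duplicates the token, and a line with an empty "" value picks up a stray leading space. The shell helpers below are an added example, not code from this thread or from Fedora; the function names are my own, and the demo at the end runs against a constructed temporary copy of the file rather than the real /etc/default/grub. Running grub2-mkconfig afterwards is left to the operator exactly as Patrick states it.

```shell
#!/bin/sh
# Added example, not code from the thread. Idempotent helpers that add or
# remove one kernel parameter (e.g. audit=0) on the GRUB_CMDLINE_LINUX line
# of a /etc/default/grub-style file. Function names are my own; the demo at
# the bottom works on a constructed temporary copy, never on /etc/default/grub.
set -eu

# grub_cmdline FILE: print the current value between the quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1"
}

# grub_param_present FILE PARAM: succeed if PARAM is already a whole token.
grub_param_present() {
    for tok in $(grub_cmdline "$1"); do      # word splitting is intended here
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# grub_param_add FILE PARAM: append PARAM once; handles an empty "" value.
grub_param_add() {
    grub_param_present "$1" "$2" && return 0
    tmp=$(mktemp)
    awk -v p="$2" '
        /^GRUB_CMDLINE_LINUX="/ {
            sub(/"$/, "")                                     # drop the closing quote
            if ($0 ~ /="$/) { $0 = $0 p } else { $0 = $0 " " p }  # no space after an empty value
            $0 = $0 "\""
        }
        { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"   # cat, not mv: keeps the target file's mode and owner
}

# grub_param_remove FILE PARAM: drop every token equal to PARAM.
grub_param_remove() {
    tmp=$(mktemp)
    awk -v p="$2" '
        /^GRUB_CMDLINE_LINUX="/ {
            val = substr($0, 21); sub(/"$/, "", val)          # strip 20-char prefix and closing quote
            n = split(val, tok, " "); out = ""
            for (i = 1; i <= n; i++)
                if (tok[i] != p && tok[i] != "") out = out (out == "" ? "" : " ") tok[i]
            $0 = "GRUB_CMDLINE_LINUX=\"" out "\""
        }
        { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a constructed copy of a typical Fedora /etc/default/grub.
demo_file=$(mktemp)
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX="rhgb quiet"\n' > "$demo_file"
grub_param_add "$demo_file" audit=0
grub_param_add "$demo_file" audit=0                 # second call is a no-op
echo "after add:    $(grub_cmdline "$demo_file")"   # rhgb quiet audit=0
grub_param_remove "$demo_file" audit=0
echo "after remove: $(grub_cmdline "$demo_file")"   # rhgb quiet
rm -f "$demo_file"
```

Before reaching for audit=0 at all, note Jakub's point above: with auditd running the records land in /var/log/audit/audit.log and stop cluttering /var/log/messages, so starting auditd keeps the audit trail while solving the noise complaint; `auditctl -s` reports whether auditing is currently enabled, and `auditctl -e 0` is the runtime counterpart of the boot-time flag.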