The Geek Diary

Auditd Messages Are Filling Up /var/log/messages

by admin

The Problem

On the server, audit records like the following are filling up the /var/log/messages file:

type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'

The Solution

auditd is the userspace daemon of the Linux Audit framework (the audit package). It is not part of SELinux, although SELinux AVC denials are delivered through the same kernel audit subsystem. When auditd is running, the kernel hands every audit record to it and auditd writes the record to /var/log/audit/audit.log (the log_file setting in /etc/audit/auditd.conf); nothing goes to /var/log/messages. If the kernel audit subsystem is enabled but no auditd process is connected to drain it, the kernel prints the records to the kernel log instead, and rsyslog then writes those kernel messages to /var/log/messages. The lines above show that path: the kernel-log format carries the numeric type=1101, whereas auditd writes the textual type=USER_ACCT, and the low serial numbers (3 through 7) show the records were generated right after boot, before auditd had started. With audit=1 on the kernel command line, auditing is switched on from the first moment of boot, so anything that runs before auditd (here, a su to root on the console) is logged this way. These lines are not debug output; they are the audit trail of a root session, so decide whether that trail can be discarded before following the steps below, which stop audit records from being logged into /var/log/messages by turning auditing off.

1. Check the kernel boot parameters in /etc/grub.conf (CentOS/RHEL 6 and Oracle Linux 6 with GRUB legacy):

title Oracle Linux Server Unbreakable Enterprise Kernel (3.8.13-16.2.1.el6uek.x86_64)
root (hd0,0)
kernel /vmlinuz-3.8.13-16.2.1.el6uek.x86_64 ro root=/dev/mapper/vg_lnxovmsan2076-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_lnxovmsan2076/lv_root rd_LVM_LV=vg_lnxovmsan2076/lv_swap rd_NO_DM rhgb quiet audit=1
initrd /initramfs-3.8.13-16.2.1.el6uek.x86_64.img

2. The last kernel boot parameter is audit=1. It switches kernel auditing on from the very start of boot, before auditd runs, which is what sends the early-boot records to the kernel log and from there to /var/log/messages. Hardening guides (for example the CIS benchmark) recommend audit=1 precisely so that processes started before auditd are audited, so remove it only if that coverage is not required. To remove it, delete audit=1 from the kernel line and save the file. On CentOS/RHEL 7 the parameter lives in GRUB_CMDLINE_LINUX in /etc/default/grub; edit it there and then run grub2-mkconfig -o /boot/grub2/grub.cfg.

3. If auditing is not needed on the server at all, stop the auditd service and disable it at boot. Do this together with step 2: a stopped daemon with kernel auditing still enabled is exactly the state that routes records into /var/log/messages, and once auditd is disabled nothing will write /var/log/audit/audit.log any more.

# service auditd status
auditd (pid 3643) is running...
# service auditd stop
# chkconfig auditd off

On CentOS/RHEL 7 use service auditd stop as well (the unit is marked RefuseManualStop, so systemctl stop auditd is rejected) and systemctl disable auditd to keep it from starting at boot.

4. Another option is to keep the auditd service installed but turn the kernel audit subsystem off from the rules file. Edit /etc/audit/audit.rules, which starts with:

# First rule - delete all
-D

Replacing that -D with -e 0 works, but it is cleaner to keep -D (it only flushes the currently loaded rules) and add -e 0 after it:

# First rule - delete all
-D
-e 0

-e 0 disables auditing at the moment auditd loads the rules file. Records produced before that point, in particular during early boot when audit=1 is set, are still generated and still go to the kernel log, so this option on its own does not remove lines like the ones shown above. -e 1 re-enables auditing and -e 2 locks the configuration until the next reboot.

5. Save the file and restart the auditd service:

# service auditd restart

These steps stop audit records from reaching /var/log/messages by switching auditing off. If you want to keep the records but not in /var/log/messages, do the opposite: leave audit=1 in place and make sure auditd is enabled at boot (chkconfig auditd on, or systemctl enable auditd on CentOS/RHEL 7) so that the daemon drains the records into /var/log/audit/audit.log as soon as it starts; only the handful of records generated between kernel start and auditd start will still show up in the kernel log.
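As an added diagnostic (example code written for this article, not from the original post or from the audit project), the following POSIX shell script checks the two things the explanation above turns on: whether lines in /var/log/messages are kernel-audit records that bypassed auditd (numeric type= plus audit(<seconds>:<serial>)), and whether auditctl -s reports auditing enabled with no daemon attached. The /var/log/messages excerpt and the two auditctl -s outputs embedded in it are constructed; the hostname host1 and the auditd startup line are placeholders, and the field names read from auditctl -s are the ones printed by audit 2.x.

```shell
#!/bin/sh
# audit_leak_check.sh - added example, not part of the original article.
# Shows whether lines in /var/log/messages are kernel-audit records that
# bypassed auditd, which record types they are, and whether the kernel audit
# subsystem currently has a daemon attached. All sample input below is
# constructed; host1 and the auditd startup line are placeholders.

# Map the numeric record types the kernel prints to the names auditd writes
# in /var/log/audit/audit.log.
audit_type_name() {
    case "$1" in
        1100) echo USER_AUTH ;;
        1101) echo USER_ACCT ;;
        1103) echo CRED_ACQ ;;
        1104) echo CRED_DISP ;;
        1105) echo USER_START ;;
        1106) echo USER_END ;;
        1400) echo AVC ;;
        *)    echo "UNKNOWN($1)" ;;
    esac
}

# Only the kernel-log path produces "type=<number> audit(<sec>.<ms>:<serial>)";
# auditd and the audisp syslog plugin write textual types (type=USER_ACCT).
KERNEL_AUDIT_RE='type=[0-9]+ audit\([0-9]+\.[0-9]+:[0-9]+\)'

# Count records on stdin that took the kernel-log path.
count_leaked_records() {
    grep -cE "$KERNEL_AUDIT_RE"
}

# Print "<serial> <type> <name>" for each such record on stdin. Low serials
# (the article shows 3..7) mean the records were generated right after boot,
# before auditd was running.
list_leaked_records() {
    sed -nE 's/.*type=([0-9]+) audit\([0-9]+\.[0-9]+:([0-9]+)\).*/\2 \1/p' |
    while read -r serial rtype; do
        echo "$serial $rtype $(audit_type_name "$rtype")"
    done
}

# Interpret the multi-line output of `auditctl -s` (audit 2.x format), passed
# in as text so the function can be exercised offline. "enabled 1" together
# with "pid 0" is the leaking state: auditing is on, no daemon is draining it.
daemon_state() {
    enabled=$(printf '%s\n' "$1" | awk '$1 == "enabled" { print $2 }')
    pid=$(printf '%s\n' "$1" | awk '$1 == "pid" { print $2 }')
    if [ "$enabled" = "0" ]; then
        echo disabled
    elif [ "$pid" = "0" ]; then
        echo no-daemon
    else
        echo daemon-running
    fi
}

# Constructed /var/log/messages excerpt: the article's five records with a
# syslog prefix, followed by a constructed auditd startup line that must not
# be counted (auditd came up only after serial 7 was already in the kernel log).
sample_messages() {
    cat <<'EOF'
May 13 16:46:24 host1 kernel: type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:24 host1 kernel: type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:24 host1 kernel: type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:25 host1 kernel: type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:25 host1 kernel: type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:30 host1 auditd[1287]: Init complete, auditd 2.2 listening for events (startup state enable)
EOF
}

# Constructed `auditctl -s` outputs for the two states you will meet.
STATUS_NO_DAEMON='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 320
lost 0
backlog 0'

STATUS_HEALTHY='enabled 1
failure 1
pid 1287
rate_limit 0
backlog_limit 320
lost 0
backlog 0'

echo "kernel-audit records that bypassed auditd: $(sample_messages | count_leaked_records)"
sample_messages | list_leaked_records
echo "auditctl -s (no daemon): $(daemon_state "$STATUS_NO_DAEMON")"
echo "auditctl -s (healthy):   $(daemon_state "$STATUS_HEALTHY")"
# On a live host:  grep -E "$KERNEL_AUDIT_RE" /var/log/messages | list_leaked_records
#                  daemon_state "$(auditctl -s)"
```

If the second check prints no-daemon on a live host while the first finds records, the fix is to get auditd started and enabled at boot rather than to silence the records. If auditd is healthy and you only want the few early-boot lines out of /var/log/messages, rsyslog can discard them before its /var/log/messages rule; on the rsyslog 5 shipped with CentOS/RHEL 6 the legacy filter `:msg, contains, "audit(" ~` does that (assumed legacy filter syntax, not from the original article).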

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux
