The Geek Diary

Auditd Messages Are Filling Up /var/log/messages

by admin

The Problem

On the server, audit records are filling up /var/log/messages. They are PAM account, session and credential events, here generated every time su is run:

type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'

The Solution

auditd is the user-space daemon of the Linux Audit framework (the audit package); it is not part of SELinux, although SELinux AVC denials are one of the event sources it records. The lines above are not debug output: they are PAM audit records (type 1101 USER_ACCT, 1103 CRED_ACQ, 1104 CRED_DISP, 1105 USER_START and 1106 USER_END) written each time su opens and closes a session. Normally auditd reads these records from the kernel's audit netlink socket and stores them in /var/log/audit/audit.log. When the kernel audit subsystem is enabled (for example by audit=1 on the kernel command line) but no auditd is consuming the records, the kernel prints them itself through the kernel log and rsyslog delivers them to /var/log/messages. The steps below stop that, but read them as a set: step 2 alone only stops the kernel from enabling audit before auditd starts, step 3 removes the daemon and helps only if the audit subsystem is no longer enabled (otherwise every record simply keeps going to the kernel log), and step 4 disables the audit subsystem explicitly. All three throw away the audit trail, which most hardening baselines require to be kept, so the usual preferred fix is to leave auditd running so the records go to audit.log instead. If records reach /var/log/messages while auditd is running and audit.log is filling as well, check whether the audisp syslog plugin is forwarding them (active = yes in /etc/audisp/plugins.d/syslog.conf) and set it to no.

1. Check the kernel boot parameters in /etc/grub.conf (RHEL/Oracle Linux 6; on RHEL 7 the equivalent is GRUB_CMDLINE_LINUX in /etc/default/grub, applied with grub2-mkconfig -o /boot/grub2/grub.cfg):

title Oracle Linux Server Unbreakable Enterprise Kernel (3.8.13-16.2.1.el6uek.x86_64)
root (hd0,0)
kernel /vmlinuz-3.8.13-16.2.1.el6uek.x86_64 ro root=/dev/mapper/vg_lnxovmsan2076-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_lnxovmsan2076/lv_root rd_LVM_LV=vg_lnxovmsan2076/lv_swap rd_NO_DM rhgb quiet audit=1
initrd /initramfs-3.8.13-16.2.1.el6uek.x86_64.img

2. The kernel line ends with audit=1, which turns the kernel audit subsystem on at boot, before auditd is running. Remove that option and save the file. The change takes effect at the next reboot; the parameters the running kernel was booted with can be inspected with cat /proc/cmdline.

3. If auditd is not needed on the server at all, stop the service and disable it at boot (on RHEL 7 use systemctl disable auditd, and still stop it with service auditd stop, because the unit refuses a manual stop through systemctl). Do this only together with step 2 or step 4: with the audit subsystem still enabled and no daemon reading it, the kernel keeps printing every record to /var/log/messages.

# service auditd status
auditd (pid 3643) is running...
# service auditd stop
# chkconfig auditd off

4. Another option is to keep auditd installed but disable the audit subsystem through its rules. -e 0 turns auditing off entirely, so no records are generated for audit.log or for /var/log/messages (do not confuse it with -e 2, which locks the configuration until reboot). Edit /etc/audit/audit.rules (on RHEL 7, /etc/audit/rules.d/audit.rules) and change the line:

# First rule - delete all
-D

change that to

# First rule - delete all
-e 0

5. Save the file and restart the auditd service so the rules are reloaded (service auditd restart also works on RHEL 7). Afterwards auditctl -s should report the audit subsystem as disabled (enabled 0).

# service auditd restart

This stops the audit records reaching /var/log/messages. Keep in mind that it also stops them reaching /var/log/audit/audit.log: the records are discarded, not relocated.
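Before disabling anything, it is worth knowing which records are leaking, what is producing them, and which of the states above the host is in. The following script is an added triage helper and is not part of the original article: it classifies the audit record types found in a syslog file, lists the executables named in them, checks a kernel command line for audit=1, and states where records end up for a given audit state. The sample log is constructed from the article's lines (wrapped in syslog framing, plus a second session from crond and one unrelated line); on a real host pass /var/log/messages, "$(cat /proc/cmdline)" and the enabled value from auditctl -s instead.

```bash
#!/usr/bin/env bash
# Added triage helper for audit records that leak into syslog.
# Not part of the original article; the sample log below is constructed.
set -u

# Standard Linux audit record type numbers (linux/audit.h) common in PAM floods.
audit_type_name() {
    case "$1" in
        1100) echo USER_AUTH ;;
        1101) echo USER_ACCT ;;
        1103) echo CRED_ACQ ;;
        1104) echo CRED_DISP ;;
        1105) echo USER_START ;;
        1106) echo USER_END ;;
        1112) echo USER_LOGIN ;;
        1113) echo USER_LOGOUT ;;
        1400) echo AVC ;;
        *)    echo UNKNOWN ;;
    esac
}

# Print "type name count" for every audit record type in a syslog file.
# Only lines carrying the audit(<epoch>.<ms>:<serial>) stamp are considered,
# so unrelated lines that happen to contain "type=" are ignored.
count_audit_records() {
    grep 'audit([0-9]*\.[0-9]*:[0-9]*)' "$1" |
        grep -o 'type=[0-9]*' | cut -d= -f2 | sort -n | uniq -c |
        while read -r count type; do
            printf '%s %s %s\n' "$type" "$(audit_type_name "$type")" "$count"
        done
}

# Distinct executables named in the leaked records: tells you which service
# (su, sshd, crond, ...) is generating the flood.
noisy_exes() {
    grep 'audit([0-9]*\.[0-9]*:[0-9]*)' "$1" |
        grep -o 'exe="[^"]*"' | cut -d'"' -f2 | sort -u
}

# Return 0 if a kernel command line enables audit at boot (audit=1).
cmdline_has_audit() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Where records land, given the kernel's enabled flag (the "enabled" value
# printed by auditctl -s, 0 or 1) and whether auditd is running (yes/no).
where_records_go() {
    if [ "$1" = 0 ]; then
        echo "dropped: kernel audit is disabled"
    elif [ "$2" = yes ]; then
        echo "/var/log/audit/audit.log via auditd"
    else
        echo "kernel log via printk, delivered by syslog to /var/log/messages"
    fi
}

# Constructed sample: the article's records in syslog framing, a second
# session opened by crond, and one unrelated line. Not captured from a host.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
May 13 17:46:24 host kernel: type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 17:46:24 host kernel: type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 17:46:24 host kernel: type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 17:46:25 host kernel: type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 17:46:25 host kernel: type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 17:47:01 host kernel: type=1105 audit(1431535621.002:8): user pid=2501 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
May 13 17:47:01 host rsyslogd: [origin software="rsyslogd"] type=unrelated start
EOF

count_audit_records "$SAMPLE_LOG"
noisy_exes "$SAMPLE_LOG"
where_records_go 1 no
```

On the sample the counts show five record types with USER_START appearing twice, the executables are /bin/su and /usr/sbin/crond, and the state "audit enabled, auditd not running" is exactly the one that sends records to /var/log/messages. Run the same functions against the real files to confirm the diagnosis before removing audit=1 or disabling the daemon.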

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux



© 2022 · The Geek Diary
