The Problem
On the server, kernel audit records are filling up the /var/log/messages file. They look like this (one record per line; the type numbers are PAM account, session and credential events, not debug output):
type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
The Solution
auditd is the user-space daemon of the Linux Audit framework (the audit package); it is not part of SELinux. The kernel generates the audit records; auditd receives them and writes them to /var/log/audit/audit.log. When kernel auditing is enabled (audit=1 on the kernel command line) but no auditd is running to collect the records, the kernel prints them to its log buffer and syslog writes them to /var/log/messages. That is what is happening here. The records above are a legitimate audit trail of root su sessions (auid=4294967295 means the process has no login UID, i.e. it was not started from an audited login). If the server must keep an audit trail, the correct fix is to run auditd so the records land in /var/log/audit/audit.log; the steps below instead turn auditing off, which is only appropriate when it is not required.
1. Check the kernel boot parameters in /etc/grub.conf:
title Oracle Linux Server Unbreakable Enterprise Kernel (3.8.13-16.2.1.el6uek.x86_64)
        root (hd0,0)
        kernel /vmlinuz-3.8.13-16.2.1.el6uek.x86_64 ro root=/dev/mapper/vg_lnxovmsan2076-lv_root rd_NO_LUKS KEYBOARDTYPE=pc KEYTABLE=uk LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 rd_LVM_LV=vg_lnxovmsan2076/lv_root rd_LVM_LV=vg_lnxovmsan2076/lv_swap rd_NO_DM rhgb quiet audit=1
        initrd /initramfs-3.8.13-16.2.1.el6uek.x86_64.img
2. 'audit=1' at the end of the kernel line enables the kernel audit subsystem from early boot, before auditd starts. Remove this option from the boot parameters and save the file. The change takes effect at the next reboot; until then, auditctl -e 0 turns auditing off at runtime.
3. If auditd is not needed on the server, stop the auditd service and disable it at boot. Note that stopping auditd on its own does not stop the records: as long as kernel auditing stays enabled, the kernel keeps generating them and, with no auditd to collect them, they go to syslog. Stopping auditd is therefore only a fix together with step 2 (or step 4).
# service auditd status
auditd (pid 3643) is running...
# service auditd stop
# chkconfig auditd off
4. Another option is to keep auditd running but disable auditing in the kernel. Edit /etc/audit/audit.rules, which auditd loads with auditctl -R at start, and change the first rule:
# First rule - delete all
-D
to
# First rule - delete all
-e 0
'-e 0' sets the kernel audit enabled flag to 0, so no records are generated at all and none can reach syslog. (Keeping the -D line above it is harmless; it only flushes any rules already loaded.) Be aware that this disables the whole audit trail, not just the PAM records shown above.
5. Save the file and restart the auditd service so the rules are reloaded:
# service auditd restart
This stops audit records from reaching /var/log/messages. Afterwards auditctl -s should report enabled 0, and the count of lines containing 'audit(' in /var/log/messages should stop growing.
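As an added example (not part of the original post), the shell helpers below decode the record type numbers seen in the problem statement, read the audit= parameter out of a kernel command line, and summarise the audit records found in a syslog file. The sample log lines, the host name lnxovmsan2076 and the syslog timestamps are constructed from the records in the problem statement.

```shell
#!/bin/bash
# Added example, not from the original post: inspect why audit records are in
# syslog and what they contain. Sample data below is constructed.

# Name for an audit record type number. Only the user-space (PAM/login) record
# types that show up in /var/log/messages are listed; others are printed raw.
audit_type_name() {
    case "$1" in
        1100) echo USER_AUTH ;;
        1101) echo USER_ACCT ;;
        1103) echo CRED_ACQ ;;
        1104) echo CRED_DISP ;;
        1105) echo USER_START ;;
        1106) echo USER_END ;;
        1112) echo USER_LOGIN ;;
        1113) echo USER_LOGOUT ;;
        *)    echo "TYPE_$1" ;;
    esac
}

# Print the value of the audit= kernel parameter in a command line string,
# or "unset" if it is absent. Usage: kernel_audit_param "$(cat /proc/cmdline)"
kernel_audit_param() {
    local word
    for word in $1; do
        case "$word" in
            audit=*) echo "${word#audit=}"; return 0 ;;
        esac
    done
    echo unset
}

# Summarise the audit records in a syslog file: one "NAME count" line per
# record type, in type-number order. Only kernel-emitted records are counted
# (they carry "type=NNNN audit("); ordinary syslog lines are ignored.
summarise_audit_records() {
    sed -n 's/.*type=\([0-9][0-9]*\) audit(.*/\1/p' "$1" | sort | uniq -c |
    while read -r count type; do
        printf '%s %s\n' "$(audit_type_name "$type")" "$count"
    done
}

# Count records whose auid is 4294967295 (-1 as unsigned): the process has no
# login UID, i.e. it did not come from an audited login session.
count_unset_auid() {
    grep -c 'audit(.*auid=4294967295' "$1" || true
}

# Constructed sample of what rsyslog writes to /var/log/messages when kernel
# auditing is on but no auditd is collecting: the su session from the problem
# statement plus one unrelated cron line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 13 16:46:24 lnxovmsan2076 kernel: type=1101 audit(1431535584.561:3): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: accounting acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:24 lnxovmsan2076 kernel: type=1105 audit(1431535584.634:4): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session open acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:24 lnxovmsan2076 kernel: type=1103 audit(1431535584.646:5): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:25 lnxovmsan2076 kernel: type=1104 audit(1431535585.091:6): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: setcred acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:46:25 lnxovmsan2076 kernel: type=1106 audit(1431535585.099:7): user pid=2428 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='PAM: session close acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=console res=success)'
May 13 16:47:01 lnxovmsan2076 crond[2501]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# On a real server, point the summary at /var/log/messages instead of the sample.
echo "kernel audit= parameter: $(kernel_audit_param "$(cat /proc/cmdline 2>/dev/null)")"
summarise_audit_records "$SAMPLE_LOG"
echo "records with no login uid: $(count_unset_auid "$SAMPLE_LOG")"
```

Run on the affected server, the summary shows which PAM events are producing the noise, and the audit= line confirms whether the kernel parameter from step 2 is still in effect; pair it with auditctl -s, which reports the current enabled flag, to confirm the result of step 4.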