Bug 1349691
| Summary: | [Bug][RHEL7] audit logs are appearing in "/var/log/dmesg" | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Muhammad Azhar Shaikh <mdshaikh> |
| Component: | audit | Assignee: | Steve Grubb <sgrubb> |
| Status: | CLOSED ERRATA | QA Contact: | Ondrej Moriš <omoris> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.2 | CC: | omoris, pportant, sgrubb, systemd-maint-list |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | audit-2.6.1-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 06:13:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Muhammad Azhar Shaikh
2016-06-24 02:11:53 UTC
That fedora bug was about journal reading the kernel message directly. We don't do that in rhel: https://github.com/lnykryn/systemd-rhel/commit/5dee07f71ccaf8eacd115e01e665c645f7c3a75d

These are just normal log messages from audit daemon.

> These are just normal log messages from audit daemon.

Why are these messages going to "/var/log/dmesg"?

Do we have any workaround or mitigation steps to stop logging of normal log messages from audit daemon into "/var/log/dmesg"?

No, we need to store logs somewhere during the boot and disk might not be available at that point of time (for example in initrd). So we store those messages in kmsg.

I think we have an explained condition.

```
[ 2.847801] type=1305 audit(1466732821.470:4): audit_pid=620 old=0
```

This is caused by audit being active and no audit daemon running. The event is the audit daemon registering itself with the kernel.

```
# service auditd stop
Stopping logging: [ OK ]
```

This leaves the audit rules enabled unless configured properly. To disable the audit rules on exit, copy the auditd.service file to the right place in /etc and uncomment:

```
#ExecStopPost=/sbin/auditctl -D
```

That will delete audit rules when it shuts down.

audit-2.6.1-1.el7 should address this problem. The new package contains an audit-stop.rules file which contains rules to disable the audit subsystem and delete all rules. This should put an end to any events except AVC's and seccomp violations. It will not be enabled by default, but it can easily be configured by copying it to /etc/systemd/system and uncommenting the ExecStopPost line.

Successfully verified with audit-2.6.5-3.el7.

```
# rpm -q audit
audit-2.6.5-3.el7.x86_64
# grep ExecStopPost /usr/lib/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
# auditctl -w /etc/test/ -p rwxa -k test
# auditctl -l
-w /etc/test -p rwxa -k test
# service auditd stop
Stopping logging: [ OK ]
# auditctl -l
-w /etc/test -p rwxa -k test
# emacs /usr/lib/systemd/system/auditd.service
...
# grep ExecStopPost /usr/lib/systemd/system/auditd.service
ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
# systemctl daemon-reload
# service auditd start
Redirecting to /bin/systemctl start auditd.service
# auditctl -l
-w /etc/test -p rwxa -k test
# service auditd stop
Stopping logging: [ OK ]
# auditctl -l
No rules
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2418.html
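Added example, not part of the bug report or the audit package: a POSIX shell check for the condition the verification above walks through, i.e. whether an auditd unit file will actually run its ExecStopPost auditctl hook on stop (so rules are not left loaded), plus a helper that writes the activated copy the comments describe. The unit file content and the temporary paths are constructed for the demo; the stock unit path /usr/lib/systemd/system/auditd.service is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report or the audit project).

# Return 0 if the unit has an active (uncommented) ExecStopPost line that
# calls auditctl, meaning rules are flushed when the service stops.
audit_stop_hook_enabled() {
    grep -Eq '^[[:space:]]*ExecStopPost=.*auditctl' "$1"
}

# Write a copy of unit $1 to $2 with every commented-out ExecStopPost auditctl
# line activated; $2 would normally be /etc/systemd/system/auditd.service.
enable_audit_stop_hook() {
    sed -E 's/^[[:space:]]*#[[:space:]]*(ExecStopPost=.*auditctl)/\1/' "$1" > "$2"
}

# Constructed sample unit mirroring the stock line quoted in the bug.
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Security Auditing Service

[Service]
ExecStart=/sbin/auditd
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
EOF
}

# Stand-alone demo: report the state of the stock unit and of the activated copy.
demo() {
    dir=$(mktemp -d)
    write_sample_unit "$dir/auditd.service"
    if audit_stop_hook_enabled "$dir/auditd.service"; then
        echo "stock unit: rules are flushed on stop"
    else
        echo "stock unit: rules stay loaded after 'service auditd stop'"
    fi
    enable_audit_stop_hook "$dir/auditd.service" "$dir/override.service"
    if audit_stop_hook_enabled "$dir/override.service"; then
        echo "activated copy: rules are flushed on stop"
    fi
    rm -rf "$dir"
}

demo
```

On a real host, run `audit_stop_hook_enabled /usr/lib/systemd/system/auditd.service` (or the copy under /etc/systemd/system) and then `systemctl daemon-reload` after writing the activated copy, as the verification steps show.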