Bug 1449831
Summary: | audit has begun spamming virtual consoles with messages relating to logins | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David H. Gutteridge <dhgutteridge> |
Component: | audit | Assignee: | Steve Grubb <sgrubb> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | unspecified | | |
Version: | 25 | CC: | sgrubb |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-05-16 13:53:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
David H. Gutteridge
2017-05-10 20:17:32 UTC
I have no idea how this is happening. Audit events are read from the kernel into auditd and it writes them to disk. It never writes to consoles. Actually, auditd writes to stderr if it's launched with the '-f' command line option.

My environments are mostly stock Fedora 25 in terms of configuration. auditd isn't launched with the -f command line option (unless ps is lying to me). My auditd service file is:

```
$ more auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd.conf has tcp_listen_port enabled, copy this file to
## /etc/systemd/system/auditd.service and add network-online.target
## to the next line so it waits for the network to start before launching.
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation

[Service]
Type=forking
PIDFile=/var/run/auditd.pid
ExecStart=/sbin/auditd
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
# By default we don't clear the rules on exit. To enable this, uncomment
# the next line after copying the file to /etc/systemd/system/auditd.service
#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules

[Install]
WantedBy=multi-user.target
```

What happens if you stop journald or rsyslog? Auditd doesn't write to anything but the disk.

I rebooted before experimenting with stopping journald, and whatever was going on ended after the reboot. I can't duplicate this anymore.

I have no idea why it was happening and then stopped (at least for now), since I haven't made any configuration changes of late, and the package updates applied recently all seem to be completely unrelated. Looking back two boots ago, I can see it wasn't happening then, either, so it was specific to one time, it seems:

Kernel 4.10.14, up for a few days:

```
$ journalctl -k -b -2 | grep audit | wc
     55    1034   14428
```

Kernel 4.10.15, up for a couple of days:

```
$ journalctl -k -b -1 | grep audit | wc
    668   12179  182114
```

Kernel 4.10.15, up since this morning (with a bunch of logins, as per usual):

```
$ journalctl -k | grep audit | wc
     42     797   11077
```

This can be closed if need be, and I'll reopen if I experience this again. Thanks for your quick response!

OK. Thanks for checking on this. I will close it as the code that writes to the logging file hasn't changed much in a year. I'd almost bet it was journald related since it spams syslog with audit events.
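The per-boot `journalctl -k | grep audit | wc` counts in the thread compare audit message volume across boots by hand. As an added example (not part of the bug report or the audit project), the Python below does the same over constructed `journalctl -k`-style lines: it counts kernel-logged audit records per boot and per record type, reports what share of them are login-related, and flags a boot whose volume spikes against the others. The type numbers come from linux/audit.h; the sample lines, their counts and the spike factor are constructed assumptions.

```python
import re
import statistics
from collections import Counter

# Kernel-logged audit record as printed by `journalctl -k`:
#   "... kernel: audit: type=NNNN audit(secs.msec:serial): ..."
AUDIT_RE = re.compile(r"kernel: audit: type=(\d+) audit\(\d+\.\d+:\d+\):")
# Login-related user-space types (linux/audit.h): USER_AUTH, USER_ACCT, CRED_ACQ, USER_START, USER_END, USER_LOGIN.
LOGIN_TYPES = {1100, 1101, 1103, 1105, 1106, 1112}

def count_audit_records(lines):
    """Counter of audit type codes in one boot's kernel log (non-audit lines are ignored)."""
    by_type = Counter()
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            by_type[int(m.group(1))] += 1
    return by_type

def login_share(by_type):
    """Fraction of the audit records that are login-related (0.0 if there are none)."""
    total = sum(by_type.values())
    return sum(n for t, n in by_type.items() if t in LOGIN_TYPES) / total if total else 0.0

def flag_spikes(totals_by_boot, factor=5):
    """Boots whose audit-line total exceeds `factor` times the median of the other boots."""
    flagged = []
    for boot, total in totals_by_boot.items():
        others = [v for b, v in totals_by_boot.items() if b != boot]
        if others and total > factor * max(statistics.median(others), 1):
            flagged.append(boot)
    return flagged

def _constructed_boot(n_login, n_other):
    """Constructed kernel log for one boot: sshd PAM records, service starts, one noise line."""
    login = ("May 10 08:15:%02d host kernel: audit: type=1100 audit(1494411302.345:%d): pid=1234 uid=0 "
             "auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"user\" "
             "exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=ssh res=success'")
    other = ("May 10 08:15:%02d host kernel: audit: type=1130 audit(1494411300.100:%d): pid=1 uid=0 "
             "auid=4294967295 ses=4294967295 msg='unit=sshd comm=\"systemd\" res=success'")
    return ([login % (i % 60, i) for i in range(n_login)]
            + [other % (i % 60, i) for i in range(n_other)]
            + ["May 10 08:15:00 host kernel: random: crng init done"])

# Constructed logs sized to the audit line counts the reporter saw for boots -2, -1 and 0.
SAMPLE_BOOTS = {"-2": _constructed_boot(40, 15), "-1": _constructed_boot(650, 18), "0": _constructed_boot(30, 12)}

def analyse(boots=SAMPLE_BOOTS):
    totals = {b: sum(count_audit_records(lines).values()) for b, lines in boots.items()}
    return totals, flag_spikes(totals)
```

On a live system the same functions can be fed the output of `journalctl -k -b -N` for each boot of interest.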