Bug 161533 - audit whines on a console
Product: Fedora
Classification: Fedora
Component: kernel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: David Woodhouse
Reported: 2005-06-23 20:40 EDT by Michal Jaegermann
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-09-07 06:17:03 EDT
Description Michal Jaegermann 2005-06-23 20:40:38 EDT
Description of problem:

Every login on a console produces a series of messages like this:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see, the thingy is really repeatable without adding a shred
of new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'

On top of it, audit floods /var/log/messages with so much junk that
this log becomes totally unusable.

I thought that these were results of recent problems with the audit system,
but an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).

How reproducible:
All the time.
Comment 1 Steve Grubb 2005-06-24 15:35:23 EDT
This is a kernel problem. We are looking at solutions. 

In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.
Comment 2 Michal Jaegermann 2005-06-25 12:27:23 EDT
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in /var/log/audit/audit.log
and so far it looks like only there.

But 'service auditd start' elicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged.  It appears that somebody plays
fast and loose with signed and unsigned quantities.
Comment 3 Steve Grubb 2005-06-25 14:34:47 EDT
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.

Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and is likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
current rawhide.
Comment 4 Michal Jaegermann 2005-06-26 02:40:11 EDT
> Out of curiosity, which arch are you using? x86_64?

Yes, indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-)  This is -22 if you will make that signed,
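
Added example, not part of the bug report or of the audit project's code: a Python parser for the console records quoted in the description, which also decodes the two sentinel values that appear in this thread. It assumes auid=4294967295 is the kernel's unset login uid ((uid_t)-1) and maps the -22 from comment 4 to its errno name; all function names are made up for the example.

```python
import errno
import re
from datetime import datetime, timezone

UNSET_ID = 2**32 - 1  # (uid_t)-1: login uid was never set for this process

# Matches the kernel-relayed PAM records quoted in the report; the result
# field is optional because some quoted records are cut off before it.
RECORD = re.compile(
    r"audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\): user pid=(?P<pid>\d+) "
    r"uid=(?P<uid>\d+) auid=(?P<auid>\d+) msg='PAM (?P<op>[\w ]+?): "
    r"user=(?P<user>\S+) exe=\"(?P<exe>[^\"]+)\" \(hostname=[^,]*, "
    r"addr=[^,]*, terminal=(?P<tty>[^\s)]+)(?: result=(?P<result>[^)]*)\))?"
)

def parse_record(line):
    """Return a dict for one PAM audit record, or None if it does not match."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("serial", "pid", "uid", "auid"):
        rec[key] = int(rec[key])
    rec["time"] = datetime.fromtimestamp(int(rec.pop("ts")), tz=timezone.utc)
    rec["auid_unset"] = rec["auid"] == UNSET_ID
    return rec

def as_signed64(value):
    """Reinterpret an unsigned 64-bit number as two's-complement signed."""
    return value - 2**64 if value >= 2**63 else value

def errno_name(value):
    """Name the errno behind a negative return code that was printed unsigned."""
    return errno.errorcode.get(-as_signed64(value), "unknown")

# Records from the report above, with the console line wraps joined.
SAMPLE = [
    "audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM "
    "authentication: user=root exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1",
    "audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM "
    "bad_ident: user=? exe=\"/usr/bin/gdm-binary\" (hostname=?, addr=?, terminal=? "
    "result=User not known to the underlying authentication module)'",
]

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE):
        print(rec["time"].isoformat(), rec["pid"], rec["exe"], rec["op"],
              rec["result"], "auid unset" if rec["auid_unset"] else rec["auid"])
    print(as_signed64(18446744073709551594), errno_name(18446744073709551594))
```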
Comment 5 Steve Grubb 2005-07-01 07:25:09 EDT
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.
Comment 6 David Woodhouse 2005-09-07 06:17:03 EDT
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.
Comment 7 dee 2006-03-29 06:25:14 EST
I am having the same problem and it's months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it please...

Nice one for coming up with a solution...

