Red Hat Bugzilla – Bug 161533
audit whines on a console
Last modified: 2007-11-30 17:11:08 EST
Description of problem:
Every login on a console produces a series of messages like that:
audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)
As you can see the thingy is really repeatable without adding a shred
of new information.
Also starting gdm results in the following dumped to a console:
audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'
On top of it audit floods /var/log/messages with so much junk that
this log becomes totally unusable.
I thought that these were results of recent problems with the audit system,
but an update to the current ones does not clear the problem.
Version-Release number of selected component (if applicable):
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).
All the time.
This is a kernel problem. We are looking at solutions.
In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:
num_logs = 2
max_log_file = 1
This will occupy 2mb of disk space and remove the messages from the console.
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in /var/log/audit/audit.log
and so far it looks that only there.
But 'service auditd start' elicited the following error notification:
Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules
and /etc/audit.rules is as packaged. It appears that somebody plays
fast and loose with signed and unsigned quantities.
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.
Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and is likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
> Out of curiosity, which arch are you using? x86_64?
Yes, indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-) This is -22 if you will make that signed,
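Added example, not part of the original bug thread or of the audit project's code: a Python sketch that parses the console records quoted in the report and reinterprets the two large numbers seen in this thread as signed values. The regular expressions and function names are assumptions made for this illustration, and reading auid=4294967295 as an unset login UID is background knowledge rather than something the thread states.

```python
import errno
import re

# Two complete records copied from the report above, wrapped lines rejoined.
SAMPLE = [
    "audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session open: user=root exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 result=Success)'",
    "audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe=\"/usr/bin/gdm-binary\" (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)'",
]

# Hypothetical patterns for this example; they match only the layout shown on the page.
HEADER = re.compile(r"audit\((\d+\.\d+):(\d+)\): user pid=(\d+) uid=(\d+) auid=(\d+) msg='(.*)'$")
BODY = re.compile(r'PAM ([\w ]+): user=(\S+) exe="([^"]+)" '
                  r'\(hostname=([^,]+), addr=([^,]+), terminal=(\S+) result=(.*)\)$')

def to_signed(value, bits):
    """Reinterpret an unsigned integer as a two's-complement signed one."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value

def parse_record(line):
    """Return a dict for one console audit record, or None if it does not match."""
    head = HEADER.match(line.strip())
    body = BODY.match(head.group(6)) if head else None
    if body is None:
        return None  # truncated or differently shaped record
    op, user, exe, host, addr, tty, result = body.groups()
    auid = int(head.group(5))
    return {
        "serial": int(head.group(2)), "pid": int(head.group(3)),
        "uid": int(head.group(4)),
        # (uid_t)-1 printed as unsigned 32-bit: no login UID set for this process
        "auid": None if to_signed(auid, 32) == -1 else auid,
        "op": op, "user": user, "exe": exe, "terminal": tty, "result": result,
    }

def decode_unknown_error(value, bits=64):
    """Map an 'Unknown error <huge number>' value back to a negative errno."""
    code = to_signed(value, bits)
    return code, errno.errorcode.get(-code, "unknown")

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE):
        print(rec)
    print(decode_unknown_error(18446744073709551594))
```

Records that arrive truncated, like the first two in the report, do not match and come back as None instead of being half-parsed.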
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.
I am having the same problem and it's months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...
Nice one for coming up with a solution...