Bug 161533 - audit whines on a console
Summary: audit whines on a console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-24 00:40 UTC by Michal Jaegermann
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-09-07 10:17:03 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Michal Jaegermann 2005-06-24 00:40:38 UTC
Description of problem:

Every login on a console produces a series of messages like that:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see the thingy is really repeatable without adding a shred
of a new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'

On the top of it audit floods /var/log/messages with so much junk that
this logs becomes totally unusable.

I thought that this were results of recent problems with audit system
but after an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
audit-0.9.11-1
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).

How reproducible:
All the time.

Comment 1 Steve Grubb 2005-06-24 19:35:23 UTC
This is a kernel problem. We are looking at solutions. 

In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.

Comment 2 Michal Jaegermann 2005-06-25 16:27:23 UTC
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log
and so far it looks that only there.

But 'service auditd start' ellicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged.  It appears that somebody plays
fast and loose with signed and unsigned quantities.

Comment 3 Steve Grubb 2005-06-25 18:34:47 UTC
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.

Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
current rawhide.

Comment 4 Michal Jaegermann 2005-06-26 06:40:11 UTC
> Out of curiosity, which arch are you using? x86_64?

Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-)  This is -22 if you will make that signed,
0xffffffffffffffea.

Comment 5 Steve Grubb 2005-07-01 11:25:09 UTC
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.

Comment 6 David Woodhouse 2005-09-07 10:17:03 UTC
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.

Comment 7 dee 2006-03-29 11:25:14 UTC
I am having the same problem and its months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...

Nice one for coming up with a solution...

Thanks


Note You need to log in before you can comment on or make changes to this bug.