Red Hat Bugzilla – Bug 161533
audit whines on a console
Last modified: 2007-11-30 17:11:08 EST
Description of problem: Every login on a console produces a series of messages like that: audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success) As you can see the thingy is really repeatable without adding a shred of a new information. Also starting gdm results in the following dumped to a console: audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)' On the top of it audit floods /var/log/messages with so much junk that this logs becomes totally unusable. I thought that this were results of recent problems with audit system but after an update to the current ones does not clear the problem. Version-Release number of selected component (if applicable): audit-0.9.11-1 (audit-libs-0.9.11-1 are installed as some update pulled that in, unfortunately, but audit-0.9.11-1 package itself is not as nothing was requesting it). How reproducible: All the time.
This is a kernel problem. We are looking at solutions. In the meantime, you can try the following workaround. Install the audit package and configure /etc/auditd.conf to have: num_logs = 2 max_log_file = 1 This will occupy 2mb of disk space and remove the messages from the console.
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log and so far it looks that only there. But 'service auditd start' ellicited the following error notification: Error receiving watch list (Unknown error 18446744073709551594) There was an error in line 5 of /etc/audit.rules and /etc/audit.rules is as packaged. It appears that somebody plays fast and loose with signed and unsigned quantities.
The message that you are seeing is due to functionality mismatch. There will be a kernel released sometime in the future that will have the file system auditing patched in. The same message was reported in bugzilla #161322. Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit 0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The above error message wasn't specifically fixed, but may not be present in the current rawhide.
> Out of curiosity, which arch are you using? x86_64? Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to show up on 32-bits. :-) This is -22 if you will make that signed, 0xffffffffffffffea.
Reassigning bug. This problem is solved in the audit test kernels. The patches just need to go into the distributed kernels.
The latest kernels will filter out the audit messages, even though userspace really shouldn't be generating them unless specifically configured to do so.
I am having the same problem and its months later and just wanted to know if the patch was ever released... I am using Fedora Core 4... If it was released could you give me details of where to get it and how to install it plz... Nice one for coming up with a solution... Thanks