Bug 161533 – audit whines on a console

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 161533 - audit whines on a console

Summary:	audit whines on a console

Status:	CLOSED ERRATA

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	kernel (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	David Woodhouse
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2005-06-23 20:40 EDT by Michal Jaegermann
Modified:	2007-11-30 17:11 EST (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-09-07 06:17:03 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Michal Jaegermann 2005-06-23 20:40:38 EDT

Description of problem:

Every login on a console produces a series of messages like that:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see the thingy is really repeatable without adding a shred
of a new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'

On the top of it audit floods /var/log/messages with so much junk that
this logs becomes totally unusable.

I thought that this were results of recent problems with audit system
but after an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
audit-0.9.11-1
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).

How reproducible:
All the time.

Comment 1 Steve Grubb 2005-06-24 15:35:23 EDT

This is a kernel problem. We are looking at solutions. 

In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.

Comment 2 Michal Jaegermann 2005-06-25 12:27:23 EDT

Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log
and so far it looks that only there.

But 'service auditd start' ellicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged.  It appears that somebody plays
fast and loose with signed and unsigned quantities.

Comment 3 Steve Grubb 2005-06-25 14:34:47 EDT

The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.

Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
current rawhide.

Comment 4 Michal Jaegermann 2005-06-26 02:40:11 EDT

> Out of curiosity, which arch are you using? x86_64?

Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-)  This is -22 if you will make that signed,
0xffffffffffffffea.

Comment 5 Steve Grubb 2005-07-01 07:25:09 EDT

Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.

Comment 6 David Woodhouse 2005-09-07 06:17:03 EDT

The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.

Comment 7 dee 2006-03-29 06:25:14 EST

I am having the same problem and its months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...

Nice one for coming up with a solution...

Thanks

Note You need to log in before you can comment on or make changes to this bug.