Red Hat Bugzilla – Bug 165610
Debug output in console
Last modified: 2007-11-30 17:11:11 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b3) Gecko/20050729 Fedora/1.1-0.2.5.deerpark.alpha2 Firefox/1.0+ Description of problem: Ever since an audit-libs update a few months ago i've been seeing debug output on the console whenever i log in or right after boot. i was expecting this to be fixed soon, since its pretty annoying and obvious (i've also seen this on my brother's computer after i upgraded it from FC3 to FC4, so its not just my box), but since it doesnt seem likely that its gonna be fixed soon (its been there since at least the release of FC4), i'll just file it as bug report... below i've attached some text of what i see on the first console after i have booted my computer and logged in. Version-Release number of selected component (if applicable): audit-libs-1.0.2-1.FC4 How reproducible: Always Steps to Reproduce: 1. boot a computer running FC4 2. log in Actual Results: something that looks like debug output is displayed on the console Expected Results: there should not have been debug output on the console Additional info: Fedora Core release 4 (Stentz) Kernel 2.6.12.4-fbs on an i686 chii login: audit(1123700534.284:0): user pid=2163 uid=0 length=144 loginuid=4294967295 msg='PAM bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)' mephisto Password: audit(1123700866.235:0): user pid=1954 uid=0 length=104 loginuid=4294967295 msg='PAM authentication: user=mephisto exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700866.235:0): user pid=1954 uid=0 length=100 loginuid=4294967295 msg='PAM accounting: user=mephisto exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700866.236:0): user pid=1954 uid=0 length=100 loginuid=4294967295 msg='PAM session open: user=mephisto exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700866.237:0): user pid=1954 uid=0 length=96 loginuid=4294967295 msg='PAM setcred: user=mephisto exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)' Last login: Wed Aug 10 21:02:21 on :0 [mephisto@chii ~]$ su - Password: audit(1123700880.060:0): user pid=2493 uid=500 length=96 loginuid=4294967295 msg='PAM authentication: user=root exe="/bin/su" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700880.060:0): user pid=2493 uid=500 length=92 loginuid=4294967295 msg='PAM accounting: user=root exe="/bin/su" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700880.061:0): user pid=2493 uid=500 length=96 loginuid=4294967295 msg='PAM session open: user=root exe="/bin/su" (hostname=?, addr=?, terminal=tty1 result=Success)' audit(1123700880.061:0): user pid=2493 uid=500 length=88 loginuid=4294967295 msg='PAM setcred: user=root exe="/bin/su" (hostname=?, addr=?, terminal=tty1 result=Success)' [root@chii ~]#
This sounds like a kernel problem that might have been fixed. What kernel are you using? Do you have the audit daemon running?
i'm using a custom kernel, but the kernel wasn't the problem here. i didn't have the audit deamon installed. the problem went away after installing the audit package (i only had the libs) and starting the deamon. seems like it was just a dependency problem in the package then, cause the deamon doesn't get installed after an FC3->FC4 upgrade.
There is no dependency problem. The messages on the console stem from a kernel bug that may not have been patched. Installing the audit daemon was a temporary workaround that I was going to suggest.
What patch do i need to apply to my kernel to solve this problem? I'm using 2.6.12.4. And is that patch still necessary with the 2.6.13 series?
Most likely, kernel/audit.c, audit_receive_msg(), sb: case AUDIT_USER: case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG: if (!audit_enabled && msg_type != AUDIT_USER_AVC) return 0; I don't know if this is upstream yet.
Why was this reassigned to the kernel? It's userspace which is violating the Fedora policies about working (properly) with the upstream and older kernels as much as possible. We shouldn't be generating these audit messages in the default case -- they should be generated only when the system is explicitly configured to do so. This bug should probably be cloned and assigned to pam, sshd, crond, etc. Or possibly fixed in audit-libs.
This bug was assigned to the kernel since the kernel is missing the above patch. But after further review, the reporter is using a custom kernel. I really can't solve that problem. The design of the system depends on the kernel making the decision about how to disposition the audit event. Upstream should have all the audit patches soon. The bug reporter found a workaround, booting with audit=0 might also help.