Red Hat Bugzilla – Bug 235869
audit whines on a console
Last modified: 2007-11-30 17:07:29 EST
Looks like this bug hits me on RHEL4
Tracking down, since when the messages on my system appear, it was the first
time, I started the auditd:
boot.log tells me:
Mar 22 18:14:43 s auditd: auditd shutdown failed
Mar 22 18:14:43 s auditd: auditd startup succeeded
Mar 22 18:15:07 s auditd: auditd shutdown succeeded
Mar 22 18:15:56 s auditd: auditd startup succeeded
Mar 22 18:16:04 s auditd: auditd shutdown succeeded
Mar 22 18:16:09 s auditd: auditd startup succeeded
Mar 22 18:16:20 s auditd: auditd shutdown succeeded
Mar 22 18:21:24 s auditd: auditd shutdown failed
kernel log tells me:
Mar 22 18:15:07 s audit(1174583707.156:4085): audit_pid=0 old=15171 by
Since this first start of auditd, logging to kernel won't stop anymore, even if
auditd is stopped again.
Mar 22 18:20:01 s audit(1174584001.941:4103): user pid=15667...
Do I need to reboot the system now to stop this logging?
+++ This bug was initially created as a clone of Bug #161533 +++
Description of problem:
Every login on a console produces a series of messages like that:
audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)
As you can see the thingy is really repeatable without adding a shred
of a new information.
Also starting gdm results in the following dumped to a console:
audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'
On the top of it audit floods /var/log/messages with so much junk that
this logs becomes totally unusable.
I thought that this were results of recent problems with audit system
but after an update to the current ones does not clear the problem.
Version-Release number of selected component (if applicable):
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).
All the time.
-- Additional comment from firstname.lastname@example.org on 2005-06-24 15:35 EST --
This is a kernel problem. We are looking at solutions.
In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:
num_logs = 2
max_log_file = 1
This will occupy 2mb of disk space and remove the messages from the console.
-- Additional comment from email@example.com on 2005-06-25 12:27 EST --
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log
and so far it looks that only there.
But 'service auditd start' ellicited the following error notification:
Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules
and /etc/audit.rules is as packaged. It appears that somebody plays
fast and loose with signed and unsigned quantities.
-- Additional comment from firstname.lastname@example.org on 2005-06-25 14:34 EST --
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.
Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
-- Additional comment from email@example.com on 2005-06-26 02:40 EST --
> Out of curiosity, which arch are you using? x86_64?
Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-) This is -22 if you will make that signed,
-- Additional comment from firstname.lastname@example.org on 2005-07-01 07:25 EST --
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.
-- Additional comment from email@example.com on 2005-09-07 06:17 EST --
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.
-- Additional comment from firstname.lastname@example.org on 2006-03-29 06:25 EST --
I am having the same problem and its months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...
Nice one for coming up with a solution...
All the bugs that you copied into this bz have been solved long ago and should
not be relavent. If you do not want any audit messages at all, do not start the
audit daemon. You should not have any.
If you do want audit messages, you need to run the audit daemon and they will
not be in syslog. If the audit daemon is not running, they go to syslog as long
as the audit system is enabled. If you stop the audit daemon and want the audit
messages to stop, do "auditctl -e 0" to disable the audit system. That should do it.
I'm gonig to close this as NOTABUG since I don't see anything to fix. If there
is still something in particular that is a problem please re-open and I will
take a look.