Bug 235869 - audit whines on a console
audit whines on a console
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Eric Paris
Martin Jenner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-10 11:57 EDT by Peter Bieringer
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-10-01 15:19:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Peter Bieringer 2007-04-10 11:57:37 EDT
Looks like this bug hits me on RHEL4

kernel-2.6.9-42.0.10.EL

Tracking down, since when the messages on my system appear, it was the first
time, I started the auditd:

boot.log tells me:
Mar 22 18:14:43 s auditd: auditd shutdown failed
Mar 22 18:14:43 s auditd: auditd startup succeeded
Mar 22 18:15:07 s auditd: auditd shutdown succeeded
Mar 22 18:15:56 s auditd: auditd startup succeeded
Mar 22 18:16:04 s auditd: auditd shutdown succeeded
Mar 22 18:16:09 s auditd: auditd startup succeeded
Mar 22 18:16:20 s auditd: auditd shutdown succeeded
Mar 22 18:21:24 s auditd: auditd shutdown failed

kernel log tells me:
Mar 22 18:15:07 s audit(1174583707.156:4085): audit_pid=0 old=15171 by
auid=4294967295

Since this first start of auditd, logging to kernel won't stop anymore, even if
auditd is stopped again.
Mar 22 18:20:01 s audit(1174584001.941:4103): user pid=15667...

Do I need to reboot the system now to stop this logging?

+++ This bug was initially created as a clone of Bug #161533 +++

Description of problem:

Every login on a console produces a series of messages like that:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see the thingy is really repeatable without adding a shred
of a new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'

On the top of it audit floods /var/log/messages with so much junk that
this logs becomes totally unusable.

I thought that this were results of recent problems with audit system
but after an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
audit-0.9.11-1
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).

How reproducible:
All the time.

-- Additional comment from sgrubb@redhat.com on 2005-06-24 15:35 EST --
This is a kernel problem. We are looking at solutions. 

In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.

-- Additional comment from michal@harddata.com on 2005-06-25 12:27 EST --
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log
and so far it looks that only there.

But 'service auditd start' ellicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged.  It appears that somebody plays
fast and loose with signed and unsigned quantities.

-- Additional comment from sgrubb@redhat.com on 2005-06-25 14:34 EST --
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.

Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
current rawhide.

-- Additional comment from michal@harddata.com on 2005-06-26 02:40 EST --
> Out of curiosity, which arch are you using? x86_64?

Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-)  This is -22 if you will make that signed,
0xffffffffffffffea.

-- Additional comment from sgrubb@redhat.com on 2005-07-01 07:25 EST --
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.

-- Additional comment from dwmw2@redhat.com on 2005-09-07 06:17 EST --
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.

-- Additional comment from deedog@gmail.com on 2006-03-29 06:25 EST --
I am having the same problem and its months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...

Nice one for coming up with a solution...

Thanks
Comment 1 Steve Grubb 2007-06-04 20:16:48 EDT
All the bugs that you copied into this bz have been solved long ago and should
not be relavent. If you do not want any audit messages at all, do not start the
audit daemon. You should not have any.

If you do want audit messages, you need to run the audit daemon and they will
not be in syslog. If the audit daemon is not running, they go to syslog as long
as the audit system is enabled. If you stop the audit daemon and want the audit
messages to stop, do "auditctl -e 0" to disable the audit system. That should do it.
Comment 2 Eric Paris 2007-10-01 15:19:47 EDT
I'm gonig to close this as NOTABUG since I don't see anything to fix.  If there
is still something in particular that is a problem please re-open and I will
take a look.

Note You need to log in before you can comment on or make changes to this bug.