
Re: Problem with start of auditd on 2.6.13-2smp machine



Steve Grubb wrote:
> On Tuesday 10 January 2006 13:48, Lisa Giacchetti wrote:
>
>> Technically I do not need file system auditing. My primary goal is
>> to get rid of the thousands of messages in /var/log/messages of the
>> type:
>
> The patches that we sent upstream did not go in a terribly organized way. There was a patch specifically to stop user space originating audit messages when the audit system was disabled. I think you may need 2.6.14 to have that patch. In any event, the audit daemon enables auditing on startup. So, just doing "chkconfig --levels auditd 2345 off" should do it. The RHEL4 audit package shipped with the audit daemon disabled, so it got enabled somehow.

I did this first. ;-)

With audit-0.5-1 there is nothing to chkconfig off. (Makes sense if that
was an empty package.)
So I installed 1.0.3-6 which did have auditd chkconfig'd off by default.
And I rebooted. It did not work. Well, I should say that auditd is not running but the messages are still there.

>> The system is based on RHEL4. It comes with audit-0.5-1 and
>> audit-libs-1.0.3-6.EL4 installed.
>
> 0.5 was an empty package.

>> I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
>> moves the audit messages above to /var/log/audit/audit.log.
>> Even with the error at start, this is accomplished.
>
> Using 1.0.3 might be the best solution if you have a kernel without the patch to stop user space originating messages. Just set the log size low and tell it to suspend logging when the file gets too big.
>
> flush = INCREMENTAL
> freq = 50
> num_logs = 2
> max_log_file = 1
> max_log_file_action = SUSPEND

Won't I still have the problem of the error on start up?
It's like the -D option on line 5 is not a recognized option.
I really don't care about the error as long as I know that
things are configured to not really start auditing.
(Although it is slightly annoying and can be confusing for some
at boot time to see that if they are not used to the system.)
And as I said, starting auditd moves the messages to /var/log/audit/audit.log, which is fine. At least they are not
cluttering up /var/log/messages.

Thanks for all your help.

Lisa

> -Steve



--

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
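The size-limit settings Steve suggested, read back by a small script so the resulting on-disk cap is explicit. This is an added example, not code from the thread or from the audit project; the config text is constructed from the values quoted above, and the accepted option values are the ones auditd.conf(5) documents.

```python
# Added example: parse an auditd.conf fragment and state what the
# max_log_file / max_log_file_action settings mean for disk usage.
import re

# Constructed sample auditd.conf using the values quoted in the thread.
SAMPLE_CONF = """\
# constructed sample
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""

FLUSH_MODES = {"NONE", "INCREMENTAL", "DATA", "SYNC"}        # auditd.conf(5)
SIZE_ACTIONS = {"IGNORE", "SYSLOG", "SUSPEND", "ROTATE"}     # auditd.conf(5)

def parse_auditd_conf(text):
    """Return {key: VALUE} for 'key = value' lines; comments and blanks skipped."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'key = value' line: {line!r}")
        conf[m.group(1).lower()] = m.group(2).upper()
    if conf.get("flush") not in FLUSH_MODES:
        raise ValueError(f"unknown flush mode {conf.get('flush')}")
    if conf.get("max_log_file_action") not in SIZE_ACTIONS:
        raise ValueError(f"unknown max_log_file_action {conf.get('max_log_file_action')}")
    return conf

def log_size_policy(conf):
    """Worst-case size (MB) of audit.log plus rotated copies under these settings."""
    action = conf["max_log_file_action"]
    per_file = int(conf["max_log_file"])   # MB per log file
    num_logs = int(conf["num_logs"])       # files kept, only used by ROTATE
    if action == "ROTATE":
        cap = per_file * num_logs          # active file plus rotated copies
    elif action == "SUSPEND":
        cap = per_file                     # auditd stops writing; no rotation
    else:
        cap = None                         # IGNORE/SYSLOG: the file keeps growing
    return {"action": action, "cap_mb": cap, "stops_logging": action == "SUSPEND"}
```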

