audit messages when there's no audit daemon

Steve Grubb sgrubb at redhat.com
Sun Jun 19 18:12:21 UTC 2005


Hi,

I spent my weekend researching this:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160929

I think I have a solution for the original "I can't log in" problem. There is 
a new one, though. It seems that the user space audit messages go to the 
screen after login when they don't have an audit daemon running. This leads 
to 4 pam state messages immediately on login, messages when you run a trusted 
app like passwd, or whenever hwclock runs. This is not desirable.

Looking at the source code in audit.c, kauditd_thread:
printk(KERN_ERR "%s\n", skb->data + NLMSG_SPACE(0));


Do we need the priority level to be that high or should it be either: 

1) user adjustable: all message types same priority

2) only AVC, USER_AVC, & SE_LINUX_ERR get that level - everything else is  
LOG_INFO so that syslog can optionally discard the messages

3) both, meaning there are 3 knobs: SE Linux has user adjustable priority, file 
system and syscall has a user adjustable priority, and everything else has 
another.

I think we've overlooked this minor usability issue. It really is ugly when 
there's no audit daemon.

-Steve
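
A userspace model of options 2 and 3 from the message above, added here as an illustration; it is not code from the post or from the kernel. The struct and function names are hypothetical, the record type numbers are those in linux/audit.h, and treating the 1300-1399 range as the "file system and syscall" class is an assumption.

```c
#include <stdio.h>

/* syslog/printk severities: lower number = more severe */
enum { LVL_ERR = 3, LVL_INFO = 6 };

/* Record type numbers as defined in linux/audit.h */
enum { AUDIT_USER_AUTH = 1100, AUDIT_USER_AVC = 1107, AUDIT_SYSCALL = 1300,
       AUDIT_AVC = 1400, AUDIT_SELINUX_ERR = 1401 };

enum audit_class { CLASS_SELINUX, CLASS_FS_SYSCALL, CLASS_OTHER };

/* Hypothetical knobs for option 3: one priority per message class */
struct fallback_prio { int selinux, fs_syscall, other; };

/* Option 2 expressed as fixed knob values: only the SE Linux class stays at ERR */
static const struct fallback_prio option2 = { LVL_ERR, LVL_INFO, LVL_INFO };

static enum audit_class classify(int type)
{
    if (type == AUDIT_AVC || type == AUDIT_USER_AVC || type == AUDIT_SELINUX_ERR)
        return CLASS_SELINUX;
    if (type >= 1300 && type <= 1399)   /* assumption: kernel event records */
        return CLASS_FS_SYSCALL;
    return CLASS_OTHER;                 /* pam, passwd, hwclock and the rest */
}

/* Priority the no-daemon fallback path would use for this record type */
static int fallback_level(const struct fallback_prio *k, int type)
{
    switch (classify(type)) {
    case CLASS_SELINUX:    return k->selinux;
    case CLASS_FS_SYSCALL: return k->fs_syscall;
    default:               return k->other;
    }
}

/* Models a syslog rule that keeps only severities at or above 'threshold' */
static int syslog_keeps(int level, int threshold)
{
    return level <= threshold;
}

int main(void)
{
    static const int sample[] = { AUDIT_USER_AUTH, AUDIT_USER_AVC, AUDIT_SYSCALL, AUDIT_AVC };
    for (unsigned i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)   /* constructed input */
        printf("type=%d level=%d kept_at_err=%d\n", sample[i], fallback_level(&option2, sample[i]),
               syslog_keeps(fallback_level(&option2, sample[i]), LVL_ERR));
    return 0;
}
```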




More information about the Linux-audit mailing list