Problem with start of auditd on 2.6.13-2smp machine

Steve Grubb sgrubb at redhat.com
Tue Jan 10 19:13:47 UTC 2006


On Tuesday 10 January 2006 13:48, Lisa Giacchetti wrote:
>    Technically I do not need file system auditing. My primary goal is
> to get rid of the thousands of messages in /var/log/messages of the
> type:

The patches that we sent upstream did not go in a terribly organized way. 
There was a patch specifically to stop user space originating audit messages 
when the audit system was disabled. I think you may need 2.6.14 to have that 
patch. 

In any event, the audit daemon enables auditing on startup. So, just doing 
"chkconfig --levels auditd 2345 off" should do it. The RHEL4 audit package 
shipped with the audit daemon disabled, so it got enabled somehow.

> The system is based on RHEL4. It comes with audit-0.5-1 and
> audit-libs-1.0.3-6.EL4 installed.

0.5 was an empty package.

> I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
> moves the audit messages above to /var/log/audit/audit.log.
> Even with the error at start, this is accomplished.

Using 1.0.3 might be the best solution if you have a kernel without the patch 
to stop user space originating messages. Just set the log size low and tell 
it to suspend logging when the file gets too big.

flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND

-Steve
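As an added example (not part of Steve's mail or the audit package), a small check that parses an auditd.conf fragment like the one above and reports whether on-disk growth of audit.log is bounded; the sample text and helper names are constructed for illustration.

```python
"""Check an auditd.conf fragment for bounded audit.log growth.

Added example, not part of the mailing-list post; the sample text and
helper names are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed sample: the settings suggested in the mail above.
SAMPLE_CONF = """\
# /etc/audit/auditd.conf (constructed fragment)
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def log_growth_bound(conf: Dict[str, str]) -> Tuple[bool, Optional[int]]:
    """Return (bounded, max_megabytes_on_disk) for the configured action.

    max_log_file is in megabytes. SUSPEND stops writing at one file of that
    size (later records are not written to disk, so this trades completeness
    for a hard cap); ROTATE keeps at most num_logs files; IGNORE, SYSLOG and
    KEEP_LOGS let the log directory grow without an upper limit. A missing
    action is treated conservatively as unbounded.
    """
    action = conf.get("max_log_file_action", "").upper()
    size_mb = int(conf.get("max_log_file", "0"))
    if action == "SUSPEND":
        return True, size_mb
    if action == "ROTATE":
        return True, size_mb * int(conf.get("num_logs", "0"))
    return False, None


if __name__ == "__main__":
    settings = parse_auditd_conf(SAMPLE_CONF)
    bounded, cap_mb = log_growth_bound(settings)
    print(f"action={settings['max_log_file_action']} bounded={bounded} cap={cap_mb} MB")
```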