Problem with start of auditd on 2.6.13-2smp machine

Lisa Giacchetti lisa at fnal.gov
Tue Jan 10 19:31:26 UTC 2006


Steve Grubb wrote:
> On Tuesday 10 January 2006 13:48, Lisa Giacchetti wrote:
> 
>>   Technically I do not need file system auditing. My primary goal is
>>to get rid of the thousands of messages in /var/log/messages of the
>>type:
> 
> 
> The patches that we sent upstream did not go in a terribly organized way. 
> There was a patch specifically to stop user space originating audit messages 
> when the audit system was disabled. I think you may need 2.6.14 to have that 
> patch. 
> 
> In any event, the audit daemon enables auditing on startup. So, just doing 
> "chkconfig --levels auditd 2345 off" should do it. The RHEL4 audit package 
> shipped with the audit daemon disabled, so it got enabled somehow.
> 
I did this first. ;-)

With audit-0.5-1 there is nothing to chkconfig off. (Makes sense if that
was an empty package.)
So I installed 1.0.3-6, which did have auditd chkconfig'd off by default.
And I rebooted. It did not work. Well, I should say that auditd is not
running but the messages are still there.

> 
>>The system is based on RHEL4. It comes with audit-0.5-1 and
>>audit-libs-1.0.3-6.EL4 installed.
> 
> 
> 0.5 was an empty package.
> 
> 
>>I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
>>moves the audit messages above to /var/log/audit/audit.log.
>>Even with the error at start, this is accomplished.
> 
> 
> Using 1.0.3 might be the best solution if you have a kernel without the patch 
> to stop user space originating messages. Just set the log size low and tell 
> it to suspend logging when the file gets too big.
> 
> flush = INCREMENTAL
> freq = 50
> num_logs = 2
> max_log_file = 1
> max_log_file_action = SUSPEND
> 

Won't I still have the problem of the error on startup?
It's like the -D option on line 5 is not a recognized option.
I really don't care about the error as long as I know that
things are configured to not really start auditing.
(Although it is slightly annoying and can be confusing for some
at boot time to see that if they are not used to the system.)
And, as I said, starting auditd moves the messages to
/var/log/audit/audit.log, which is fine. At least they are not
cluttering up /var/log/messages.

Thanks for all your help.

Lisa

> -Steve



-- 

Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
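The auditd.conf settings suggested in the thread, as an added example (not code from the thread or from the audit project): a small Python parser for an auditd.conf fragment that reports the resulting disk footprint and whether the chosen max_log_file_action can drop events. The sample config is constructed from the values quoted above; key names follow auditd.conf(5), and treating them case-insensitively is an assumption of this example.

```python
"""Parse an auditd.conf fragment and summarise its log-size behaviour.

Added example, not code from the mailing-list thread or the audit project.
"""

# Constructed sample: the settings suggested in the thread plus a log_file.
SAMPLE_CONF = """\
# auditd.conf fragment (constructed for this example)
log_file = /var/log/audit/audit.log
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""

# Actions that stop writing the log without keeping events anywhere else.
LOSSY_ACTIONS = {"IGNORE", "SUSPEND"}


def parse_auditd_conf(text):
    """Return {key: value} with comments and blank lines skipped.

    Keys are lower-cased here for lookup (an assumption of this example).
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value
    return settings


def summarize_log_limits(settings):
    """Derive the approximate disk footprint (MB) and the loss risk."""
    num_logs = int(settings.get("num_logs", "0"))
    max_mb = int(settings.get("max_log_file", "0"))
    action = settings.get("max_log_file_action", "IGNORE").upper()
    # With ROTATE up to num_logs files of max_log_file MB may exist;
    # with any other action only the active file is ever written.
    footprint_mb = max_mb * (num_logs if action == "ROTATE" else 1)
    return {
        "max_disk_mb": footprint_mb,
        "action": action,
        "events_can_be_lost": action in LOSSY_ACTIONS,
    }
```

With the thread's settings the report shows a 1 MB ceiling and that SUSPEND silently stops recording, which is the trade-off being made there: the noise leaves /var/log/messages, but nothing past the first megabyte is kept.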



