excessive crond PAM messages in audit.log

Nicholas Nachefski nnachefski at gmail.com
Mon Nov 2 16:54:38 UTC 2009


I'm looking for a way to silence frequent messages attributed to crond in my
audit.log files.

Here is a snippet of the messages I would like to filter:

type=USER_ACCT msg=audit(10/20/2009 16:10:01.608:10196) : user pid=30783 uid=root auid=unset msg='PAM: accounting acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(10/20/2009 16:10:01.608:10197) : user pid=30783 uid=root auid=unset msg='PAM: setcred acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(10/20/2009 16:10:01.612:10199) : user pid=30783 uid=root auid=root msg='PAM: session open acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(10/20/2009 16:10:01.656:10200) : user pid=30783 uid=root auid=root msg='PAM: setcred acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(10/20/2009 16:10:01.656:10201) : user pid=30783 uid=root auid=root msg='PAM: session close acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'

I literally get tens of thousands of these a day in my consolidated
audit.log (via audisp-remote).  All five of these events get dumped to the
audit log every time crond is executed.

The reasoning behind this is that some of my customers are under regulations
that dictate security logs such as these are responded to and classified
within a certain time frame.  This is obviously a problem due to the
frequency of these messages.

I've looked over every associated PAM module and corresponding options with
no luck.  I also picked through as many auditd man pages as I could find.

The only thing I was able to dig up was the ability to 'exclude' certain
message types with an audit rule.

For example, I could exclude all USER_ACCT, CRED_ACQ, USER_START, CRED_DISP,
and USER_END message types, however, that would weaken the overall security
posture as some critical messages would get filtered.

Any help would be greatly appreciated.

Thanks!
-Nick
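One defender-side way to drop only the routine success sequence without excluding whole message types, written here as an added example (not code from the list or from the audit project): a small Python filter over the consolidated log that keeps every record whose exe, terminal or result differs from the crond / cron / success pattern. The sample records are constructed in the interpreted format shown above, one record per line; the failed accounting record and the sshd record are assumptions added to show what survives.

```python
import re

# Constructed sample in the interpreted format from the post (one record per line).
# The last two records are constructed extras: a failed crond accounting step and
# an sshd session, both of which must survive filtering.
SAMPLE = """\
type=USER_ACCT msg=audit(10/20/2009 16:10:01.608:10196) : user pid=30783 uid=root auid=unset msg='PAM: accounting acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(10/20/2009 16:10:01.608:10197) : user pid=30783 uid=root auid=unset msg='PAM: setcred acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(10/20/2009 16:10:01.612:10199) : user pid=30783 uid=root auid=root msg='PAM: session open acct=root : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=success)'
type=USER_ACCT msg=audit(10/20/2009 16:11:05.100:10250) : user pid=30901 uid=root auid=unset msg='PAM: accounting acct=bob : exe=/usr/sbin/crond (hostname=?, addr=?, terminal=cron res=failed)'
type=USER_START msg=audit(10/20/2009 16:12:00.000:10300) : user pid=31000 uid=root auid=root msg='PAM: session open acct=root : exe=/usr/sbin/sshd (hostname=host.example, addr=192.0.2.10, terminal=ssh res=success)'
"""

# The five PAM record types the post lists as noisy when crond runs a job.
NOISY_TYPES = {"USER_ACCT", "CRED_ACQ", "USER_START", "CRED_DISP", "USER_END"}

REC = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]+)\)")
# key=value pairs; values end at whitespace, a comma or a closing paren.
FIELD = re.compile(r"(?P<k>\w+)=(?P<v>[^\s,)]+)")


def parse_record(line):
    """Return a dict of the record's fields, or None if the line is not a record."""
    m = REC.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": m.group("ts")}
    for f in FIELD.finditer(line[m.end():]):
        rec.setdefault(f.group("k"), f.group("v"))
    return rec


def is_cron_noise(rec, exe="/usr/sbin/crond"):
    """True only for a successful PAM step issued by crond on the cron terminal.

    Failures (res != success) and any other executable are never treated as noise,
    so excluding whole message types is not needed."""
    return (rec["type"] in NOISY_TYPES
            and rec.get("exe") == exe
            and rec.get("terminal") == "cron"
            and rec.get("res") == "success")


def filter_audit(text):
    """Split interpreted audit text into (kept_lines, dropped_count)."""
    kept, dropped = [], 0
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and is_cron_noise(rec):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped
```

Running this over the sample drops the three routine crond records and keeps the failed accounting step and the sshd session.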

