scary syslog message (from audit ?)

Richard Guy Briggs rgb at redhat.com
Thu Mar 13 02:14:21 UTC 2014


On 14/03/12, Toralf Förster wrote:
> 
> Today I observed this in /var/log/messages with kernel 3.13.6 on a 32-bit Gentoo Linux:

You could try adding to /etc/audit/rules.d/audit.rules:

	-b 320

to increase the backlog limit (see: man auditctl)

> Mar 12 21:20:01 n22 crond[26813]: pam_unix(crond:session): session opened for user root by (uid=0)
> Mar 12 21:20:01 n22 kernel: type=1006 audit(1394655601.295:160): pid=26813 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=159 res=1
> Mar 12 21:20:01 n22 CROND[26816]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> Mar 12 21:20:01 n22 CROND[26813]: pam_unix(crond:session): session closed for user root
> Mar 12 21:29:01 n22 CROND[25166]: pam_unix(crond:session): session closed for user root
> Mar 12 21:30:01 n22 crond[30053]: pam_unix(crond:session): session opened for user root by (uid=0)
> Mar 12 21:30:01 n22 CROND[30055]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
> Mar 12 21:30:01 n22 kernel: audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
> Mar 12 21:30:01 n22 kernel: type=1006 audit(1394656201.313:161): pid=30053 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=161 res=1
> Mar 12 21:30:01 n22 kernel: audit: printk limit exceeded
> Mar 12 21:30:01 n22 kernel: new ses=149 res=1
> 1
> 1
>  @ 40000 KHz), (N/A, 2000 mBm)
> <6>cfg80211:   (5250000 KHz - 5350000 KHz @ 40000 KHz), (N/A, 2000 mBm)
> <6>cfg80211:   (5470000 KHz - 5725000 KHz @ 40000 KHz), (N/A, 2698 mBm)
> <6>cfg80211:   (57240000 KHz - 65880000 KHz @ 2160000 KHz), (N/A, 4000 mBm)
> 00 mBm)
> <6>cfg80211: Calling CRDA for country: DE
> ulatory domain
> <6>PM: freeze of devices complete after 342.951 msecs
> <6>PM: late freeze of devices complete after 0.286 msecs
> <6>PM: noirq freeze of devices complete after 1.715 msecs
> <6>ACPI: Preparing to enter system sleep state S4
> <6>PM: Saving platform NVS memory
> <4>Disabling non-boot CPUs ...
> <6>kvm: disabling virtualization on CPU1
> <6>smpboot: CPU 1 is now offline
> <6>kvm: disabling virtualization on CPU2
> <6>smpboot: CPU 2 is now offline
> <6>kvm: disabling virtualization on CPU3
> <6>smpboot: CPU 3 is now offline
> <6>PM: Creating hibernation image:
> <6>PM: Need to copy 152202 pages
> <6>PM: Restoring platform NVS memory
> <6>Enabling non-boot CPUs ...
> <6>x86: Booting SMP configuration:
> <6>smpboot: Booting Node 0 Processor 1 APIC 0x1
> <6>Initializing CPU#1
> <6>Disabled fast string operations
> <6>kvm: enabling virtualization on CPU1
> <6>CPU1 is up
> <6>smpboot: Booting Node 0 Processor 2 APIC 0x2
> <6>Initializing CPU#2
> <6>Disabled fast string operations
> <6>kvm: enabling virtualization on CPU2
> <6>CPU2 is up
> <6>smpboot: Booting Node 0 Processor 3 APIC 0x3
> <6>Initializing CPU#3
> <6>Disabled fast string operations
> <6>kvm: enabling virtualization on CPU3
> <6>CPU3 is up
> <6>ACPI: Waking up from system sleep state S4
> <6>thinkpad_acpi: EC reports that Thermal Table has changed
> <6>PM: noirq restore of devices complete after 23.354 msecs
> <6>PM: early restore of devices complete after 0.211 msecs
> <4>usb usb1: root hub lost power or was reset
> <7>e1000e 0000:00:19.0: irq 41 for MSI/MSI-X
> <4>usb usb2: root hub lost power or was reset
> <7>snd_hda_intel 0000:00:1b.0: irq 44 for MSI/MSI-X
> <7>ehci-pci 0000:00:1a.0: cache line size of 64 is not supported
> <7>ehci-pci 0000:00:1d.0: cache line size of 64 is not supported
> <6>[drm] Wrong MCH_SSKPD value: 0x16040307
> <6>[drm] This can cause pipe underruns and display issues.
> <6>[drm] Please upgrade your BIOS to fix this.
> <6>ata5: SATA link down (SStatus 0 SControl 300)
> <6>ata2: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
> <6>ata4: SATA link down (SStatus 0 SControl 300)
> <6>ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
> <7>ata1.00: ACPI cmd ef/02:00:00:00:00:a0 (SET FEATURES) succeeded
> <6>ata1.00: ACPI cmd f5/00:00:00:00:00:a0 (SECURITY FREEZE LOCK) filtered out
> 
> <6>ata1.00: ACPI cmd ef/10:03:00:00:00:a0 (SET FEATURES) filtered out
> <7>ata2.00: ACPI cmd e3/00:1f:00:00:00:a0 (IDLE) succeeded
> <6>usb 1-1: reset high-speed USB device number 2 using ehci-pci
> <7>ata2.00: ACPI cmd e3/00:02:00:00:00:a0 (IDLE) succeeded
> <6>ata2.00: ACPI cmd ef/10:03:00:00:00:a0 (SET FEATURES) filtered out
> <7>ata1.00: ACPI cmd ef/02:00:00:00:00:a0 (SET FEATURES) succeeded
> <6>ata1.00: ACPI cmd f5/00:00:00:00:00:a0 (SECURITY FREEZE LOCK) filtered out
> <6>ata1.00: ACPI cmd ef/10:03:00:00:00:a0 (SET FEATURES) filtered out
> <6>ata1.00: configured for UDMA/100
> <7>ata2.00: ACPI cmd e3/00:1f:00:00:00:a0 (IDLE) succeeded
> <7>ata2.00: ACPI cmd e3/00:02:00:00:00:a0 (IDLE) succeeded
> <6>ata2.00: ACPI cmd ef/10:03:00:00:00:a0 (SET FEATURES) filtered out
> <6>ata2.00: configured for UDMA/33
> <5>sd 0:0:0:0: [sda] Starting disk
> <6>usb 2-1: reset high-speed USB device number 2 using ehci-pci
> <6>usb 1-1.1: reset high-speed USB device number 3 using ehci-pci
> <6>usb 1-1.6: reset high-speed USB device number 5 using ehci-pci
> <6>usb 1-1.4: reset full-speed USB device number 4 using ehci-pci
> <6>usb 2-1.2: reset high-speed USB device number 3 using ehci-pci
> <6>usb 2-1.5: reset full-speed USB device number 4 using ehci-pci
> <6>usb 2-1.2.1: reset low-speed USB device number 5 using ehci-pci
> <6>[drm] Enabling RC6 states: RC6 on, RC6p on, RC6pp on
> <6>usb 2-1.2.3: reset low-speed USB device number 7 using ehci-pci
> <6>iwlwifi 0000:03:00.0: L1 Enabled; Disabling L0S
> <6>iwlwifi 0000:03:00.0: Radio type=0x1-0x2-0x0
> <6>usb 2-1.2.2: reset full-speed USB device number 6 using ehci-pci
> <6>usblp0: removed
> <6>PM: restore of devices complete after 2649.424 msecs
> <6>usblp 2-1.2.2:1.0: usblp0: USB Bidirectional printer dev 6 if 0 alt 0 proto 2 vid 0x043D pid 0x0078
> <4>Restarting tasks ... done.
> <6>video LNXVIDEO:00: Restoring backlight state
> <6>wlp3s0: authenticate with 08:96:d7:05:f9:2a
> <6>wlp3s0: send auth to 08:96:d7:05:f9:2a (try 1/3)
> <6>wlp3s0: authenticated
> <6>wlp3s0: associate with 08:96:d7:05:f9:2a (try 1/3)
> <6>wlp3s0: RX AssocResp from 08:96:d7:05:f9:2a (capab=0x431 status=0 aid=1)
> <6>wlp3s0: associated
> :
> Mar 12 21:30:01 n22 crond[30054]: pam_unix(crond:session): session opened for user root by (uid=0)
> Mar 12 21:30:01 n22 CROND[30060]: (root) CMD (/usr/lib/sa/sa1 60 15 )
> Mar 12 21:30:01 n22 CROND[30053]: pam_unix(crond:session): session closed for user root
> Mar 12 21:37:04 n22 su[32414]: Successful su for root by root
> Mar 12 21:37:04 n22 su[32414]: + /dev/pts/9 root:root
> Mar 12 21:37:04 n22 su[32414]: pam_unix(su:session): session opened for user root by tfoerste(uid=0)
> 
> 
> -- 
> MfG/Sincerely
> Toralf Förster
> pgp finger print:1A37 6F99 4A9D 026F 13E2 4DCF C4EA CDDE 0076 E94E
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
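As an added illustration (not part of the thread, and not code from the audit project), here is a small POSIX shell script that does the check an administrator would want after seeing the quoted messages: it scans syslog text for the kernel's "audit: audit_lost=N audit_rate_limit=R audit_backlog_limit=L" line, reports how many records were lost and what backlog limit the kernel was running with, and compares that against the -b value found in an audit.rules text. The sample log lines and the sample rules file are constructed here (modelled on the excerpt above and on the "-b 320" suggestion); the function names are this example's own. It relies on audit_lost being the kernel's cumulative count of dropped records since boot, so the largest value seen is the total.

```shell
#!/bin/sh
# Added example: detect audit backlog overflow in syslog text and check the
# configured -b value. Not from the linux-audit thread; names are this script's own.

# Constructed sample, modelled on the /var/log/messages excerpt quoted in the thread.
SAMPLE_LOG='Mar 12 21:30:01 n22 kernel: type=1006 audit(1394656201.313:161): pid=30053 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=161 res=1
Mar 12 21:30:01 n22 kernel: audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=64
Mar 12 21:30:01 n22 kernel: audit: printk limit exceeded'

# Constructed sample audit.rules text carrying the -b line the reply suggests.
SAMPLE_RULES='## constructed audit.rules (example only)
-b 320
-w /etc/passwd -p wa -k passwd'

# audit_loss_summary LOGTEXT
# Prints "<reports> <lost> <backlog_limit>": number of overflow reports seen,
# the cumulative count of lost records (audit_lost is cumulative, so take the
# largest value), and the backlog limit the kernel reported.
audit_loss_summary() {
    printf '%s\n' "$1" | awk '
        /audit: audit_lost=/ {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "audit_lost")          lost  = kv[2]
                if (kv[1] == "audit_backlog_limit") limit = kv[2]
            }
            n++
            if (lost > maxlost) maxlost = lost
        }
        END { printf "%d %d %d\n", n, maxlost + 0, limit + 0 }'
}

# backlog_rule_value RULESTEXT
# Prints the value given to -b in an audit.rules text, or 0 if no -b line exists.
backlog_rule_value() {
    printf '%s\n' "$1" | awk '$1 == "-b" { v = $2 } END { print v + 0 }'
}

# Stand-alone run: summarise the sample log and compare it with the sample rules.
main() {
    set -- $(audit_loss_summary "$SAMPLE_LOG")
    reports=$1; lost=$2; kernel_limit=$3
    rule=$(backlog_rule_value "$SAMPLE_RULES")
    echo "overflow reports: $reports, lost records: $lost, kernel backlog limit: $kernel_limit, rules -b: $rule"
    if [ "$lost" -gt 0 ] && [ "$rule" -le "$kernel_limit" ]; then
        echo "records were dropped and audit.rules does not raise the limit; add a larger -b (see man auditctl)"
    elif [ "$lost" -gt 0 ]; then
        echo "records were dropped with the old limit; -b $rule will apply once the rules are reloaded"
    fi
}

main
```

Run it against a real box with `audit_loss_summary "$(grep 'audit_lost=' /var/log/messages)"` and `backlog_rule_value "$(cat /etc/audit/rules.d/audit.rules)"`; a non-zero lost count with a rules -b at or below the kernel's reported limit means the suggested rule has not taken effect (or is still too small), and `auditctl -s` shows the value currently loaded.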
