[SOLVED] Kernel audit msg flooding after yum update

yitpong · 03-14-2011, 02:48 AM

selinux and psacct is disabled in this system (RHEL5.6 2.6.18-194.11.3.el5 SMP x86_64).

After performing a yum update, the syslog is flooded with kernel audit messages (related to PAM), even though audit service is turned off.

Is there a way to disable this verbosity?

[ Sample of /var/log/messages ]
Mar 14 14:49:32 svr10 kernel: type=1103 audit(1300085372.192:183805): user pid=24632 uid=0 auid=0 subj=kernel msg='PAM: setcred acct="root" : exe="/usr/sbin/sshd" (hostname=172.16.4.101, addr=172.16.4.101, terminal=ssh res=success)'
Mar 14 14:49:32 svr10 kernel: type=1006 audit(1300085372.200:183806): login pid=24632 uid=0 old auid=0 new auid=0 old ses=27923 new ses=29597
Mar 14 14:49:32 svr10 kernel: type=1105 audit(1300085372.200:183807): user pid=24632 uid=0 auid=0 subj=kernel msg='PAM: session open acct="root" : exe="/usr/sbin/sshd" (hostname=172.16.4.101, addr=172.16.4.101, terminal=ssh res=success)'
Mar 14 14:49:32 svr10 kernel: type=1112 audit(1300085372.204:183808): user pid=24634 uid=0 auid=0 subj=kernel msg='uid=0: exe="/usr/sbin/sshd" (hostname=172.16.4.101, addr=172.16.4.101, terminal=/dev/pts/0 res=success)'
Mar 14 14:49:32 svr10 kernel: type=1110 audit(1300085372.211:183809): user pid=24634 uid=0 auid=0 subj=kernel msg='PAM: setcred acct="root" : exe="/usr/sbin/sshd" (hostname=172.16.4.101, addr=172.16.4.101, terminal=ssh res=success)'
Mar 14 15:01:01 svr10 kernel: type=1006 audit(1300086061.131:183821): login pid=24748 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=29600
Mar 14 15:01:01 svr10 kernel: type=1105 audit(1300086061.136:183822): user pid=24747 uid=0 auid=0 subj=kernel msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Mar 14 15:01:01 svr10 kernel: type=1105 audit(1300086061.138:183823): user pid=24748 uid=0 auid=0 subj=kernel msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Mar 14 15:01:01 svr10 kernel: type=1104 audit(1300086061.149:183824): user pid=24747 uid=0 auid=0 subj=kernel msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Mar 14 15:01:01 svr10 kernel: type=1106 audit(1300086061.150:183825): user pid=24747 uid=0 auid=0 subj=kernel msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

corp769 · 03-14-2011, 04:32 AM

If you can, go through your /var/log/messages and post the packages that you updated prior to getting these messages, it will assist in troubleshooting.

Josh

yitpong · 03-14-2011, 09:07 AM

I found the solution!

http://www.vickysguide.com/audit-sti...en-when-stoped