Gerry
9 February 2022 18:59
1
Hi all,
my syslog-ng is full of kernel audit messages. How can I stop this?
I followed this guide Link, but none of the recipes worked.
I do not care for kernel audits every 10 mins. A one time kernel audit at boot time is enough.
br and thanks to all devs for CE !
Gerry
Gerry
11 February 2022 16:57
3
Thanks for taking care:
This is the sequence repeating every 10 mins:
Feb 11 00:00:01 SERVER kernel: [191472.278212@0] audit: type=1101 audit(1644534001.694:3053): pid=7525 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.278297@0] audit: type=1101 audit(1644534001.698:3054): pid=7524 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.279510@0] audit: type=1103 audit(1644534001.702:3055): pid=7525 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.279966@0] audit: type=1006 audit(1644534001.702:3056): pid=7525 uid=0 subj=kernel old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=485 res=1
Feb 11 00:00:01 SERVER kernel: [191472.282570@1] audit: type=1105 audit(1644534001.702:3057): pid=7525 uid=0 auid=0 ses=485 subj=kernel msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.283300@1] audit: type=1103 audit(1644534001.706:3058): pid=7524 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.283617@1] audit: type=1006 audit(1644534001.706:3059): pid=7524 uid=0 subj=kernel old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=486 res=1
Feb 11 00:00:01 SERVER kernel: [191472.284493@1] audit: type=1105 audit(1644534001.706:3060): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.421542@3] audit: type=1104 audit(1644534001.842:3061): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.421697@3] audit: type=1106 audit(1644534001.842:3062): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
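As an added illustration, not part of the thread: the ten lines above are two complete PAM lifecycles (account check, credential acquire, loginuid assignment, session open, credential dispose, session close) for two cron child processes, pids 7524 and 7525. Because no userspace audit daemon is listening, the kernel emits these records to the kernel log, which is why they show up in dmesg and anything that collects it. The parser below, written for this page rather than taken from CoreELEC or syslog-ng, turns each line into a record, attributes the exe-less LOGIN (type 1006) record to its cron pid via the sibling records, and separates the successful cron lifecycle noise from everything else. The constructed eleventh line (a failed sshd authentication, pid 7601) is there to show that a filter keyed on both the cron pid and res=success keeps failures and non-cron records visible. The audit type numbers are the ones from linux/audit.h.

```python
import re
from collections import defaultdict

# Sample input: the ten kernel audit lines quoted in the thread (two cron jobs,
# pids 7524 and 7525) plus one CONSTRUCTED line for a failed PAM authentication
# via sshd (pid 7601), which a noise filter must not drop.
SAMPLE_LOG = """\
Feb 11 00:00:01 SERVER kernel: [191472.278212@0] audit: type=1101 audit(1644534001.694:3053): pid=7525 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.278297@0] audit: type=1101 audit(1644534001.698:3054): pid=7524 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:accounting grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.279510@0] audit: type=1103 audit(1644534001.702:3055): pid=7525 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.279966@0] audit: type=1006 audit(1644534001.702:3056): pid=7525 uid=0 subj=kernel old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=485 res=1
Feb 11 00:00:01 SERVER kernel: [191472.282570@1] audit: type=1105 audit(1644534001.702:3057): pid=7525 uid=0 auid=0 ses=485 subj=kernel msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.283300@1] audit: type=1103 audit(1644534001.706:3058): pid=7524 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.283617@1] audit: type=1006 audit(1644534001.706:3059): pid=7524 uid=0 subj=kernel old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=486 res=1
Feb 11 00:00:01 SERVER kernel: [191472.284493@1] audit: type=1105 audit(1644534001.706:3060): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:session_open grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.421542@3] audit: type=1104 audit(1644534001.842:3061): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:00:01 SERVER kernel: [191472.421697@3] audit: type=1106 audit(1644534001.842:3062): pid=7524 uid=0 auid=0 ses=486 subj=kernel msg='op=PAM:session_close grantors=pam_loginuid,pam_env,pam_env,pam_permit,pam_unix,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Feb 11 00:01:13 SERVER kernel: [191544.100000@2] audit: type=1100 audit(1644534073.100:3063): pid=7601 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=failed'
"""

# Audit record types (numbers from linux/audit.h) that make up one PAM
# account / credential / session lifecycle.
PAM_LIFECYCLE_TYPES = {
    1006: "LOGIN", 1101: "USER_ACCT", 1103: "CRED_ACQ",
    1104: "CRED_DISP", 1105: "USER_START", 1106: "USER_END",
}

# "audit: type=NNNN audit(SECONDS.MS:SERIAL): key=value ..."
AUDIT_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is '...', "..." or a run of non-spaces (e.g. tty=(none)).
KV_RE = re.compile(r"""([\w-]+)=('[^']*'|"[^"]*"|\S+)""")


def parse_kv(text):
    """Parse a key=value list into a dict, stripping one layer of quotes."""
    out = {}
    for key, val in KV_RE.findall(text):
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        out[key] = val
    return out


def parse_audit_line(line):
    """Return a flat dict for one kernel audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = {"type": int(m.group("type")), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    rec.update(parse_kv(m.group("body")))
    # msg='...' is itself a key=value list (op, grantors, acct, exe, terminal, res).
    if "msg" in rec:
        rec.update(parse_kv(rec.pop("msg")))
    return rec


def split_cron_noise(lines):
    """Split log lines into (noise, keep).

    noise: parsed records that are successful PAM lifecycle events of a cron pid.
    keep:  every other line unchanged, including failures, non-cron records and
           lines that are not audit records at all.
    """
    parsed = [(line, parse_audit_line(line)) for line in lines if line.strip()]
    # The LOGIN (1006) record carries no exe=, so find cron pids from their
    # sibling records first and then attribute every record of that pid.
    cron_pids = {r["pid"] for _, r in parsed
                 if r and r.get("exe") == "/usr/sbin/cron"}
    noise, keep = [], []
    for line, rec in parsed:
        if (rec and rec["type"] in PAM_LIFECYCLE_TYPES
                and rec.get("pid") in cron_pids
                and rec.get("res") in ("success", "1")):   # LOGIN reports res=1
            noise.append(rec)
        else:
            keep.append(line)
    return noise, keep


def session_sequences(noise):
    """Group the dropped records by pid, in serial order, to show each lifecycle."""
    seq = defaultdict(list)
    for rec in sorted(noise, key=lambda r: r["serial"]):
        seq[rec["pid"]].append(PAM_LIFECYCLE_TYPES[rec["type"]])
    return dict(seq)


if __name__ == "__main__":
    noise, keep = split_cron_noise(SAMPLE_LOG.splitlines())
    for pid, steps in session_sequences(noise).items():
        print(f"cron pid {pid}: {' -> '.join(steps)}")
    print(f"dropped {len(noise)} cron lifecycle records, kept {len(keep)} line(s):")
    for line in keep:
        print("  " + line)
```

Run against the sample it reports one full lifecycle for pid 7524, a partial one for pid 7525 (its CRED_DISP and USER_END records fall outside the quoted excerpt) and keeps only the sshd failure. The two conditions that make the filter safe are the pid attribution (so a 1006 record from anything other than cron is never swallowed) and the res check (so a cron job whose PAM stack fails still reaches the log).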
vpeter
11 February 2022 17:17
4
And where is the syslog-ng? I don't see it on CE.
Gerry
12 February 2022 10:30
5
'syslog-ng' is indeed not part of CoreELEC, just a collector for various logs.
The kernel log 'dmesg' is redirected on my system to syslog-ng. Sorry for not being specific.
'dmesg' brings out the same messages.
The problem with this message flood is that it's very hard to find real problems.
vpeter
12 February 2022 10:36
6
I think I understood the problem from the start but just wanted the confirmation.
As far as I can see, these messages come from running some cron job? Seems you have something set which is not by default, because I don't see such messages on my device (not in dmesg or journalctl).
Gerry
14 February 2022 09:45
7
Thx,
crontab was also my suspect, but 'crontab -l' shows only my own cron jobs, nothing with auditd.
My suspect now is 'Docker' or some of its containers. So I will try to stop/disable them and see if the messages disappear.
Thanks for now !
Gerry
system
Closed
28 February 2022 09:46
8
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.