|Summary:|audit whines on a console|
|Product:|[Fedora] Fedora|
|Reporter:|Michal Jaegermann <michal>|
|Component:|kernel|
|Assignee:|David Woodhouse <dwmw2>|
|Status:|CLOSED ERRATA|
|Doc Type:|Bug Fix|
|Last Closed:|2005-09-07 10:17:03 UTC|
Description Michal Jaegermann 2005-06-24 00:40:38 UTC
Description of problem:
Every login on a console produces a series of messages like this:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see the thingy is really repeatable without adding a shred of new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=? result=User not known to the underlying authentication module)'

On top of it audit floods /var/log/messages with so much junk that this log becomes totally unusable. I thought that these were results of recent problems with the audit system, but an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
audit-0.9.11-1 (audit-libs-0.9.11-1 is installed as some update pulled that in, unfortunately, but the audit-0.9.11-1 package itself is not, as nothing was requesting it).

How reproducible:
All the time.
Comment 1 Steve Grubb 2005-06-24 19:35:23 UTC
This is a kernel problem. We are looking at solutions. In the meantime, you can try the following workaround. Install the audit package and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.
Comment 2 Michal Jaegermann 2005-06-25 16:27:23 UTC
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed looks helpful. Thanks. Audit messages accumulate now in /var/log/audit/audit.log and so far it looks like only there. But 'service auditd start' elicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged. It appears that somebody plays fast and loose with signed and unsigned quantities.
Comment 3 Steve Grubb 2005-06-25 18:34:47 UTC
The message that you are seeing is due to a functionality mismatch. There will be a kernel released sometime in the future that will have the file system auditing patched in. The same message was reported in bugzilla #161322. Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit 0.9.14 has all known bugs fixed and is likely to be an FC4 update candidate. The above error message wasn't specifically fixed, but may not be present in the current rawhide.
Comment 4 Michal Jaegermann 2005-06-26 06:40:11 UTC
> Out of curiosity, which arch are you using? x86_64?

Yes, indeed, x86_64. Numbers like 18446744073709551594 are not likely to show up on 32 bits. :-) This is -22 if you make that signed, 0xffffffffffffffea.
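
The reinterpretation in comment 4, and the same wraparound in the auid=4294967295 fields quoted in the description, as an added example that is not part of the original thread: Python that decodes both values (-22 is -EINVAL on Linux) and collapses the per-stage PAM records into one entry per login attempt. The regular expression and function names are assumptions made for this example, and the sample records are constructed from the lines quoted in the description.

```python
import errno
import re

# Constructed sample: three records in the shape quoted in the description.
SAMPLE = [
    "audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM authentication: "
    "user=root exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 result=Success)'",
    "audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session open: "
    "user=root exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty1 result=Success)'",
    "audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM bad_ident: user=? "
    "exe=\"/usr/bin/gdm-binary\" (hostname=?, addr=?, terminal=? result=User not known to "
    "the underlying authentication module)'",
]

# Hypothetical pattern written for this example; it only covers PAM user records.
RECORD = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): user pid=(?P<pid>\d+) "
    r"uid=(?P<uid>\d+) auid=(?P<auid>\d+) msg='PAM (?P<stage>[^:]+): "
    r"user=(?P<user>\S+) exe=\"(?P<exe>[^\"]+)\" "
    r"\(.*?terminal=(?P<tty>\S+) result=(?P<result>[^)]*)\)")

def as_signed(value, bits):
    """Reinterpret an unsigned integer as two's complement of that width."""
    return value - (1 << bits) if value >> (bits - 1) else value

def decode_errno(raw, bits=64):
    """Turn a wrapped 'Unknown error N' value into (signed value, errno name)."""
    signed = as_signed(raw, bits)
    return signed, errno.errorcode.get(-signed, "unknown")

def parse_record(line):
    """Parse one PAM user record; an auid of (uint32)-1 means no login uid is set."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    auid = as_signed(int(rec["auid"]), 32)
    rec.update(pid=int(rec["pid"]), auid=None if auid == -1 else auid)
    return rec

def summarize(lines):
    """Collapse the per-stage records into one entry per (pid, exe, user)."""
    out = {}
    for rec in filter(None, map(parse_record, lines)):
        entry = out.setdefault((rec["pid"], rec["exe"], rec["user"]),
                               {"stages": [], "failed": []})
        entry["stages"].append(rec["stage"])
        if rec["result"] != "Success":
            entry["failed"].append(rec["stage"])
    return out
```
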
Comment 5 Steve Grubb 2005-07-01 11:25:09 UTC
Reassigning bug. This problem is solved in the audit test kernels. The patches just need to go into the distributed kernels.
Comment 6 David Woodhouse 2005-09-07 10:17:03 UTC
The latest kernels will filter out the audit messages, even though userspace really shouldn't be generating them unless specifically configured to do so.
Comment 7 dee 2006-03-29 11:25:14 UTC
I am having the same problem and it's months later and just wanted to know if the patch was ever released... I am using Fedora Core 4... If it was released could you give me details of where to get it and how to install it plz... Nice one for coming up with a solution... Thanks