Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 161533 - audit whines on a console
Summary: audit whines on a console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: David Woodhouse
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-24 00:40 UTC by Michal Jaegermann
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-07 10:17:03 UTC


Attachments (Terms of Use)

Description Michal Jaegermann 2005-06-24 00:40:38 UTC
Description of problem:

Every login on a console produces a series of messages like that:

audit(1119561802.446:51): user pid=17297 uid=0 auid=4294967295 msg='PAM
authentication: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.447:52): user pid=17297 uid=0 auid=4294967295 msg='PAM
accounting: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1
result=Success)'
audit(1119561802.448:53): user pid=17297 uid=0 auid=4294967295 msg='PAM session
open: user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)'
audit(1119561802.448:54): user pid=17297 uid=0 auid=4294967295 msg='PAM setcred:
user=root exe="/bin/login" (hostname=?, addr=?, terminal=tty1 result=Success)

As you can see the thingy is really repeatable without adding a shred
of a new information.

Also starting gdm results in the following dumped to a console:

audit(1119562062.364:55): user pid=17583 uid=0 auid=4294967295 msg='PAM
bad_ident: user=? exe="/usr/bin/gdm-binary" (hostname=?, addr=?, terminal=?
result=User not known to the underlying authentication module)'

On the top of it audit floods /var/log/messages with so much junk that
this logs becomes totally unusable.

I thought that this were results of recent problems with audit system
but after an update to the current ones does not clear the problem.

Version-Release number of selected component (if applicable):
audit-0.9.11-1
(audit-libs-0.9.11-1 are installed as some update pulled that in,
unfortunately, but audit-0.9.11-1 package itself is not as nothing
was requesting it).

How reproducible:
All the time.

Comment 1 Steve Grubb 2005-06-24 19:35:23 UTC
This is a kernel problem. We are looking at solutions. 

In the meantime, you can try the following workaround. Install the audit package
and configure /etc/auditd.conf to have:

num_logs = 2
max_log_file = 1

This will occupy 2mb of disk space and remove the messages from the console.

Comment 2 Michal Jaegermann 2005-06-25 16:27:23 UTC
Changing /etc/auditd.conf like in comment #1 and starting auditd indeed
looks helpful. Thanks. Audit messages accumulate now in var/log/audit/audit.log
and so far it looks that only there.

But 'service auditd start' ellicited the following error notification:

Error receiving watch list (Unknown error 18446744073709551594)
There was an error in line 5 of /etc/audit.rules

and /etc/audit.rules is as packaged.  It appears that somebody plays
fast and loose with signed and unsigned quantities.

Comment 3 Steve Grubb 2005-06-25 18:34:47 UTC
The message that you are seeing is due to functionality mismatch. There will be
a kernel released sometime in the future that will have the file system auditing
patched in. The same message was reported in bugzilla #161322.

Out of curiosity, which arch are you using? x86_64? Just curious. Also, audit
0.9.14 has all known bugs fixed and it likely to be a FC4 update candidate. The
above error message wasn't specifically fixed, but may not be present in the
current rawhide.

Comment 4 Michal Jaegermann 2005-06-26 06:40:11 UTC
> Out of curiosity, which arch are you using? x86_64?

Yes. indeed, x86_64. Numbers like 18446744073709551594 are not likely to
show up on 32-bits. :-)  This is -22 if you will make that signed,
0xffffffffffffffea.

Comment 5 Steve Grubb 2005-07-01 11:25:09 UTC
Reassigning bug. This problem is solved in the audit test kernels. The patches
just need to go into the distributed kernels.

Comment 6 David Woodhouse 2005-09-07 10:17:03 UTC
The latest kernels will filter out the audit messages, even though userspace
really shouldn't be generating them unless specifically configured to do so.

Comment 7 dee 2006-03-29 11:25:14 UTC
I am having the same problem and its months later and just wanted to know if the
patch was ever released... I am using Fedora Core 4... If it was released could
you give me details of where to get it and how to install it plz...

Nice one for coming up with a solution...

Thanks


Note You need to log in before you can comment on or make changes to this bug.