Bug 19797 - Logs flooded by audit messages (pam messages)
Summary: Logs flooded by audit messages (pam messages)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-15 23:11 CET by Anne Nicolas
Modified: 2017-01-06 16:36 CET (History)
2 users (show)

See Also:
Source RPM: audit?
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Anne Nicolas 2016-11-15 23:11:33 CET 
Using Cauldron on a daily base, all is ok except logs which are flooded by audit such as:

[ 1373.047621] audit: type=1105 audit(1479247844.983:706): pid=5665 uid=0 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'

it seems pam_tty_audit is enabled and I did not find for now where to disable it
Comment 1 Rémi Verschelde 2016-11-15 23:13:05 CET 
Not sure yet if the issue is with audit itself or something that triggers it, so assigning to all packagers and CC'ing audit maintainer.

CC: (none) => shlomif
Assignee: bugsquad => pkg-bugs
Source RPM: (none) => audit?

Comment 2 Thomas Backlund 2016-11-16 09:13:11 CET 
iirc it's systemd that started triggering all theese audit logs, with the "if its there, use it" mantra... and "if you dont like it, boot with audit=0"

CC: (none) => tmb

Comment 3 Anne Nicolas 2016-12-01 08:54:57 CET 
What about using audit=0 by default in our installation. Then if needed it should be removed. I'm not sure it's that usefull for standard users. WDYT?
Comment 4 Rémi Verschelde 2016-12-01 08:57:25 CET 
I'm all for it, my dmesg is so spammed by stuff like this that it's unreadable:

[  958.759708] audit: type=1105 audit(1480573902.862:166): pid=30050 uid=1000 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/pkexec" hostname=? addr=? terminal=? res=success'
[ 4266.829639] audit_printk_skb: 6 callbacks suppressed
[ 4266.829642] audit: type=1130 audit(1480577210.699:169): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Comment 5 Anne Nicolas 2017-01-06 16:36:41 CET 
fix in commit 1ea7c5a1099fb73823cf4fea7e46328945fa4f81 
add audit=0 in cmdline

diff --git a/images/grub2.config b/images/grub2.config
index 3637236..c6db07f 100644
--- a/images/grub2.config
+++ b/images/grub2.config
@@ -23,7 +23,7 @@ set timeout=10
 search --no-floppy --set=root -l 'Mageia-6-x86_64-netinstall'
 
 menuentry 'Start Mageia 6 (Cauldron) Install' {
-        linux /isolinux/x86_64/vmlinuz quiet noiswmd
+        linux /isolinux/x86_64/vmlinuz audit=0 quiet noiswmd
         initrd /isolinux/x86_64/all.rdz
 }

Status: NEW => RESOLVED
Resolution: (none) => FIXED
Note You need to log in before you can comment on or make changes to this bug.