Audit still logging even when stopped

November 10th, 2009 by vicky

I had a strange problem on one of my CentOS 5.4 servers. I stopped the auditd service and disabled SELinux; the server, however, was still logging all those annoying things like

Nov 10 18:27:01 server kernel: type=1105 audit(1257874021.909:87975): user pid=27986 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
Nov 10 18:27:02 server kernel: type=1104 audit(1257874022.828:87976): user pid=27986 uid=0 auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

into /var/log/messages log, filling it up with garbage.

After some time spent investigating, I fixed it. I edited /etc/audit/audit.rules and replaced the line

-D

with this line

-e 0

After that I started the auditd service, stopped it, and there were no more logs in /var/log/messages.
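A way to check the edit above before and after applying it, as an added example that is not part of the original post. The function names are hypothetical, and each function takes a file path so it can be run on copies of /etc/audit/audit.rules and /var/log/messages.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Every function takes a file
# path, so run them on copies of audit.rules and /var/log/messages.

# Effective "-e" value of a rules file. Rules load top to bottom, so the last
# -e line wins, except that "-e 2" locks the configuration and later -e lines
# are rejected. Prints "unset" when the file has no -e line.
audit_enable_flag() {
    awk '$1 == "-e" && v != "2" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# The edit from the post: a line holding only "-D" becomes "-e 0".
# Writes the result to stdout and leaves the input file untouched.
apply_page_fix() {
    sed 's/^[[:space:]]*-D[[:space:]]*$/-e 0/' "$1"
}

# Number of syslog lines that are audit records written by the kernel
# (the "kernel: type=NNNN audit(" form shown in the post).
count_kernel_audit() {
    grep -c 'kernel: type=[0-9][0-9]* audit(' "$1" || true
}

# Constructed sample: a rules file with -D and a buffer size, and no -e line.
demo=$(mktemp)
printf '%s\n' '# First rule - delete all' '-D' '-b 320' > "$demo"
echo "before: -e $(audit_enable_flag "$demo")"
apply_page_fix "$demo" > "$demo.fixed"
echo "after:  -e $(audit_enable_flag "$demo.fixed")"
rm -f "$demo" "$demo.fixed"
```

On the live system, auditctl -s reports the kernel's current enabled value. Setting -e 0 sets that flag to 0, which disables kernel auditing rather than only keeping it out of syslog.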


One Response

  1. dk11k Says:

    Audit daemon is tricky and this solution works for me too. Nice site.
