Hi all,
I recall seeing an rsyslog entry to prevent these messages from filling my messages logs, but it no longer appears to work with f24. Is there a more specific method to disable audit messages?
Sep 26 14:40:56 alex kernel: audit: type=2404 audit(1474915256.442:724): pid=3297 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:c3:77:02:0b:2c:82:43:05:c5:50:ff:e6:99:f1:3f:1a:1d:6a:51:b7:a4:cb:45:55:37:66:95:46:51:9b:80:d2 direction=? spid=3297 suid=0 exe="/usr/sbin/sshd" hostname=? addr=107.155.77.2 terminal=? res=success'
I'm not using selinux, and have enabled rsyslog. They're just not helpful to me.
Thanks, Alex
On Mon, 2016-09-26 at 14:46 -0400, Alex wrote:
Edit /etc/default/grub. Look for the line beginning GRUB_CMDLINE_LINUX. Add "audit=0" to the end of that line. Run:
grub2-mkconfig --output /boot/grub2/grub.cfg
Audit will be turned off when you reboot. To turn it off without rebooting, do:
auditctl -e 0
poc
Hi,
On Mon, Sep 26, 2016 at 2:53 PM, Patrick O'Callaghan pocallaghan@gmail.com wrote:
Thanks very much, very helpful. What is the reason this is enabled by default? Don't other people find it obnoxious and unhelpful?
How does this information help the average sysadmin?
On 09/27/2016 02:22 AM, Alex wrote:
Audit is not just a log. For that reason, it is not dumped to the same files (/var/log/secure, /var/log/messages) as other logs, but into a separate file (/var/log/audit/audit.log) when you have auditd running (if you stop that, it is dumped into the messages log, which might be confusing).
It keeps track of actions that were performed at a lower level than the "average sysadmin" might need. In the first place, they are needed for certifications in some environments. In the second place, it is helpful when you look for more specific actions that were performed in the past.
Your example shows an event where the server private key was zeroed before exit or before changing to an unprivileged process, which should not see the content of the private keys.
Regards,
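As an added example (not part of the thread), here is a small Python parser that decodes a record of the shape Alex posted along the lines Jakub describes; the type name 2404 = CRYPTO_KEY_USER comes from linux/audit.h, and the sample line is constructed with a documentation address and a shortened fingerprint.

```python
import re

# Constructed sample record, shaped like the one in the thread; the client
# address is replaced with a documentation address and the fingerprint shortened.
SAMPLE = ("Sep 26 14:40:56 alex kernel: audit: type=2404 audit(1474915256.442:724): "
          "pid=3297 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server "
          "fp=SHA256:c3:77:02:0b direction=? spid=3297 suid=0 exe=\"/usr/sbin/sshd\" "
          "hostname=? addr=192.0.2.10 terminal=? res=success'")

UNSET = 4294967295                       # (unsigned)-1: kernel's "not set" auid/ses
TYPE_NAMES = {2404: "CRYPTO_KEY_USER"}   # numeric record type, from linux/audit.h
HEADER = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
KV = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

def _kv(text):
    """key=value pairs; values may be '...' or "..." quoted (quotes stripped)."""
    return {k: v.strip("'\"") for k, v in KV.findall(text)}

def parse_audit_record(line):
    """Split a syslog-wrapped audit record into its header and flattened fields."""
    head = line.split("audit: ", 1)[1]          # drop the syslog prefix
    m = HEADER.match(head)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    fields = _kv(body)
    if "msg" in fields:                         # msg='...' nests a second key=value list
        fields.update(_kv(fields.pop("msg")))
    return {"type": int(rtype), "type_name": TYPE_NAMES.get(int(rtype), "UNKNOWN"),
            "timestamp": float(ts), "serial": int(serial), "fields": fields}

def describe(rec):
    """Plain-language reading of a CRYPTO_KEY_USER record, as a triage aid."""
    f = rec["fields"]
    notes = []
    if rec["type"] == 2404 and f.get("op") == "destroy" and f.get("kind") == "server":
        notes.append("%s destroyed a server host key in memory (fp %s)"
                     % (f.get("exe"), f.get("fp")))
    if int(f.get("auid", UNSET)) == UNSET:
        notes.append("auid unset: emitted by a daemon, not an interactive login session")
    if f.get("res") == "success":
        notes.append("res=success: routine key housekeeping, not a failure")
    return notes

if __name__ == "__main__":
    for note in describe(parse_audit_record(SAMPLE)):
        print(note)
```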
On Tue, 2016-09-27 at 09:09 +0200, Jakub Jelen wrote:
I don't think anyone is against the idea of auditing per se. The problem with the implementation is that a) audit lines overwhelm everything else in the journal, and b) they are very hard to interpret without a *lot* of background reading, i.e. they are genuinely useless for most people other than professional sysadmins. Having them on by default just means a huge waste of space and a good deal of frustration.
poc