JFL
24 March 2021 06:08
1
Getting a lot of Audit messages in dmesg. What is it for and should I disable and how to disable Audit in Manjaro-Arm?
[ 51.368732] audit: type=1130 audit(1616564157.496:88): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=bootsplash-hide-when-booted comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 51.368804] audit: type=1131 audit(1616564157.496:89): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=bootsplash-hide-when-booted comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 52.444425] audit: type=1334 audit(1616564158.561:90): prog-id=17 op=LOAD
[ 52.444542] audit: type=1334 audit(1616564158.561:91): prog-id=18 op=LOAD
[ 53.628673] audit: type=1130 audit(1616564159.746:92): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=upower comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 55.038192] audit: type=1130 audit(1616564161.152:93): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 63.927510] audit: type=1130 audit(1616564170.026:94): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=blueman-mechanism comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 68.404292] audit: type=1130 audit(1616564174.503:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=updatedb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 68.404313] audit: type=1131 audit(1616564174.503:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=updatedb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 95.015709] audit: type=1131 audit(1616564201.110:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=blueman-mechanism comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 126.353453] audit: type=1100 audit(1616564232.448:98): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="jfl" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[ 126.356663] audit: type=1101 audit(1616564232.448:99): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="jfl" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[ 126.359708] audit: type=1110 audit(1616564232.458:100): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[ 126.368561] audit: type=1105 audit(1616564232.468:101): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[ 131.303608] audit: type=1106 audit(1616564237.398:102): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[ 131.304398] audit: type=1104 audit(1616564237.398:103): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
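For anyone triaging output like the above before switching the audit subsystem off: the following is an added example (not from the thread or from Manjaro) that parses the dmesg audit record format shown, names the record types, and separates the systemd SERVICE_START/STOP and BPF noise from the PAM records (sudo authentication), which audit=0 silences as well. The sample lines are copied from the question; the type-number table is assumed from the kernel's linux/audit.h.

```python
import re
from collections import Counter

# Record type numbers from the kernel's linux/audit.h for the types seen in the thread.
AUDIT_TYPE_NAMES = {
    1100: "USER_AUTH", 1101: "USER_ACCT", 1104: "CRED_DISP", 1105: "USER_START",
    1106: "USER_END", 1110: "CRED_REFR", 1130: "SERVICE_START",
    1131: "SERVICE_STOP", 1334: "BPF",
}
# dmesg prefix, then the audit header: type=N audit(epoch.ms:serial): body
HEADER_RE = re.compile(r"^\[\s*[\d.]+\]\s+audit:\s+type=(?P<type>\d+)\s+"
                       r"audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values may be single- or double-quoted (msg='...', acct="jfl")
KV_RE = re.compile(r"([\w-]+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_fields(body):
    """Turn 'k=v k2="v2"' into a dict; the msg='...' payload is parsed recursively."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        value = raw[1:-1] if raw[:1] in "'\"" else raw
        fields[key] = parse_fields(value) if key == "msg" else value
    return fields

def parse_audit_line(line):
    """Parse one dmesg audit line into a record dict; None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec_type = int(m.group("type"))
    return {"type": rec_type,
            "type_name": AUDIT_TYPE_NAMES.get(rec_type, f"UNKNOWN_{rec_type}"),
            "serial": int(m.group("serial")),
            "fields": parse_fields(m.group("body"))}

def summarize(text):
    """Count record types and list the PAM events (account, operation, result)."""
    records = [r for r in map(parse_audit_line, text.splitlines()) if r]
    counts = Counter(r["type_name"] for r in records)
    msgs = [r["fields"].get("msg", {}) for r in records]
    pam = [(m["acct"], m["op"], m["res"]) for m in msgs if m.get("op", "").startswith("PAM:")]
    return counts, pam

# Constructed sample: three lines copied from the dmesg output quoted in the question.
SAMPLE_DMESG = """\
[ 51.368732] audit: type=1130 audit(1616564157.496:88): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=bootsplash-hide-when-booted comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ 52.444425] audit: type=1334 audit(1616564158.561:90): prog-id=17 op=LOAD
[ 126.353453] audit: type=1100 audit(1616564232.448:98): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="jfl" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
"""

if __name__ == "__main__":
    counts, pam = summarize(SAMPLE_DMESG)
    print(dict(counts), pam)
```

Run it against `dmesg | grep 'audit:'` to see how many of the records are service start/stop noise and how many are authentication events before deciding to disable auditing entirely.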
Dulbi
24 March 2021 09:28
2
JFL
24 March 2021 09:53
3
Thanks will try out some of the suggestions listed.
Edit: Tried the suggested commands but did not stop the “audit messages”
[jfl@MNJROGTKPro ~]$ sudo auditctl -e 0
[sudo] password for jfl:
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 6
backlog_wait_time 6000
backlog_wait_time_actual 0
[jfl@MNJROGTKPro ~]$ sudo auditctl -D
No rules
[jfl@MNJROGTKPro ~]$ sudo systemctl disable auditd --now
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
[jfl@MNJROGTKPro ~]$
Did you insert audit=0 inside /etc/default/grub, followed by sudo update-grub and a reboot? I've done it and I no longer see these entries in dmesg nor in the journal.
JFL
24 March 2021 15:41
5
Thanks for the guidance. I am on Manjaro-Arm-XFCE and the file /etc/default/grup doesn't seem to exist.
[jfl@MNJROGTKPro ~]$ systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor p>
Active: inactive (dead)
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
lines 1-5/5 (END)
The /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd is sending or recieving remote logging, copy this file to
## /etc/systemd/system/auditd.service and comment out the first After and
## uncomment the second so that network-online.target is part of After.
## then comment the first Before and uncomment the second Before to remove
## sysinit.target from "Before".
After=local-fs.target systemd-tmpfiles-setup.service
##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
##Before=shutdown.target
Conflicts=shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
Well, you did not mention what hardware you are using. Find the boot file that has the kernel command line. Edit the file and add audit=0 to that line.
If you are using a raspberry pi… the file is /boot/cmdline.txt
JFL
24 March 2021 15:55
7
Oops, I am using a Beelink GT King Pro (SOC: s922X) with Manjaro-Arm-XFCE-VIM3-linux-vim 5.11.7-1. The boot uses u-boot.ext and extlinux.conf. Sorry, I do not have /boot/cmdline.txt either.
The closest, I suppose, is extlinux.conf:
LABEL Manjaro
LINUX /Image
INITRD /initramfs-linux.img
FDT /dtbs/amlogic/meson-g12b-gtking-pro.dtb
APPEND root=LABEL=ROOT_MNJRO rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0 bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash
In the /usr/lib/systemd/system/auditd.service file, I notice this
ConditionKernelCommandLine=!audit=0
From the looks of it, I would suggest adding audit=0 to the end of the APPEND line and reboot.
JFL
24 March 2021 16:31
10
D.Dave:
Is grub, not grup.
Oops, typo. No, /etc/default/grub does not exist on my build. Maybe it is in another folder, but so far I could not locate it.
Strit
24 March 2021 16:34
11
No, it’s correct. We don’t use Grub in ARM.
JFL
24 March 2021 16:39
12
What will be the best solution to reduce or disable the audit messages? There are a lot of these audit messages in dmesg.
Strit
24 March 2021 16:41
13
Add audit=0 to the APPEND line in /boot/extlinux/extlinux.conf and reboot.
That should make them go away.
JFL
24 March 2021 17:12
14
Thanks @D.Dave , @Dulbi , @0n0w1c and @Strit for your guidance.
Appending audit=0 in extlinux.conf works. No more audit messages in dmesg. Hope it does not create other issues.
system
Closed
8 April 2021 17:13
15
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.