Many Audit Messages in dmesg - How to disable Audit?

I am getting a lot of Audit messages in dmesg. What are they for, should I disable them, and how do I disable Audit in Manjaro-Arm?

[   51.368732] audit: type=1130 audit(1616564157.496:88): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=bootsplash-hide-when-booted comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   51.368804] audit: type=1131 audit(1616564157.496:89): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=bootsplash-hide-when-booted comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   52.444425] audit: type=1334 audit(1616564158.561:90): prog-id=17 op=LOAD
[   52.444542] audit: type=1334 audit(1616564158.561:91): prog-id=18 op=LOAD
[   53.628673] audit: type=1130 audit(1616564159.746:92): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=upower comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   55.038192] audit: type=1130 audit(1616564161.152:93): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=udisks2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   63.927510] audit: type=1130 audit(1616564170.026:94): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=blueman-mechanism comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   68.404292] audit: type=1130 audit(1616564174.503:95): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=updatedb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   68.404313] audit: type=1131 audit(1616564174.503:96): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=updatedb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   95.015709] audit: type=1131 audit(1616564201.110:97): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=blueman-mechanism comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  126.353453] audit: type=1100 audit(1616564232.448:98): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="jfl" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[  126.356663] audit: type=1101 audit(1616564232.448:99): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="jfl" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[  126.359708] audit: type=1110 audit(1616564232.458:100): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[  126.368561] audit: type=1105 audit(1616564232.468:101): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[  131.303608] audit: type=1106 audit(1616564237.398:102): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
[  131.304398] audit: type=1104 audit(1616564237.398:103): pid=10416 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
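
For orientation on what these records are, here is an added example (not part of the original post) that decodes audit lines like the ones above. The type names come from linux/audit.h; the function names are made up for this example and the sample lines are constructed, shortened copies of the quoted ones.

```shell
#!/bin/sh
# Added example: decode the audit records that appear in dmesg.

# Constructed sample: four records shortened from the kinds quoted above.
sample_dmesg() {
    cat <<'EOF'
[   53.6] audit: type=1130 audit(1616564159.746:92): pid=1 uid=0 msg='unit=upower comm="systemd" res=success'
[   68.4] audit: type=1131 audit(1616564174.503:96): pid=1 uid=0 msg='unit=updatedb comm="systemd" res=success'
[   52.4] audit: type=1334 audit(1616564158.561:90): prog-id=17 op=LOAD
[  126.3] audit: type=1100 audit(1616564232.448:98): pid=10416 uid=1000 msg='op=PAM:authentication acct="jfl" exe="/usr/bin/sudo" res=success'
EOF
}

# Print "<record name> <what it refers to> res=<result>" per audit line on stdin.
audit_decode() {
    awk '
    BEGIN {  # record-type names from linux/audit.h (only those in the post)
        n[1100] = "USER_AUTH";  n[1101] = "USER_ACCT"; n[1104] = "CRED_DISP"
        n[1105] = "USER_START"; n[1106] = "USER_END";  n[1110] = "CRED_REFR"
        n[1130] = "SERVICE_START"; n[1131] = "SERVICE_STOP"; n[1334] = "BPF"
    }
    # Value of key=... in the current line, quotes stripped; "-" if absent.
    function field(key,    s) {
        if (!match($0, "[ \047]" key "=[^ \047]+")) return "-"
        s = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        gsub(/"/, "", s)
        return s
    }
    match($0, /audit: type=[0-9]+/) {
        t = substr($0, RSTART + 12, RLENGTH - 12)
        name = (t in n) ? n[t] : "type=" t
        if (t == 1130 || t == 1131) what = "unit=" field("unit")
        else if (t == 1334)         what = "prog-id=" field("prog-id")
        else                        what = field("op") " acct=" field("acct")
        print name, what, "res=" field("res")
    }'
}

sample_dmesg | audit_decode
```

On a live system the same function can be fed with `dmesg | audit_decode`.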

Maybe you could find some answer here: linux - How to disable useless "audit success" log entries in dmesg - Unix & Linux Stack Exchange

Thanks will try out some of the suggestions listed.

Edit: Tried the suggested commands but they did not stop the “audit messages”.

[jfl@MNJROGTKPro ~]$ sudo auditctl -e 0
[sudo] password for jfl: 
enabled 0
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 0
backlog 6
backlog_wait_time 6000
backlog_wait_time_actual 0
[jfl@MNJROGTKPro ~]$ sudo auditctl -D
No rules
[jfl@MNJROGTKPro ~]$ sudo systemctl disable auditd --now
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
[jfl@MNJROGTKPro ~]$

Did you insert audit=0 inside /etc/default/grub, followed by sudo update-grub and a reboot? I’ve done it and I no longer see these entries in dmesg nor in the journal.

Thanks for the guidance. I am on Manjaro-Arm-XFCE and the file /etc/default/grup doesn’t seem to exist.

[jfl@MNJROGTKPro ~]$ systemctl status auditd.service
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor p>
     Active: inactive (dead)
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
lines 1-5/5 (END)

The /usr/lib/systemd/system/auditd.service

[Unit]
Description=Security Auditing Service
DefaultDependencies=no
## If auditd is sending or recieving remote logging, copy this file to
## /etc/systemd/system/auditd.service and comment out the first After and
## uncomment the second so that network-online.target is part of After.
## then comment the first Before and uncomment the second Before to remove
## sysinit.target from "Before".
After=local-fs.target systemd-tmpfiles-setup.service
##After=network-online.target local-fs.target systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target
##Before=shutdown.target
Conflicts=shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation

Well, you did not mention what hardware you are using. Find the boot file that has the kernel command. Edit the file and add audit=0 to the line.

If you are using a raspberry pi… the file is /boot/cmdline.txt

Oops, I am using Beelink GT King Pro (SOC: s922X) Manjaro-Arm-XFCE-VIM3-linux-vim 5.11.7-1. The boot uses u-boot.ext and extlinux.conf. Sorry, I do not have /boot/cmdline.txt either.

The closest, I suppose, is extlinux.conf

LABEL Manjaro
LINUX /Image
INITRD /initramfs-linux.img
FDT /dtbs/amlogic/meson-g12b-gtking-pro.dtb
APPEND root=LABEL=ROOT_MNJRO rootflags=data=writeback rw console=ttyAML0,115200n8 console=tty0 no_console_suspend consoleblank=0 fsck.fix=yes fsck.repair=yes net.ifnames=0 bootsplash.bootfile=bootsplash-themes/manjaro/bootsplash

In the /usr/lib/systemd/system/auditd.service file, I notice this
ConditionKernelCommandLine=!audit=0

From the looks of it, I would suggest adding audit=0 to the end of the APPEND line and reboot.

It's grub, not grup.

Oops, typo. No, /etc/default/grub does not exist on my build. Maybe it is in other folders, but so far I could not locate it.

No, it’s correct. We don’t use Grub in ARM.

What will be the best solution to reduce or disable the audit messages? There are a lot of these audit messages in dmesg.

Add audit=0 to the APPEND line in /boot/extlinux/extlinux.conf and reboot.

That should make them go away.

Thanks @D.Dave, @Dulbi, @0n0w1c and @Strit for your guidance.

Appending audit=0 in extlinux.conf works. No more Audit messages in dmesg. Hope it does not create other issues.
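
The fix the thread settles on, as an added shell example that is not from any of the posters: it adds audit=0 to the APPEND line only when it is missing and keeps a .bak copy. The function names and the sample file are assumptions made for the demo, which runs on a throwaway copy.

```shell
#!/bin/sh
# Added example: put audit=0 on the APPEND line of an extlinux-style config
# exactly once, keeping a .bak copy of the original.

# Exit 0 only if FILE has an APPEND line and every APPEND line carries audit=0.
append_has_audit_off() {
    awk 'toupper($1) == "APPEND" {
             seen = 1; ok = 0
             for (i = 2; i <= NF; i++) if ($i == "audit=0") ok = 1
             if (!ok) missing = 1
         }
         END { exit !(seen && !missing) }' "$1"
}

# Append audit=0 to each APPEND line that lacks it. Safe to run repeatedly.
set_audit_off() {
    conf=$1
    append_has_audit_off "$conf" && return 0
    cp -p "$conf" "$conf.bak" || return 1
    awk 'toupper($1) == "APPEND" {
             has = 0
             for (i = 2; i <= NF; i++) if ($i == "audit=0") has = 1
             if (!has) { sub(/[ \t]+$/, ""); $0 = $0 " audit=0" }
         }
         { print }' "$conf.bak" > "$conf" || return 1
    append_has_audit_off "$conf"   # fails if the file had no APPEND line
}

# Constructed sample modelled on the extlinux.conf quoted in the thread
# (APPEND line shortened).
write_sample_conf() {
    cat > "$1" <<'EOF'
LABEL Manjaro
LINUX /Image
INITRD /initramfs-linux.img
FDT /dtbs/amlogic/meson-g12b-gtking-pro.dtb
APPEND root=LABEL=ROOT_MNJRO rw console=tty0 net.ifnames=0
EOF
}

# Demo on a throwaway copy; the second call must change nothing.
demo=$(mktemp)
write_sample_conf "$demo"
set_audit_off "$demo" && set_audit_off "$demo"
grep APPEND "$demo"
rm -f "$demo" "$demo.bak"
```

To apply it for real, call `set_audit_off /boot/extlinux/extlinux.conf` as root and reboot. audit=0 switches the kernel audit subsystem off until the next boot, so the sudo/PAM records shown in the first post stop being emitted as audit events too.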