Lots of audit messages polluting my logs


Post by mister_v »

Hi,

I have tons of audit denied messages in my logs and dmesg:

[  528.090461] audit: type=1400 audit(1478343185.933:743): avc:  denied  { create } for  pid=2785 comm="auditd" name="auditd" scontext=user_u:user_r:user_t tcontext=user_u:object_r:initrc_state_t tclass=lnk_file permissive=1
[  528.091293] audit: type=1400 audit(1478343185.934:744): avc:  denied  { getattr } for  pid=2128 comm="syslog-ng" path="/var/log/messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[  528.091314] audit: type=1400 audit(1478343185.934:745): avc:  denied  { append } for  pid=2128 comm="syslog-ng" name="messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[  528.091324] audit: type=1400 audit(1478343185.934:746): avc:  denied  { open } for  pid=2128 comm="syslog-ng" path="/var/log/messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1
[  528.091345] audit: type=1400 audit(1478343185.934:747): avc:  denied  { setattr } for  pid=2128 comm="syslog-ng" name="messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1

What are they and how do I get rid of them?

This is a Gentoo Linux server
4.4.6-gentoo

Post by chris »

It looks like you have hardening on your system,
but the audit service is not running.
Check it with the following command (as root):

/etc/init.d/auditd status

If not, start it:

/etc/init.d/auditd start

It will direct the messages to the proper log:
/var/log/audit/audit.log

It will not solve any of the problems, if any, listed in the logs.
It just puts them in their own log,
so dmesg and other logs are not polluted anymore.
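
For triaging denials like the ones quoted in the first post, this added example (not code from either poster) parses AVC lines and groups them by source type, target type and object class. The sample lines are copied from the thread plus one constructed non-audit line; the function names are this example's own.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Three denials copied from the first post, plus one constructed non-AVC line.
THREAD_LINES = [
    '[  528.090461] audit: type=1400 audit(1478343185.933:743): avc:  denied  { create } for  pid=2785 comm="auditd" name="auditd" scontext=user_u:user_r:user_t tcontext=user_u:object_r:initrc_state_t tclass=lnk_file permissive=1',
    '[  528.091293] audit: type=1400 audit(1478343185.934:744): avc:  denied  { getattr } for  pid=2128 comm="syslog-ng" path="/var/log/messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1',
    '[  528.091314] audit: type=1400 audit(1478343185.934:745): avc:  denied  { append } for  pid=2128 comm="syslog-ng" name="messages" dev="sda4" ino=9962284 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1',
    '[  528.100000] usb 1-1: constructed non-audit line',
]


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    try:
        # Contexts are user:role:type[:level]; the type is the third field.
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class) and merge perms."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0, 'blocked': 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['stype'], rec['ttype'], rec.get('tclass', '?'))]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec.get('comm', '?'))
        g['count'] += 1
        if rec.get('permissive') == '0':  # permissive=1 is logged, not blocked
            g['blocked'] += 1
    return dict(groups)


if __name__ == '__main__':
    for (stype, ttype, tclass), g in sorted(summarize(THREAD_LINES).items()):
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(sorted(g['perms']))} }} "
              f"x{g['count']} blocked={g['blocked']} comm={','.join(sorted(g['comms']))}")
```

On the thread's lines this yields two groups, user_t to initrc_state_t (lnk_file) and syslogd_t to unlabeled_t (file), both with blocked=0 because every record carries permissive=1.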