  • ClearOS 7.1, excessive audit logging.

    By default ClearOS 7.1 is logging a punishing amount of audit events into the audit log. This shows up in two ways:

    One is in the audit log, which is being written to constantly with the following:

    type=USER_CMD msg=audit(1444501641.520:195084): pid=26593 uid=998 auid=4294967295 ses=4294967295 msg='cwd="/usr/clearos/framework/htdocs/app" cmd=2F62696E2F6C73202F7661722F72756E2F6E7470642F6E7470642E706964 terminal=? res=success'
    type=CRED_ACQ msg=audit(1444501641.521:195085): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
    type=USER_START msg=audit(1444501641.521:195086): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
    type=USER_END msg=audit(1444501641.523:195087): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
    type=CRED_DISP msg=audit(1444501641.523:195088): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
    type=USER_CMD msg=audit(1444501641.542:195089): pid=26598 uid=998 auid=4294967295 ses=4294967295 msg='cwd="/usr/clearos/framework/htdocs/app" cmd=2F7362696E2F657468746F6F6C2065746831 terminal=? res=success'

    I would say there are 10-100 of these per second. Is there any way to slow this down? (SSDs will thank you).

    [root@system audit]# while true : ; do ls -al audit.log ; sleep 10 ; done
    -rw------- 1 root root 270687 Oct 10 11:33 audit.log
    -rw------- 1 root root 318669 Oct 10 11:33 audit.log
    -rw------- 1 root root 385566 Oct 10 11:33 audit.log

    These can log 10-100 events per second.

    Also in the messages log file there is a stream of:

    system systemd: Started Session xxxxx of user root. to the tune of thousands per day.

    How can I remove these audit events? It makes finding real problems an issue, as there is so much junk to sift through, plus the rate at which they are logged will be abusive to an SSD.

    Please help me get these events under control. Thanks.
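    Added example (not part of the original post or of ClearOS): a small Python triage script that parses audit records like the ones above, decodes the hex-encoded cmd field that auditd uses for values containing spaces, and tallies event types, decoded commands and the event rate, so you can see what uid 998 is actually running via sudo before deciding which events to filter out. The sample input is the five lines copied from the post.

```python
import re
from collections import Counter

# Sample input: the five audit.log lines quoted in the post above.
SAMPLE = """\
type=USER_CMD msg=audit(1444501641.520:195084): pid=26593 uid=998 auid=4294967295 ses=4294967295 msg='cwd="/usr/clearos/framework/htdocs/app" cmd=2F62696E2F6C73202F7661722F72756E2F6E7470642F6E7470642E706964 terminal=? res=success'
type=CRED_ACQ msg=audit(1444501641.521:195085): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1444501641.521:195086): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1444501641.523:195087): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1444501641.523:195088): pid=26593 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1444501641.542:195089): pid=26598 uid=998 auid=4294967295 ses=4294967295 msg='cwd="/usr/clearos/framework/htdocs/app" cmd=2F7362696E2F657468746F6F6C2065746831 terminal=? res=success'
"""

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")  # key=value, value may be quoted

def decode_value(value):
    """auditd quotes 'safe' strings and hex-encodes ones with spaces or quotes."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_line(line):
    """Return a dict of fields for one audit record, or None if it does not parse."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in FIELD.findall(m["rest"]):
        if key == "msg":  # nested msg='...' carries its own key=value list
            for k2, v2 in FIELD.findall(val.strip("'")):
                rec[k2] = decode_value(v2)
        else:
            rec[key] = val
    return rec

def summarize(lines):
    """Count record types and decoded sudo commands, and estimate the event rate."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    by_type = Counter(r["type"] for r in recs)
    cmds = Counter(r["cmd"] for r in recs if r.get("cmd"))
    span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
    rate = len(recs) / span if span > 0 else float("inf")
    return {"total": len(recs), "by_type": by_type, "cmds": cmds, "rate_per_s": rate}

if __name__ == "__main__":
    for k, v in summarize(SAMPLE.splitlines()).items():
        print(k, v)
```

Point it at a real audit.log (`summarize(open("/var/log/audit/audit.log"))`) to see which decoded commands account for the bulk of the noise.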