Bug#773528: Fwd: Re: [systemd-devel] Quiesce audit message flood from 218
Martin Pitt
mpitt at debian.org
Mon Dec 29 13:26:18 GMT 2014
For the record, this is the response and kernel bug link from
upstream. I propose we keep the "don't enable audit" patch in Debian
until we get the kernel fix.
Martin
----- Forwarded message from Lennart Poettering <lennart at poettering.net> -----
Date: Mon, 29 Dec 2014 14:22:46 +0100
From: Lennart Poettering <lennart at poettering.net>
To: systemd-devel at lists.freedesktop.org
Subject: Re: [systemd-devel] Quiesce audit message flood from 218
X-Spam-Status: No, score=-1.9 required=3.4 tests=BAYES_00 autolearn=no version=3.3.2
On Sun, 28.12.14 12:45, Martin Pitt (martin.pitt at ubuntu.com) wrote:
> Hello all,
>
> systemd 218 now enables audit in the kernel unconditionally [1]. While
> these messages might be nice to have in the journal, they literally
> flood dmesg and thus /var/log/syslog and friends with messages like
>
> [39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
>
> $ dmesg |grep -c audit
> 786
>
> and more importantly, eats a lot of real kernel/daemon messages due to
> rate limiting: I have many dozen messages like
>
> [37444.978307] audit_printk_skb: 222 callbacks suppressed
>
> and they demonstrably cause e. g. AppArmor violations to not get shown
> due to this.
>
> Is there a way to make the audit messages *only* go to the journal,
> but not to dmesg and sysloggers? If not, could we perhaps add a
> ./configure or config file option for this, to disable audit on
> systems where we don't need it?
This is a known limitation of the in-kernel audit code, and is being
tracked here. Needs to be fixed in the kernel.
https://bugzilla.redhat.com/show_bug.cgi?id=1160046
Fix should be easy enough, but so far nobody looked into this yet.
Lennart
--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel at lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
----- End forwarded message -----
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
More information about the Pkg-systemd-maintainers
mailing list