
#1 2019-07-17 07:03:12

ia4fuFPc37
Member
Registered: 2019-07-17
Posts: 9

audit messages in dmesg?

I just noticed that I'm getting a bunch of audit messages in dmesg, eg:

[    0.800695] audit: initializing netlink subsys (disabled)
[    0.800695] audit: type=2000 audit(1563346040.539:1): state=initialized audit_enabled=0 res=1
[    3.962130] audit: type=1130 audit(1563346044.053:2): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    4.111783] audit: type=1130 audit(1563346044.203:3): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    4.234827] audit: type=1130 audit(1563346044.326:4): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-journal-flush comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
...
[   12.700182] audit: type=1130 audit(1563346052.793:42): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@620 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   12.716468] audit: type=1006 audit(1563346052.809:43): pid=1178 uid=0 old-auid=4294967295 auid=620 tty=(none) old-ses=4294967295 ses=1 res=1
[   12.808662] audit: type=1130 audit(1563346052.899:44): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@620 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
....
[   24.223406] audit: type=1130 audit(1563346064.316:56): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   29.505094] audit: type=1131 audit(1563346069.596:57): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@620 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   29.520540] audit: type=1131 audit(1563346069.613:58): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user-runtime-dir@620 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
....

a) Are these OK?
b) How come I'm getting them now?
c) If they are OK, then how can I stop them from showing?

Thanks

Last edited by ia4fuFPc37 (2019-07-17 07:04:49)


#2 2019-07-17 08:52:26

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: audit messages in dmesg?

ia4fuFPc37 wrote:

.... a) Are these OK?  ....

They are just audit messages. Even if you have not installed the audit daemon, the kernel audit module still generates the messages

ia4fuFPc37 wrote:

  ... b) How come I'm getting them now? ...

Audit has been enabled. I believe that both the Linux-hardened and the vanilla kernel are (now) compiled with the audit module, which is disabled at boot (i.e. audit=0). You have probably set the audit=1 kernel parameter in your boot-loader.

ia4fuFPc37 wrote:

... If they are OK, then how can I stop them from showing?...

Set the audit kernel parameter to audit=0. You don't say which kernel you are using, and anyway, without checking, I am not absolutely certain of the exact configuration used, but you might get away with just deleting audit=1. To check, you should find the compressed configuration file for the current kernel at /proc/config.gz. If you open it in a text editor and search for 'audit', you will find which flags have been set.

Irvine
edited for clarity

Last edited by IrvineHimself (2019-07-17 09:07:37)


And there she comes. The coin, the penny, perhaps it arrives with you!


#3 2019-07-19 03:21:14

ia4fuFPc37
Member
Registered: 2019-07-17
Posts: 9

Re: audit messages in dmesg?

Thanks for your reply.

I'm using the standard kernel as far as I know. systemctl reports   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: disabled), Active: inactive (dead). audit is not in my kernel parameters, but I found it in the config.gz.

A couple of quick follow-ups:

1. So everyone gets these messages unless they manually disable them?
2. If these messages are OK, what would it look like if there is a problem?

Thanks again


#4 2019-07-19 09:31:26

IrvineHimself
Member
From: Scotland
Registered: 2016-08-21
Posts: 275

Re: audit messages in dmesg?

In general, if the kernel is compiled with the audit module, then you can get audit msgs. This can be useful if, for example, you are using apparmor solely to run the firejail-default profile and have no intention of writing dedicated apparmor profiles.

I had to reboot into my vanilla kernel (which I try to keep as close to the default settings as possible) to check the current setup. Looking at your original post, the line with state=initialized audit_enabled=0 says that audit is disabled. In other words, that entire block is basically saying

The audit module is compiled into the kernel, but it's disabled :(

If you are getting other msgs apart from the block you posted, then something else is going on and you should get back to me.

With regard to your question about what it would look like if there was a problem: the Audit Framework doesn't really work like that. It's a very arcane subject (though well worth learning), but essentially, at my level, it is a way of monitoring files and processes for malicious activity. It can require a lot of setting up, and a fair degree of specialist expertise, but it is often one of the top recommendations when conducting a security audit (bad choice of words perhaps, but audit and security audit refer to two different things).


On the other hand, many people detest it, not least because it can seriously spam the other logs. As far as I can figure from the journalctl block you posted, you should be safe from audit spam.

Irvine

Last edited by IrvineHimself (2019-07-19 09:31:54)



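Two things in the thread lend themselves to a quick check: post #2's advice to look at /proc/config.gz and the audit= boot parameter, and post #4's point that the type=2000 line with audit_enabled=0 is what tells you auditing is off. The POSIX shell script below is an added example, not code from the thread or from any Arch package. It classifies audit lines from dmesg by record type, reports the audit state from the type=2000 record, and offers a helper to inspect the running kernel. The sample dmesg text is constructed from the lines quoted in the first post; the record type names (KERNEL, SERVICE_START, SERVICE_STOP, LOGIN, BPF) are the constants for those numbers in the kernel's include/uapi/linux/audit.h.

```shell
#!/bin/sh
# Added example: classify kernel audit records in dmesg output and report
# whether auditing is enabled. Not part of the thread; see the lead-in.

# Constructed sample, modelled on the dmesg lines quoted in the thread.
sample_dmesg() {
cat <<'EOF'
[    0.800695] audit: initializing netlink subsys (disabled)
[    0.800695] audit: type=2000 audit(1563346040.539:1): state=initialized audit_enabled=0 res=1
[    3.962130] audit: type=1130 audit(1563346044.053:2): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[    4.111783] audit: type=1130 audit(1563346044.203:3): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-udevd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   12.716468] audit: type=1006 audit(1563346052.809:43): pid=1178 uid=0 old-auid=4294967295 auid=620 tty=(none) old-ses=4294967295 ses=1 res=1
[   29.505094] audit: type=1131 audit(1563346069.596:57): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@620 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
EOF
}

# audit_state: read dmesg text on stdin and print "disabled", "enabled" or
# "unknown", based on the audit_enabled= field of the type=2000 record that
# the kernel emits when the audit subsystem initialises.
audit_state() {
    state=$(sed -n 's/.*type=2000 .*audit_enabled=\([0-9]*\).*/\1/p' | head -n 1)
    case "$state" in
        0)  echo disabled ;;
        "") echo unknown ;;
        *)  echo enabled ;;
    esac
}

# audit_type_counts: read dmesg text on stdin and print "type count" pairs,
# most frequent type first. Lines without a type= field are ignored.
audit_type_counts() {
    sed -n 's/.*audit: type=\([0-9]*\) .*/\1/p' | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# describe_type: map a numeric record type to its name from linux/audit.h.
describe_type() {
    case "$1" in
        2000) echo KERNEL ;;         # audit subsystem state (carries audit_enabled=)
        1130) echo SERVICE_START ;;  # systemd started a unit
        1131) echo SERVICE_STOP ;;   # systemd stopped a unit
        1006) echo LOGIN ;;          # a login session was created (auid/ses changed)
        1334) echo BPF ;;            # BPF program load/unload
        *)    echo UNKNOWN ;;
    esac
}

# audit_report: human-readable summary of the dmesg text on stdin.
audit_report() {
    input=$(cat)
    echo "audit state: $(printf '%s\n' "$input" | audit_state)"
    printf '%s\n' "$input" | audit_type_counts | while read -r type count; do
        echo "type=$type ($(describe_type "$type")): $count record(s)"
    done
}

# kernel_audit_config: the check post #2 describes, on the running kernel.
# /proc/config.gz exists only when the kernel was built with CONFIG_IKCONFIG_PROC.
kernel_audit_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -i '^CONFIG_AUDIT'
    else
        echo "/proc/config.gz not available on this kernel" >&2
    fi
    grep -o 'audit=[0-9]' /proc/cmdline 2>/dev/null \
        || echo "no audit= parameter on the kernel command line"
}

# Run on the constructed sample. On a real machine, pipe in `dmesg` instead
# and call kernel_audit_config to see the build-time and boot-time settings.
sample_dmesg | audit_report
```

On the sample this prints "audit state: disabled" followed by one line per record type, which matches the reading in post #4: the kernel has the audit subsystem built in, systemd still sends SERVICE_START/SERVICE_STOP records through it, but nothing is being collected. If audit_state reports "enabled" and you did not intend that, the audit= entry that kernel_audit_config shows from /proc/cmdline is the setting to look at.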

#5 2019-07-23 14:52:25

ia4fuFPc37
Member
Registered: 2019-07-17
Posts: 9

Re: audit messages in dmesg?

Thank you for your reply.

It's both reassuring and somewhat concerning. I understand the concept of audit can be the equivalent of just logging/tracing/verifying and therefore may be neither good nor bad, but there should be best-practice rules/analysis around this. And that's what the default should be.

Oh well. que sera, audit: type=1130

Last edited by ia4fuFPc37 (2019-07-23 14:53:33)


#6 2020-07-28 12:33:58

chibo
Member
Registered: 2018-04-27
Posts: 87

Re: audit messages in dmesg?

So how do I fix that? I'm getting type 1131 and 1334.


#7 2020-07-28 13:27:39

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 4,645

Re: audit messages in dmesg?

chibo, the OP has not been on the forum since July 2019. Please do not necrobump.

Closing.


How to post. A sincere effort to use modest and proper language and grammar is a sign of respect toward the community.
