  1. #1 (Just Joined!, joined Sep 2010, 8 posts)

    [solved] audit problem

    Hi, I'm new and I don't know how I could have disabled Audit, or how to restart it.

    Can someone help me?

    Here are the latest logs:
    Code:
    type=USER_END msg=audit(1285497675.845:84): user pid=2129 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=CRED_DISP msg=audit(1285497675.846:85): user pid=2129 uid=0 auid=500 ses=3 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=USER_END msg=audit(1285497720.415:86): user pid=2048 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=CRED_DISP msg=audit(1285497720.415:87): user pid=2048 uid=0 auid=500 ses=2 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=CRED_DISP msg=audit(1285497725.926:88): user pid=2187 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/4 res=success'
    type=USER_END msg=audit(1285497725.926:89): user pid=2187 uid=0 auid=500 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/4 res=success'
    type=USER_END msg=audit(1285497726.477:90): user pid=2159 uid=0 auid=500 ses=4 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=CRED_DISP msg=audit(1285497726.477:91): user pid=2159 uid=0 auid=500 ses=4 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="selinux" exe="/usr/sbin/sshd" hostname=192.168.1.2 addr=192.168.1.2 terminal=ssh res=success'
    type=USER_AUTH msg=audit(1285497739.735:92): user pid=2274 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:unix_chkpwd acct="selinux" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
    type=USER_AVC msg=audit(1285497746.145:93): user pid=1031 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.PolicyKit1.Authority member=EnumerateTemporaryAuthorizations dest=org.freedesktop.PolicyKit1 spid=1449 tpid=1451 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    type=SYSTEM_RUNLEVEL msg=audit(1285497746.201:94): user pid=2279 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 msg='old-level=5 new-level=0: exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
    type=SYSTEM_SHUTDOWN msg=audit(1285497746.201:95): user pid=2279 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:consolekit_t:s0-s0:c0.c1023 msg='init: exe="/sbin/shutdown" hostname=? addr=? terminal=? res=success'
    type=AVC msg=audit(1285497746.241:96): avc:  denied  { write } for  pid=1449 comm="polkit-gnome-au" name="orbit-gdm" dev=dm-0 ino=131204 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
    type=AVC msg=audit(1285497746.241:97): avc:  denied  { remove_name } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
    type=AVC msg=audit(1285497746.241:98): avc:  denied  { unlink } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file
    type=DAEMON_END msg=audit(1285497748.832:3543): auditd normal halt, sending auid=0 pid=2415 subj=system_u:system_r:initrc_t:s0 res=success
    Last edited by LucaREz; 09-27-2010 at 03:50 PM.

  2. #2 ved (Linux User, New Delhi, joined Jan 2008, 309 posts)

    Run this command as root:
    Code:
    [ved@localhost ~]$ rpm -qa | grep -i audit
    put the output here

  3. #3 (Just Joined!, joined Sep 2010, 8 posts)
    Code:
    [root@fedora32 selinux]# rpm -qa | grep -i audit
    audit-2.0.4-3.fc13.i686
    audit-libs-2.0.4-3.fc13.i686
    audit-libs-python-2.0.4-3.fc13.i686

  4. #4 Rubberman (Linux Guru, joined Apr 2009, 8,974 posts; location: "I can be found either 40 miles west of Chicago, or in a galaxy far, far away.")
    As root, try the command: auditd -s enable
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  5. #5 (Just Joined!, joined Sep 2010, 8 posts)
    I also tried /etc/init.d/auditd start and restart, but it doesn't actually start.
    Code:
    type=AVC msg=audit(1285497746.241:96): avc:  denied  { write } for  pid=1449 comm="polkit-gnome-au" name="orbit-gdm" dev=dm-0 ino=131204 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
    type=AVC msg=audit(1285497746.241:97): avc:  denied  { remove_name } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
    type=AVC msg=audit(1285497746.241:98): avc:  denied  { unlink } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file
    type=DAEMON_END msg=audit(1285497748.832:3543): auditd normal halt, sending auid=0 pid=2415 subj=system_u:system_r:initrc_t:s0 res=success
    type=DAEMON_START msg=audit(1285598545.190:1877): auditd start, ver=2.0.4 format=raw kernel=2.6.33.3-85.fc13.i686 auid=500 pid=3572 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
    type=CONFIG_CHANGE msg=audit(1285599513.068:103): audit_backlog_limit=320 old=64 auid=500 ses=7 subj=unconfined_u:system_r:auditctl_t:s0 res=1
    type=DAEMON_END msg=audit(1285599523.193:1878): auditd normal halt, sending auid=500 pid=3596 subj=unconfined_u:system_r:initrc_t:s0 res=success
    type=DAEMON_START msg=audit(1285599523.319:6945): auditd start, ver=2.0.4 format=raw kernel=2.6.33.3-85.fc13.i686 auid=500 pid=3615 subj=unconfined_u:system_r:auditd_t:s0 res=success
    type=CONFIG_CHANGE msg=audit(1285599523.423:106): audit_enabled=1 old=1 auid=500 ses=7 subj=unconfined_u:system_r:auditd_t:s0 res=1
    type=CONFIG_CHANGE msg=audit(1285599523.426:107): audit_backlog_limit=320 old=320 auid=500 ses=7 subj=unconfined_u:system_r:auditctl_t:s0 res=1
    It only adds those rows, but it doesn't report any permission calls.
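    As an added example (not posted by anyone in this thread), here is a small Python parser for audit.log records in the format shown above. It does three things a defender wants from these lines: it counts SELinux AVC denials by source domain, target type, object class and permission; it measures the gap between each DAEMON_END and the next DAEMON_START, i.e. the window in which nothing was recorded at all (the situation described in posts #1 and #5); and it raises an alert when a CONFIG_CHANGE record sets audit_enabled=0. The sample input is the lines posted in this thread plus one constructed audit_enabled=0 record to exercise the alert; the function names (parse_record, summarize, domain) and the 60-second gap threshold are this example's own choices, not part of audit's tooling.

```python
import re
from collections import Counter

# Record header: type=<TYPE> msg=audit(<secs.millis>:<serial>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs in the body; values may be double-quoted (comm="polkit-gnome-au")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# permission set of an AVC record:  avc:  denied  { write } for ...
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

# Sample input: the records posted in this thread, plus one CONSTRUCTED
# audit_enabled=0 record (the last line) so the alert path is exercised.
SAMPLE_LOG = """\
type=AVC msg=audit(1285497746.241:96): avc:  denied  { write } for  pid=1449 comm="polkit-gnome-au" name="orbit-gdm" dev=dm-0 ino=131204 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
type=AVC msg=audit(1285497746.241:97): avc:  denied  { remove_name } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=dir
type=AVC msg=audit(1285497746.241:98): avc:  denied  { unlink } for  pid=1449 comm="polkit-gnome-au" name="linc-5a9-0-3a9ff9a9b0123" dev=dm-0 ino=131396 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file
type=DAEMON_END msg=audit(1285497748.832:3543): auditd normal halt, sending auid=0 pid=2415 subj=system_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1285598545.190:1877): auditd start, ver=2.0.4 format=raw kernel=2.6.33.3-85.fc13.i686 auid=500 pid=3572 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success
type=DAEMON_END msg=audit(1285599523.193:1878): auditd normal halt, sending auid=500 pid=3596 subj=unconfined_u:system_r:initrc_t:s0 res=success
type=DAEMON_START msg=audit(1285599523.319:6945): auditd start, ver=2.0.4 format=raw kernel=2.6.33.3-85.fc13.i686 auid=500 pid=3615 subj=unconfined_u:system_r:auditd_t:s0 res=success
type=CONFIG_CHANGE msg=audit(1285599523.423:106): audit_enabled=1 old=1 auid=500 ses=7 subj=unconfined_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1285599600.000:110): audit_enabled=0 old=1 auid=500 ses=7 subj=unconfined_u:system_r:auditctl_t:s0 res=1
"""


def domain(context):
    """SELinux type component of a context (system_u:system_r:xdm_t:s0 -> xdm_t)."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m['body'])}
    perm = PERM_RE.search(m['body'])
    return {
        'type': m['type'],
        'time': float(m['time']),
        'serial': int(m['serial']),
        'fields': fields,
        'perms': perm.group(1).split() if perm else [],
    }


def summarize(log_text, max_gap_seconds=60.0):
    """Single pass over the log: denial counts, daemon lifecycle, coverage gaps, alerts."""
    denials = Counter()   # (source domain, target type, class, permission) -> count
    lifecycle = []        # (time, 'DAEMON_START' | 'DAEMON_END', pid)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        f = rec['fields']
        if rec['type'] == 'AVC':
            for perm in rec['perms']:
                denials[(domain(f.get('scontext', '')), domain(f.get('tcontext', '')),
                         f.get('tclass', '?'), perm)] += 1
        elif rec['type'] in ('DAEMON_START', 'DAEMON_END'):
            lifecycle.append((rec['time'], rec['type'], f.get('pid')))
        elif rec['type'] == 'CONFIG_CHANGE' and f.get('audit_enabled') == '0':
            alerts.append('auditing disabled (audit_enabled=0, old=%s) by auid=%s at %.3f'
                          % (f.get('old'), f.get('auid'), rec['time']))
    # Between a DAEMON_END and the next DAEMON_START nothing is recorded at all.
    gaps = []
    last_end = None
    for when, kind, _pid in sorted(lifecycle):
        if kind == 'DAEMON_END':
            last_end = when
        elif kind == 'DAEMON_START' and last_end is not None:
            gaps.append((last_end, when, when - last_end))
            last_end = None
    for end, start, seconds in gaps:
        if seconds > max_gap_seconds:
            alerts.append('auditd was down for %.1f s (%.3f -> %.3f)' % (seconds, end, start))
    return {'denials': denials, 'lifecycle': lifecycle, 'gaps': gaps, 'alerts': alerts}


if __name__ == '__main__':
    result = summarize(SAMPLE_LOG)
    for key, n in sorted(result['denials'].items()):
        print('%3d  %s -> %s  %s { %s }' % (n, *key))
    for end, start, seconds in result['gaps']:
        print('gap: %.3f s between DAEMON_END at %.3f and DAEMON_START at %.3f' % (seconds, end, start))
    for a in result['alerts']:
        print('ALERT:', a)
```

    On the thread's own lines this reports three denials for xdm_t against session_dbusd_tmp_t, a normal 0.126 s restart, and one long outage of roughly 28 hours between the first DAEMON_END and the next DAEMON_START; the constructed audit_enabled=0 line produces the second alert. Pointing it at a real /var/log/audit/audit.log is a quick way to confirm whether the daemon was actually recording during a period you care about, rather than trusting that the file exists.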

  6. #6 ved (Linux User, New Delhi, joined Jan 2008, 309 posts)
    If you have no requirement for audit, then remove it with this command as root:
    Code:
    [root@fedora32 selinux]# rpm -e audit-2.0.4-3.fc13.i686

  7. #7 (Just Joined!, joined Sep 2010, 8 posts)
    I need audit to see the access request in logs.

  8. #8 ved (Linux User, New Delhi, joined Jan 2008, 309 posts)

    I think this will help you; read this:
    http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

  9. #9 (Just Joined!, joined Sep 2010, 8 posts)
    Thanks, but until now I used
    Code:
    tail -f /var/log/audit/audit.log
    and it always worked. Why did it stop now?
    I need it to configure SELinux.

  10. #10 (Just Joined!, joined Sep 2010, 8 posts)
    Solved. I don't know why, but after
    Code:
    setenforce 1
    setenforce 0
    it started again as usual.
    Thank you, guys.
