  1. #1  flatplane (Just Joined!, joined May 2010, 9 posts)

    [auditd] when killed then kauditd logs to the console tty (?)


    Hello,

    I've noticed that when auditd is killed, every log message is then copied to the console tty. Is this normal, and is there any way to change this behaviour?

    Is there also a way to make sure auditd is always running, like some special inittab trick?


    Regards

    FP.

  2. #2  Segfault (Linux Engineer, joined Jun 2008, Acadiana, 877 posts)
    You can use inittab, yes. I'd use svscan.

  3. #3  flatplane (Just Joined!, joined May 2010, 9 posts)
    Thank you.

    Can somebody confirm for me

    1) that auditd does sometimes crash, and
    2) that kauditd, when no auditd is running, logs to /proc/kmsg using the "emergency" priority?

    I have a case where auditd seems to have crashed, because all the logs come to the console tty, but I don't know how to find out what exactly happened to auditd.

    Regards

  4. #4  (Just Joined!, joined Aug 2009, 83 posts)
    Quote, originally posted by flatplane:
    > that auditd does sometimes crash
    What distribution? Which distribution release? What kernel version? What auditd version? When did this behaviour start: when you installed your distribution, or when you (re-)configured something?


    Quote, originally posted by flatplane:
    > kauditd, when no auditd is running, logs to /proc/kmsg using the "emergency" priority?
    AFAIK that's not a default. Please share your settings: '(grep -v ^# /etc/audisp/audispd.conf /etc/audit/auditd.conf /etc/rsyslog.conf)|grep .;'.

  5. #5  flatplane (Just Joined!, joined May 2010, 9 posts)
    I meant kauditd without any auditd or audispd running. This is the case where someone has intentionally killed auditd; then only kauditd is logging. By default, it seems to log to kernel.emerg (at least that is what it can be compared to as a facility).

    I found a workaround:

    kernel.printk=4 4 1 7 in /etc/sysctl.conf

    That prevents logging to the console port.

    Regards

  6. #6  (Just Joined!, joined Aug 2009, 83 posts)
    As far as I know kauditd is part of the kernel and it doesn't do any "logging" on its own. On a host running auditd and syslogd, audispd is started as a child of auditd. With audispd running, killing auditd should result in the audispd.conf overflow_action directive rerouting messages, which by default is syslog; killing both audispd and auditd should by default reroute messages to syslog. And the console messages could possibly be solved with 'dmesg -n' as well.
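The posts above settle on two knobs, kernel.printk in /etc/sysctl.conf and dmesg -n, without saying why they work. The script below is an added example, not code from the thread or from the audit project: it models the situation the posts describe. When no audit daemon is registered with the kernel (pid 0 in `auditctl -s`), the kernel hands audit records to printk instead of to the netlink socket, and those records are emitted at KERN_NOTICE (level 5); they appear on the console whenever console_loglevel, the first field of kernel.printk, is greater than 5. The two `auditctl -s` output shapes and the kernel.printk strings used as input are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. It decides whether audit records
# would spill onto the console if auditd dies, from (a) the registered daemon
# pid shown by `auditctl -s` and (b) the kernel.printk sysctl value, and it
# derives the least intrusive console_loglevel that hides them.
# Assumption (mine, not stated in the thread): the kernel prints unclaimed
# audit records at KERN_NOTICE, numeric level 5.

AUDIT_PRINTK_LEVEL=5   # KERN_NOTICE (assumed level of unclaimed audit records)

# Pull the registered daemon pid out of `auditctl -s` output. Both the older
# one-line "AUDIT_STATUS: ... pid=1234 ..." form and the newer "pid 1234" form
# are handled; an empty result is treated as 0 by the caller.
audit_pid_from_status() {
    printf '%s\n' "$1" | grep -o 'pid[= ][0-9]*' | head -n 1 | tr -dc '0-9'
}

# First field of kernel.printk ("7 4 1 7") is console_loglevel: messages whose
# level is strictly below it are printed on the console. $1 is deliberately
# unquoted so the shell splits the four fields.
console_loglevel_from_printk() {
    set -- $1
    printf '%s\n' "$1"
}

# Exit status 0 when audit records would reach the console: no daemon is
# registered and console_loglevel lets KERN_NOTICE through.
audit_would_hit_console() {
    pid=$(audit_pid_from_status "$1")
    level=$(console_loglevel_from_printk "$2")
    [ "${pid:-0}" -eq 0 ] && [ "$level" -gt "$AUDIT_PRINTK_LEVEL" ]
}

# Cap console_loglevel at the audit record level, so KERN_NOTICE and quieter
# messages stay off the console while KERN_WARNING and more severe ones still
# show. The other three fields of kernel.printk are preserved.
printk_with_capped_console() {
    set -- $1
    cap=$AUDIT_PRINTK_LEVEL
    if [ "$1" -gt "$cap" ]; then
        printf '%s %s %s %s\n' "$cap" "$2" "$3" "$4"
    else
        printf '%s %s %s %s\n' "$1" "$2" "$3" "$4"
    fi
}

# Constructed sample inputs (not captured from a real host).
STATUS_NO_DAEMON='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=320 lost=0 backlog=0'
STATUS_RUNNING='enabled 1
failure 1
pid 4211
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
PRINTK_DEFAULT='7 4 1 7'

if audit_would_hit_console "$STATUS_NO_DAEMON" "$PRINTK_DEFAULT"; then
    echo "no auditd registered and console_loglevel passes KERN_NOTICE: audit records will land on the console"
    echo "one-shot: dmesg -n $AUDIT_PRINTK_LEVEL"
    echo "persistent: kernel.printk = $(printk_with_capped_console "$PRINTK_DEFAULT") in /etc/sysctl.conf"
fi
```

Two points this makes concrete. The "4 4 1 7" value from post #5 works, but it also hides KERN_WARNING messages; 5 is the lowest console_loglevel that silences the audit records and nothing more severe. And lowering the console level only stops the spill onto the tty; the records still go through printk to the kernel log buffer (where klogd/syslogd pick them up, as post #6 says), so the real fix for a killed auditd remains keeping it supervised, as posts #1 and #2 discuss.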
