- 09-27-2010 #1
[auditd] when killed then kauditd logs to the console tty (?)
Hello,
I've noticed that when auditd is killed, every log message is then copied to the console tty. Is this normal, and is there any way to change this behaviour?
Is there also a way to force auditd to always be running, like some special inittab trick?
Regards
FP.
- 09-27-2010 #2
You can use inittab, yes. I'd use svscan.
- 09-27-2010 #3
Thank you.
Can somebody confirm for me
1) that auditd does happen to crash sometimes, and
2) that kauditd, when no auditd is running, logs to /proc/kmsg using the "emergency" priority?
I've got a case where auditd seems to have crashed, because all the logs come to the console tty, but I don't know how to find out what exactly happened to auditd.
Regards
- 09-27-2010 #4
What distribution? Distribution release? What kernel version? What Auditd version? When did this behaviour start? When you installed your distribution? When you (re-)configured something?
AFAIK that's not a default. Please share your settings: '(grep -v ^# /etc/audisp/audispd.conf /etc/audit/auditd.conf /etc/rsyslog.conf)|grep .;'.
- 09-27-2010 #5
I meant kauditd without any auditd or audispd running. This is the case where someone has intentionally killed auditd; then only kauditd is logging. By default, it seems to log to kernel.emerg (at least that is what it can be compared to as a facility).
I found a workaround:
kernel.printk=4 4 1 7 in /etc/sysctl.conf
That prevents logging to the console port.
Regards
- 09-28-2010 #6
As far as I know, kauditd is part of the kernel and it doesn't do any "logging" on its own. On a host running auditd and syslogd, audispd is started as a child of auditd; with audispd running, killing auditd should result in the audispd.conf overflow_action directive rerouting messages, which by default is syslog. Killing both audispd and auditd should by default reroute messages to syslog. And the console messages could possibly be solved with 'dmesg -n' as well.
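Added example (not from this thread or the audit project) to take the guesswork out of the kernel.printk workaround and the 'dmesg -n' suggestion above: it decodes the four fields of kernel.printk (console_loglevel, default_message_loglevel, minimum_console_loglevel, default_console_loglevel) so you can check which syslog levels a value like "4 4 1 7" still lets through to the console, and it clamps a requested console level to the minimum field, which is the floor 'dmesg -n' respects. The sample values are constructed; only current_printk touches the live system.

```shell
#!/bin/sh
# Added example, not the forum poster's code. Level numbers are the
# syslog ones: 0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice,
# 6 info, 7 debug. The kernel echoes a message on the console only
# when its level is numerically BELOW console_loglevel (field 1).

# Read the live value on a real host (not used by the offline samples).
current_printk() { cat /proc/sys/kernel/printk; }

# console_shows "<four fields>" LEVEL -> true if LEVEL reaches the console
console_shows() {
    level=$2
    set -- $1                     # split "c d m D" into $1..$4
    [ "$level" -lt "$1" ]
}

# quiet_console "<four fields>" WANTED -> same value with console_loglevel
# lowered to WANTED, but never below minimum_console_loglevel (field 3),
# mirroring the floor the kernel applies to 'dmesg -n'.
quiet_console() {
    want=$2
    set -- $1
    if [ "$want" -lt "$3" ]; then want=$3; fi
    printf '%s %s %s %s\n' "$want" "$2" "$3" "$4"
}

# Constructed sample: the workaround value from the thread.
SAMPLE="4 4 1 7"
for lvl in 0 1 2 3 4 5 6 7; do
    if console_shows "$SAMPLE" "$lvl"; then
        echo "level $lvl: still echoed on console"
    else
        echo "level $lvl: suppressed"
    fi
done
# To apply persistently: put "kernel.printk = $(quiet_console "7 4 1 7" 4)"
# in /etc/sysctl.conf and run 'sysctl -p'; 'dmesg -n 4' is the runtime equivalent.
```

Note that a "4 4 1 7" setting silences notice/info/debug but still lets emerg through crit reach the console, so if the messages you see are really at the emergency priority the first field has to be lowered to 1 (the minimum field) to hide them.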