From: "Timothy R. Chavez"
Subject: Re: Audit messages on console
Date: Fri, 03 Aug 2007 13:54:48 -0500
Message-ID: <1186167288.27344.20.camel@localhost.localdomain>
In-Reply-To: <95470FF653FF324C8171194A81299CE01557491A@zrc2hxm2.corp.nortel.com>
To: Ameel Kamboh
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 2007-08-03 at 13:26 -0500, Ameel Kamboh wrote:
> I notice that if the auditd service is not running,
> I see all my audit logs go out on the console.
> When I start the auditd service they go to the appropriate log file.
> Is there a way to turn this off in the kernel?
>

Hi Ameel,

If audit is enabled, but auditd isn't running, the audit records will be delivered to userspace via printk (KERN_NOTICE <5>). So perhaps you'll just need to edit /etc/sysconfig and route kern.5 accordingly?

If you do not wish to generate (nor receive) audit records while auditd is stopped, disable audit like so:

    auditctl -e 0

-tim

> Below is my auditd.conf file:
>
> log_file = /var/log/audit/audit.log
> log_format = RAW
> priority_boost = 3
> flush = INCREMENTAL
> freq = 20
> num_logs = 10
> max_log_file = 50
> max_log_file_action = ROTATE
> space_left = 750
> space_left_action = SYSLOG
> action_mail_acct = root
> admin_space_left = 250
> admin_space_left_action = SYSLOG
> disk_full_action = SYSLOG
> dispatcher = /usr/sbin/SnareDispatcher /sbin/auditspd
>
> Ameel Kamboh
> SIP Core Network and Security
> Phone: 972.685.4922 (esn 445-4922)
> Mobile: 978-590-2280
> SIP: akamboh@techtrial.com
> email: akamboh@nortel.com
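An added example, not part of the thread or of the audit project: a small POSIX shell helper that applies the rule Tim describes (audit enabled, no auditd registered, records emitted by printk at KERN_NOTICE, level 5) and adds the one caveat a practitioner wants, namely that the kernel only shows a printk on the console when its level is below the console loglevel in /proc/sys/kernel/printk. The "enabled N" / "pid N" line format for `auditctl -s` output is assumed, and the inputs below are constructed samples rather than output from a real host.

```shell
#!/bin/sh
# Decide where kernel audit records end up: "off" (audit disabled),
# "auditd" (a daemon holds the netlink socket), "console" (printk at
# KERN_NOTICE reaches the console) or "kernel-log-only" (printk still goes
# to the kernel log / syslog kern facility, but the console loglevel hides it).

# Pull one "name value" field out of auditctl -s style text (format assumed).
audit_field() {  # $1 = field name, $2 = status text
    printf '%s\n' "$2" | awk -v f="$1" '$1 == f { print $2; exit }'
}

# The first field of /proc/sys/kernel/printk is the console loglevel;
# a message is shown on the console only when its level is below it.
console_loglevel() {  # $1 = contents of /proc/sys/kernel/printk, e.g. "7 4 1 7"
    printf '%s\n' "$1" | awk '{ print $1 }'
}

audit_sink() {  # $1 = auditctl -s text, $2 = printk text
    enabled=$(audit_field enabled "$1")
    pid=$(audit_field pid "$1")
    level=$(console_loglevel "$2")
    if [ "${enabled:-0}" -eq 0 ]; then
        echo off
    elif [ "${pid:-0}" -ne 0 ]; then
        echo auditd
    elif [ "${level:-7}" -gt 5 ]; then   # KERN_NOTICE is 5
        echo console
    else
        echo kernel-log-only
    fi
}

# Constructed samples: audit on, no daemon registered (pid 0), default loglevels.
SAMPLE_STATUS_NO_DAEMON='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 320'
SAMPLE_PRINTK='7 4 1 7'

# Stand-alone demo; on a real host use: audit_sink "$(auditctl -s)" "$(cat /proc/sys/kernel/printk)"
audit_sink "$SAMPLE_STATUS_NO_DAEMON" "$SAMPLE_PRINTK"
```

Lowering the console loglevel (for example `dmesg -n 5`) stops the records appearing on the console without disabling audit, but they are then only in the kernel log until auditd is started again.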