public inbox for linux-audit@redhat.com
* I'd like to turn auditd off but...
@ 2011-11-22  1:04 Brian Ross
  2011-11-22  1:12 ` Stephen John Smoogen
  2011-11-22  2:30 ` Linda Knippers
  0 siblings, 2 replies; 3+ messages in thread
From: Brian Ross @ 2011-11-22  1:04 UTC (permalink / raw)
  To: linux-audit@redhat.com

I have a client who is still running RHEL3. Over the last 12 months the auditd process has become steadily more and more intrusive and is causing problems. I have attempted to turn it off, but whenever I do so, SSH logins suddenly stop working.

At the moment the only way I have to manage the auditd process is to regularly delete the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it off without affecting other things?

Cheers

Brian Ross

Brian Ross
Technical Consultant

ASG Group Limited
Level 1 / 267 St Georges Tce.
Perth, WA, 6000
Telephone            +61 8 9420 5451
Mobile                   +61 0434 181 701
Facsimile              +61 8 9420 5422
Brian.Ross@asggroup.com.au
http://www.asggroup.com.au/

* Re: I'd like to turn auditd off but...
  2011-11-22  1:04 I'd like to turn auditd off but Brian Ross
@ 2011-11-22  1:12 ` Stephen John Smoogen
  2011-11-22  2:30 ` Linda Knippers
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen John Smoogen @ 2011-11-22  1:12 UTC (permalink / raw)
  Cc: linux-audit@redhat.com

On 21 November 2011 18:04, Brian Ross <Brian.Ross@asggroup.com.au> wrote:

>  I have a client who is still running RHEL3.  Over the last 12 months the
> auditd process has become steadily more and more intrusive and causing
> problems.   I have attempted to turn it off but whenever I do so, suddenly
> SSH logins stop working.
>
> At the moment the only way I have to manage the auditd process is to
> regularly delete the 2+GB of log files it creates every 4 hours.   Can
> anybody tell me how to turn it off without affecting other things?
>
>

I would say that your user has other problems that need to be addressed
before you can turn off audit.

1) Audit doesn't have anything to do with sshd that I can remember in
RHEL-3. So if turning off one is turning off the other, then I would start
looking at a compromised system.
2) 2GB every 4 hours means there is something really wrong. Again I would
say it's either a compromised system or a hardware issue.

-- 
Stephen J Smoogen.
"The core skill of innovators is error recovery, not failure avoidance."
Randy Nelson, President of Pixar University.
"Let us be kind, one to another, for most of us are fighting a hard
battle." -- Ian MacLaren


* Re: I'd like to turn auditd off but...
  2011-11-22  1:04 I'd like to turn auditd off but Brian Ross
  2011-11-22  1:12 ` Stephen John Smoogen
@ 2011-11-22  2:30 ` Linda Knippers
  1 sibling, 0 replies; 3+ messages in thread
From: Linda Knippers @ 2011-11-22  2:30 UTC (permalink / raw)
  To: Brian Ross; +Cc: linux-audit@redhat.com

Brian Ross wrote:
> I have a client who is still running RHEL3.  Over the last 12 months the auditd process 
> has become steadily more and more intrusive and causing problems.   I have attempted to 
> turn it off but whenever I do so, suddenly SSH logins stop working.
> 
> At the moment the only way I have to manage the auditd process is to regularly delete 
> the 2+GB of log files it creates every 4 hours.   Can anybody tell me how to turn it 
> off without affecting other things?

If other services stop running when you turn off auditing, that probably means
that those services are configured to audit their activity and to fail if
they can't audit.

The audit subsystem in RHEL3 was based on the LAuS subsystem and is different
from more modern releases.  The configuration guide HP posted when we did our
common criteria evaluation for RHEL3 is posted here:
http://h71028.www7.hp.com/enterprise/downloads/HP-RHEL-EAL3-Configuration-Guide.pdf
It describes LAuS, its configuration files and the pam configuration that
might be in use.  By fiddling with the pam_laus.so configuration in the
various /etc/pam.d files, you may be able to disable or relax the audit
requirement.

There are also options that tell the LAuS auditd to reuse audit files rather than
consuming more space, so you might want to check those.

It sounds like you've got something wrong, either with the system or the audit
rules you're using, if you're generating that much audit traffic. So if you
actually do want to run audit, you might check the rules and investigate why
you're getting so much traffic.  Yeah, I'm stating the obvious. :-)

-- ljk
