Brian Ross wrote:
> I have a client who is still running RHEL3. Over the last 12 months the auditd process
> has become steadily more and more intrusive and causing problems. I have attempted to
> turn it off but whenever I do so, suddenly SSH logins stop working.
>
> At the moment the only way I have to manage the auditd process is to regularly delete
> the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it
> off without affecting other things?

If other services stop running when you turn off auditing, that probably means that those services are configured to audit their activity and to fail if they can't audit.

The audit subsystem in RHEL3 was based on the LAuS subsystem and is different from more modern releases. The configuration guide HP posted when we did our common criteria evaluation for RHEL3 is posted here:

http://h71028.www7.hp.com/enterprise/downloads/HP-RHEL-EAL3-Configuration-Guide.pdf

It describes LAuS, its configuration files and the pam configuration that might be in use. By fiddling with the pam_laus.so configuration in the various /etc/pam.d/ files, you may be able to disable or relax the audit requirement. There are also options that tell the LAuS auditd to reuse audit files rather than consuming more space, so you might want to check those.

It sounds like you've got something wrong, either with the system or the audit rules you're using, if you're generating that much audit traffic, so if you actually do want to run audit, then you might check the rules and investigate why you're getting so much traffic. Yeah, I'm stating the obvious. :-)

-- ljk

> Cheers
>
> Brian Ross

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
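
An added example, not part of the original message: a shell function that lists which PAM stacks reference pam_laus.so and whether the control flag makes a failure of that module fatal to the login, which is the dependency the reply describes. The sample tree, the `make_sample` helper and the verdict labels are constructed for illustration; on a real host the function would be pointed at /etc/pam.d.

```shell
#!/bin/sh
# Added example: report PAM services that call pam_laus.so and how a
# failure of that module affects the stack.

# laus_pam_report DIR -> one line per match: "service type control verdict"
laus_pam_report() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$(basename "$f")" '
            { sub(/#.*/, "") }              # drop full-line and trailing comments
            /pam_laus\.so/ {
                ctl = $2
                if (ctl == "required" || ctl == "requisite")
                    v = "blocking"          # module failure fails the whole stack
                else if (ctl ~ /^\[/)
                    v = "check-manually"    # bracketed control syntax: read by hand
                else
                    v = "non-blocking"      # optional / sufficient
                print svc, $1, ctl, v
            }' "$f"
    done
}

# Constructed sample standing in for /etc/pam.d (not taken from a real host;
# any module arguments a real pam_laus.so line carries are omitted here).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' 'auth     required  pam_stack.so service=system-auth' \
                  'session  required  pam_laus.so' > "$1/sshd"
    printf '%s\n' '#session required  pam_laus.so' \
                  'session  optional  pam_laus.so' > "$1/login"
    printf '%s\n' 'auth     required  pam_unix.so' > "$1/su"
}

sample=$(mktemp -d)
make_sample "$sample"
laus_pam_report "$sample"
rm -rf "$sample"
```

Services reported as `blocking` are the ones to review before stopping the audit daemon; run `laus_pam_report /etc/pam.d` on the affected host to get the real list.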
