Alex,

This is a little outside my experience.
One assumes the audit_failure variable has been set in the kernel (kernel/audit.c). Perhaps you can test this. Given you can get a copy of the kernel source you are running, perhaps trace through what's happening. Using the messages before/during/directly after the death of auditd, and what's routing to dmesg, perhaps you can reverse engineer what is happening.

Perhaps someone else on the list can explain why, given -f is set to 0, and the kernel has no user space destination for audit, it still prints (via printk()?).

Regards

On Thu, 2015-08-20 at 13:17 +0300, Alex Beljanski wrote:
> We have a custom audit-dispatcher for process events. On some servers,
> when auditd fails, all audit messages are written to the kernel log.
> We don't want to see all these messages in dmesg and set the failure flag
> to "0". This doesn't help.
>
> # cat /etc/audit/auditd.conf
> log_file = /var/log/audit/audit.log
> log_format = NOLOG
> log_group = root
> priority_boost = 4
> flush = none
> num_logs = 1
> disp_qos = lossy
> dispatcher = /sbin/audit-dispatcher
> name_format = none
> max_log_file = 1
> max_log_file_action = keep_logs
> space_left = 75
> space_left_action = ignore
> admin_space_left = 50
> admin_space_left_action = ignore
> disk_full_action = ignore
> disk_error_action = ignore
> enable_krb5 = no
>
> cat /etc/audit/rules.d/audit.rules
> -D
> -b 8192
> -f 0
> -e 1
>
> -a exit,always -F arch=b32 -S 11 -k exec32
> -a exit,always -F arch=b64 -S 59 -k exec64
>
> 2015-08-20 12:39 GMT+03:00 Burn Alting <[email protected]>:
> > Alex,
> >
> > Can you provide a little more detail?
> >
> > Perhaps your /etc/audit/auditd.conf, /etc/audit/rules.d/*, your test
> > case, the expected outcome and the outcome you actually get.
> >
> > Regards
> >
> > On Thu, 2015-08-20 at 11:09 +0300, Alex Beljanski wrote:
> > > Hi!
> > >
> > > We have a problem in CentOS 7 with auditd.
> > >
> > > For our servers we set the failure flag to 0, but the kernel writes
> > > messages and we see them in dmesg.
> > >
> > > uname -a
> > > Linux 3.10.0-229.11.1.el7.x86_64 #1 SMP Thu Aug 6 01:06:18 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
> > >
> > > # rpm -qa | grep audit
> > > audit-2.4.1-5.el7.x86_64
> > >
> > > Why doesn't this work?

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
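As a companion to Burn's suggestion of tracing kernel/audit.c, here is an added example (mine, not code from either list participant or from the kernel tree): a small user-space model of the record-delivery decision that 3.10-era kernels make in audit_log_end(), audit_printk_skb(), audit_log_lost() and audit_panic(). The type, struct and function names in the block are my own stand-ins; only the kernel function names in the comments and the 0/1/2 values of the -f flag are real. The model deliberately omits the audit_lost warning line and the backlog handling, so check it against the kernel/audit.c you actually run, as Burn advises. What it shows is that the failure flag is read only on the "record lost" path (rate limit exceeded), while a record produced with no auditd registered is handed to printk without ever consulting audit_failure, which is the behaviour Alex describes.

```c
/*
 * Added example: user-space model of kernel/audit.c record routing
 * (3.10-era). Names below are mine; comments name the kernel functions
 * each one stands in for. Not code from the kernel or the list.
 */
#include <stdio.h>

/* Values the auditctl -f flag stores in the kernel's audit_failure. */
enum audit_failure_mode {
    AUDIT_FAIL_SILENT = 0,   /* -f 0 */
    AUDIT_FAIL_PRINTK = 1,   /* -f 1 (kernel default) */
    AUDIT_FAIL_PANIC  = 2    /* -f 2 */
};

/* Where one audit record ends up in this model. */
enum audit_route {
    ROUTE_DAEMON,        /* queued on netlink for auditd */
    ROUTE_PRINTK,        /* no auditd registered: printk'd, i.e. dmesg */
    ROUTE_LOST_SILENT,   /* dropped; -f 0 logs nothing about it */
    ROUTE_LOST_PRINTK,   /* dropped; -f 1 printk's "audit: <reason>" */
    ROUTE_LOST_PANIC     /* dropped; -f 2 would panic the kernel */
};

struct audit_state {
    int audit_pid;                   /* pid auditd registered, 0 if none */
    enum audit_failure_mode failure; /* kernel audit_failure, set by -f */
    int rate_limit_hit;              /* models !audit_rate_check() (-r) */
    int printk_limit_hit;            /* models !printk_ratelimit() */
    unsigned long audit_lost;        /* models the audit_lost counter */
};

/* Stands in for audit_panic(): the only place audit_failure is read. */
static enum audit_route model_audit_panic(const struct audit_state *st)
{
    switch (st->failure) {
    case AUDIT_FAIL_PRINTK:
        return ROUTE_LOST_PRINTK;
    case AUDIT_FAIL_PANIC:
        /* the kernel only panics when a daemon is registered */
        return st->audit_pid ? ROUTE_LOST_PANIC : ROUTE_LOST_SILENT;
    case AUDIT_FAIL_SILENT:
    default:
        return ROUTE_LOST_SILENT;
    }
}

/* Stands in for audit_log_lost(): count the loss, apply the -f policy. */
static enum audit_route model_audit_log_lost(struct audit_state *st)
{
    st->audit_lost++;
    return model_audit_panic(st);
}

/* Stands in for audit_log_end() followed by audit_printk_skb(). */
enum audit_route model_audit_log_end(struct audit_state *st)
{
    if (st->rate_limit_hit)
        return model_audit_log_lost(st);  /* -r limit: record is lost */
    if (st->audit_pid)
        return ROUTE_DAEMON;              /* normal case: hand to auditd */
    /*
     * No user-space consumer. The record is printk'd straight away and
     * audit_failure is never consulted on this path, so -f 0 cannot
     * silence it. Only a printk rate limit turns it into a lost record.
     */
    if (st->printk_limit_hit)
        return model_audit_log_lost(st);
    return ROUTE_PRINTK;
}

/* Convenience wrapper: route one record under the given conditions. */
enum audit_route route_for(int audit_pid, enum audit_failure_mode failure,
                           int rate_limit_hit, int printk_limit_hit)
{
    struct audit_state st = { audit_pid, failure, rate_limit_hit,
                              printk_limit_hit, 0 };
    return model_audit_log_end(&st);
}

static const char *route_name(enum audit_route r)
{
    static const char *names[] = { "queued for auditd", "printk (dmesg)",
                                   "lost, silent", "lost, printk",
                                   "lost, panic" };
    return names[r];
}

int main(void)
{
    /* Alex's case: -f 0, auditd gone, no rate limit in play. */
    printf("auditd dead, -f 0:     %s\n",
           route_name(route_for(0, AUDIT_FAIL_SILENT, 0, 0)));
    /* Same flag with auditd alive: nothing reaches dmesg. */
    printf("auditd alive, -f 0:    %s\n",
           route_name(route_for(1234, AUDIT_FAIL_SILENT, 0, 0)));
    /* Where -f does matter: a record dropped by the -r rate limit. */
    printf("rate limit hit, -f 0:  %s\n",
           route_name(route_for(1234, AUDIT_FAIL_SILENT, 1, 0)));
    printf("rate limit hit, -f 1:  %s\n",
           route_name(route_for(1234, AUDIT_FAIL_PRINTK, 1, 0)));
    return 0;
}
```

The practical consequence for the configuration quoted above is that -f 0 governs what happens when a record is dropped, not what happens when there is nobody to deliver it to; keeping auditd (or whatever registers as the audit daemon) alive is what keeps records out of dmesg.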
