On Tuesday 10 January 2006 14:31, Lisa Giacchetti wrote:
> So I installed 1.0.3-6 which did have auditd chkconfig'd off by
> default.
> And I rebooted. It did not work. Well I should say that auditd is not
> running but the messages are still there.
OK, your kernel does not have the patch, then. There are 3 options. You can try
for a newer kernel, or patch the one you are using, or use auditd to eat up
the messages but live with the error on boot. You will pay a performance
penalty for enabling the audit system. I can dig up the kernel patch if you
want to patch your kernel.
> > Using 1.0.3 might be the best solution if you have a kernel without the
> > patch to stop user space originating messages. Just set the log size low
> > and tell it to suspend logging when the file gets too big.
> >
> > flush = INCREMENTAL
> > freq = 50
> > num_logs = 2
> > max_log_file = 1
> > max_log_file_action = SUSPEND
> Won't I still have the problem of the error on start up?
Yes, but it's harmless - your kernel doesn't support file system auditing.
> It's like the -D option on line 5 is not a recognized option.
It is recognized, the error message is somewhat misleading (I think it was
updated in later versions). It is saying that it tried to get the list of
files being watched and the kernel didn't understand.
> I really don't care about the error as long as I know that
> things are configured to not really start auditing.
Well, auditing comes in 2 layers. If auditing is enabled, all the syscalls
will pass through the audit system for inspection. There is a
performance penalty for this. The other layer is when you have rules loaded
that may trigger events. This will result in kernel audit messages.
-Steve
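
The two layers described in the reply above can be checked separately from `auditctl -s` (kernel enabled flag) and `auditctl -l` (loaded rules). The script below is an added example, not part of the original thread; the function names are hypothetical, the sample outputs are constructed, and the two status layouts it parses (a one-line `enabled=1` form and a one-field-per-line `enabled 1` form) are assumptions about what different audit versions print.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from a real host).
OLD_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=256 lost=0 backlog=0'
NEW_STATUS='enabled 0
failure 1
pid 0
backlog_limit 320'
NO_RULES='No rules'
SOME_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -S chmod -k perm_mod'

# Layer 1: print the kernel "enabled" value found in `auditctl -s` output.
audit_enabled() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        /^enabled=/       { sub(/^enabled=/, ""); print; exit }  # one-line layout
        prev == "enabled" { print; exit }                        # field-per-line layout
        { prev = $0 }'
}

# Layer 2: count the rules listed by `auditctl -l` ("No rules" means zero).
audit_rule_count() {
    printf '%s\n' "$1" | grep -v -e '^No rules' -e '^[[:space:]]*$' | wc -l | tr -d ' '
}

# Report both layers on one line.
audit_layers() {
    _enabled=$(audit_enabled "$1")
    _rules=$(audit_rule_count "$2")
    case "$_enabled" in
        0)   _state=off ;;      # syscalls are not passed through the audit system
        1|2) _state=on ;;       # syscall inspection active (2 = enabled and locked)
        *)   _state=unknown ;;  # status text did not contain an enabled field
    esac
    echo "syscall_inspection=$_state rules_loaded=$_rules"
}

# On a live system (as root): audit_layers "$(auditctl -s)" "$(auditctl -l)"
audit_layers "$OLD_STATUS" "$NO_RULES"
audit_layers "$NEW_STATUS" "$SOME_RULES"
```
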