Brian Ross wrote:
I have a client who is still running RHEL3. Over the last 12 months the auditd process has become steadily more and more intrusive and causing problems. I have attempted to turn it off but whenever I do so, suddenly SSH logins stop working.
At the moment the only way I have to manage the auditd process is to regularly delete the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it off without affecting other things?
If other services stop running when you turn off auditing, that probably means
that those services are configured to audit their activity and to fail if
they can't audit.
The audit subsystem in RHEL3 was based on the LAuS subsystem and is different
from more modern releases. The configuration guide HP posted when we did our
common criteria evaluation for RHEL3 is posted here:
http://h71028.www7.hp.com/enterprise/downloads/HP-RHEL-EAL3-Configuration...
It describes LAuS, its configuration files and the pam configuration that
might be in use. By fiddling with the pam_laus.so configuration in the
various /etc/pam.d/ files, you may be able to disable or relax the audit
requirement.
There are also options that tell the LAuS auditd to reuse audit files rather than
consuming more space, so you might want to check those.
It sounds like you've got something wrong, either with the system or the audit rules you're using, if you're generating that much audit traffic, so if you actually do want to run audit, then you might check the rules and investigate why you're getting so much traffic. Yeah, I'm stating the obvious. :-)
-- ljk
Cheers
Brian Ross
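The reply above suggests looking at how pam_laus.so is wired into the /etc/pam.d files, because a service whose PAM stack treats the audit module as "required" or "requisite" will fail (for example, refuse SSH logins) when auditing is unavailable, while an "optional" entry lets the stack succeed. The following script is an added example, not from the list thread or from the HP guide: it inventories pam_laus.so entries under a given pam.d directory and counts the ones whose control flag makes the service fail without audit. The sample service files it builds in a temporary directory are constructed for the demo, and the placement of pam_laus.so in a session line is illustrative, not a claim about what RHEL3 shipped; run it against the real /etc/pam.d to see the actual stacks.

```shell
#!/bin/sh
# Added example (not part of the original thread): find pam_laus.so entries in a
# pam.d directory and report their PAM control flags. Sample files below are
# constructed; only /etc/pam.d and pam_laus.so come from the thread.

# Print one "service:control:module" line per active pam_laus.so entry.
# Commented-out lines are skipped. Argument: a pam.d directory.
pam_laus_entries() {
    dir="$1"
    ls "$dir"/* >/dev/null 2>&1 || return 0   # empty directory: nothing to report
    awk '!/^[[:space:]]*#/ && /pam_laus\.so/ {
            n = split(FILENAME, parts, "/")   # keep only the service file name
            print parts[n] ":" $2 ":" $3
         }' "$dir"/*
}

# Count entries whose control flag fails the whole stack when the audit module
# fails: "required" and "requisite" do, "optional" does not. Bracketed
# [...] control syntax is not classified here and counts as non-strict.
pam_laus_strict_count() {
    pam_laus_entries "$1" | awk -F: '$2 == "required" || $2 == "requisite" { n++ } END { print n + 0 }'
}

# --- demo on constructed files (hypothetical RHEL3-style stacks) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
session    required     pam_laus.so
EOF
cat > "$demo_dir/login" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
session    optional     pam_laus.so
EOF
cat > "$demo_dir/su" <<'EOF'
# session    required     pam_laus.so   (commented out, so not active)
auth       sufficient   pam_rootok.so
EOF

echo "pam_laus.so entries under $demo_dir:"
pam_laus_entries "$demo_dir"
echo "services that fail when audit is unavailable: $(pam_laus_strict_count "$demo_dir")"
rm -rf "$demo_dir"
```

For the constructed files this reports sshd:required:pam_laus.so and login:optional:pam_laus.so, with a strict count of 1; the commented-out line in su is ignored. On a real system, pass /etc/pam.d as the argument and the "required" entries are the services to examine before turning auditd off.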
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit