Steve Grubb wrote:
On Tuesday 10 January 2006 14:31, Lisa Giacchetti wrote:
>So I installed 1.0.3-6 which did have auditd chkconfig'd off by default.
>And I rebooted. It did not work. Well I should say that auditd is not
>running but the messages are still there.
OK, your kernel does not have the patch, then. There are 3 options. You can try
for a newer kernel, or patch the one you are using, or use auditd to eat up
the messages but live with the error on boot. You will pay a performance
penalty for enabling the audit system. I can dig up the kernel patch if you
want to patch your kernel.
Yes I think this would be good. At some point we may want/need to have
auditing on so having it installed correctly is a good path to follow.
>>Using 1.0.3 might be the best solution if you have a kernel without the
>>patch to stop user space originating messages. Just set the log size low
>>and tell it to suspend logging when the file gets too big.
>>
>>flush = INCREMENTAL
>>freq = 50
>>num_logs = 2
>>max_log_file = 1
>>max_log_file_action = SUSPEND
>
>Won't I still have the problem of the error on start up?
Yes, but it's harmless - your kernel doesn't support file system auditing.
>It's like the -D option on line 5 is not a recognized option.
It is recognized, the error message is somewhat misleading (I think it was
updated in later versions). It is saying that it tried to get the list of
files being watched and the kernel didn't understand.
Good. I am comfortable with this.
>I really don't care about the error as long as I know that
>things are configured to not really start auditing.
Well, auditing comes in 2 layers. If auditing is enabled, all the syscalls
will pass through the audit system for inspection. There is a
performance penalty for this. The other layer is when you have rules loaded
that may trigger events. This will result in kernel audit messages.
Ok. I will keep this in mind if we decide to turn auditd on before we
have the kernel patch. Some of these systems are already heavily
loaded and it might not be a good idea to do.
Thanks again for all your help!!
Lisa
-Steve
--
Lisa Giacchetti
Fermilab Computing Division
USCMS Tier1 Facility Support
lisa at fnal dot gov | 1-630-840-8023
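
Added example, not part of the original thread and not code from the audit project: a small Python check that an auditd.conf with the settings quoted above really does cap how much disk the audit log can consume. The function names and SAMPLE_CONF are assumptions made for illustration; the sample is constructed from the five settings in the thread.

```python
# Added example (not from the thread): check that an auditd.conf bounds log growth.
# SAMPLE_CONF is constructed from the five settings quoted in the thread.
SAMPLE_CONF = """\
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
"""

def parse_auditd_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"not a 'key = value' line: {raw!r}")
        # Keys lower-cased, values upper-cased so comparisons ignore case.
        conf[key.strip().lower()] = value.strip().upper()
    return conf

def review(conf):
    """Return (approximate worst-case log size in MB, or None if unbounded; notes)."""
    notes = []
    try:
        size_mb = int(conf["max_log_file"])      # size is given in megabytes
        action = conf["max_log_file_action"]
    except KeyError as missing:
        raise ValueError(f"required setting absent: {missing}") from None
    num_logs = int(conf.get("num_logs", "0"))    # only used by ROTATE
    if action == "SUSPEND":
        bound = size_mb
        notes.append("auditd stops writing records to disk at the size limit")
    elif action == "ROTATE" and num_logs >= 2:
        bound = size_mb * num_logs
        notes.append(f"rotates across {num_logs} files")
    else:  # IGNORE, SYSLOG, KEEP_LOGS, ROTATE with num_logs < 2, or unknown
        bound = None
        notes.append(f"{action}: nothing caps total log size")
    if conf.get("flush") == "INCREMENTAL" and int(conf.get("freq", "0")) == 0:
        notes.append("flush = INCREMENTAL with freq = 0 gives no flush interval")
    return bound, notes

if __name__ == "__main__":
    bound, notes = review(parse_auditd_conf(SAMPLE_CONF))
    print("worst-case log size (MB):", bound)
    for note in notes:
        print(" -", note)
```

With SUSPEND the bound is the single file size, so num_logs has no effect; it only matters if the action is later switched to ROTATE.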