On Tuesday 10 January 2006 13:48, Lisa Giacchetti wrote:
> Technically I do not need file system auditing. My primary goal is
> to get rid of the thousands of messages in /var/log/messages of the
> type:

The patches that we sent upstream did not go in a terribly organized way.
There was a patch specifically to stop user space originating audit messages
when the audit system was disabled. I think you may need 2.6.14 to have that
patch.
In any event, the audit daemon enables auditing on startup. So, just doing
"chkconfig --level 2345 auditd off" should do it. The RHEL4 audit package
shipped with the audit daemon disabled, so it got enabled somehow.

> The system is based on RHEL4. It comes with audit-0.5-1 and
> audit-libs-1.0.3-6.EL4 installed.

0.5 was an empty package.

> I have found that upgrading to the newer version, audit-1.0.3-6.EL4,
> moves the audit messages above to /var/log/audit/audit.log.
> Even with the error at start, this is accomplished.

Using 1.0.3 might be the best solution if you have a kernel without the patch
to stop user space originating messages. Just set the log size low and tell
it to suspend logging when the file gets too big.
flush = INCREMENTAL
freq = 50
num_logs = 2
max_log_file = 1
max_log_file_action = SUSPEND
-Steve