
OS: CentOS 7

I am trying to figure out how audit (kaudit) events are logged in /var/log/messages.

I have enabled audit=1 in grub, which means that when the server boots, kernel auditing is enabled. This is the desired state for this particular system and disabling audit is out of the question. My audit configuration is as follows:

# auditctl -s
enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 64
lost 7452643
backlog 0
loginuid_immutable 0 unlocked

Auditd, on the other hand, is disabled/stopped because I am using another tool to collect/consume the events generated by kernel audit.

My problem is that I noticed those audit events are logged in /var/log/messages:

2021-11-25T00:35:09.490607-08:00 myserver.local kernel: [4272426.343673] audit: type=1110 audit(1637829309.455:7426414): pid=2361 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success

I am trying to figure out how these messages end up in /var/log/messages, and the only thing I am sure of is that syslog is writing them there.

Actually, I am trying to trace how the audit events end up in rsyslog, and so far I have had no luck. My assumption is that journald is fetching those audit events and in turn forwarding them to rsyslog; however, I am not able to verify this.

Journald can establish a netlink socket with the kernel to get audit events; however, I don't see such a socket present in systemd.

# systemctl list-units --type=socket
UNIT                         LOAD   ACTIVE SUB       DESCRIPTION
dbus.socket                  loaded active running   D-Bus System Message Bus Socket
dm-event.socket              loaded active listening Device-mapper event daemon FIFOs
iscsid.socket                loaded active running   Open-iSCSI iscsid Socket
iscsiuio.socket              loaded active listening Open-iSCSI iscsiuio Socket
lvm2-lvmetad.socket          loaded active listening LVM2 metadata daemon socket
lvm2-lvmpolld.socket         loaded active listening LVM2 poll daemon socket
nscd.socket                  loaded active running   Name Service Cache Daemon Socket
rpcbind.socket               loaded active running   RPCbind Server Activation Socket
systemd-initctl.socket       loaded active listening /dev/initctl Compatibility Named Pipe
systemd-journald.socket      loaded active running   Journal Socket
systemd-shutdownd.socket     loaded active listening Delayed Shutdown Socket
systemd-udevd-control.socket loaded active running   udev Control Socket
systemd-udevd-kernel.socket  loaded active running   udev Kernel Socket


# systemctl status systemd-journald-audit.socket
Unit systemd-journald-audit.socket could not be found.

Now the weird thing is that if I list the netlink sockets in the system, I can see one related to audit and systemd:

# ss -a -f netlink | grep audit
UNCONN 0      0              audit:systemd/1                        *
UNCONN 0      0              audit:sudo/3144                        *
UNCONN 0      0              audit:kernel                           *
UNCONN 0      0              audit:sudo/14889                       *

Any idea how these logs end up in syslog, and what creates this audit:systemd socket and how?

Most importantly, how do I stop journald from gathering audit events?

giomanda

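The record quoted in the question is a kernel-emitted audit message wrapped in the usual syslog line layout (ISO timestamp, host, the `kernel:` tag, a printk uptime stamp, then the `audit: type=... audit(epoch:serial):` header and a key=value body in which `msg='...'` nests a second key=value list). A collector reading /var/log/messages instead of the audit netlink socket has to unwrap all of those layers itself. The following parser is an added example written for this page, not code from the question or from any tool it mentions. It assumes the exact line shape shown above; the sample lines are constructed from that excerpt (the first one deliberately keeps the missing closing quote of `msg='...'` so the truncation case is exercised), the `auid`/`ses` "unset" value 4294967295 is the kernel's (unsigned)-1, and the small type-name table follows the constants in linux/audit.h.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, shaped after the /var/log/messages excerpt in the
# question. The first keeps the truncated msg='...' (no closing quote) exactly
# as it appears there; the second is a complete, properly terminated record.
TRUNCATED_LINE = (
    "2021-11-25T00:35:09.490607-08:00 myserver.local kernel: [4272426.343673] "
    "audit: type=1110 audit(1637829309.455:7426414): pid=2361 uid=0 "
    "auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix "
    "acct=\"root\" exe=\"/usr/bin/sudo\" hostname=? addr=? terminal=? res=success"
)
COMPLETE_LINE = TRUNCATED_LINE + "'"

AUDIT_UNSET = 4294967295  # (unsigned)-1: kernel's "unset" marker for auid/ses

# A few well-known record types from linux/audit.h; anything else is left numeric.
AUDIT_TYPE_NAMES = {
    1100: "USER_AUTH", 1101: "USER_ACCT", 1105: "USER_START", 1106: "USER_END",
    1110: "CRED_REFR", 1112: "USER_LOGIN", 1300: "SYSCALL", 1400: "AVC",
}

# syslog prefix + optional printk "[uptime]" stamp + kaudit header + free-form body
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\S+) (?P<host>\S+) kernel: (?:\[\s*[\d.]+\] )?"
    r"audit: type=(?P<type>\d+) audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"(?P<body>.*)$"
)

# key=value tokens. A value is single-quoted, double-quoted or bare; the closing
# quote is optional so that a truncated line still yields the partial value.
KV_RE = re.compile(r"(\w+)=('[^']*'?|\"[^\"]*\"?|\S*)")


def parse_kv(body):
    """Parse an audit key=value body into a dict, nesting the quoted msg='...' list."""
    fields = {}
    for key, raw in KV_RE.findall(body):
        if raw[:1] in ("'", '"'):
            # Strip the quotes; a missing closing quote (truncated record) just
            # leaves the opening one to remove.
            terminated = len(raw) >= 2 and raw[-1] == raw[0]
            val = raw[1:-1] if terminated else raw[1:]
        else:
            val = raw
        if key == "msg" and "=" in val:
            val = parse_kv(val)  # msg='op=... acct="root" ...' is itself key=value
        fields[key] = val
    return fields


def parse_audit_line(line):
    """Return a structured record for a kaudit line from /var/log/messages, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    fields = parse_kv(body)
    # Normalise the kernel's "unset" sentinel so downstream logic can test for None
    for key in ("auid", "ses"):
        if fields.get(key) == str(AUDIT_UNSET):
            fields[key] = None
    type_num = int(m.group("type"))
    return {
        "host": m.group("host"),
        "type": type_num,
        "type_name": AUDIT_TYPE_NAMES.get(type_num, str(type_num)),
        "serial": int(m.group("serial")),
        # The audit(...) stamp is the authoritative event time; the syslog
        # timestamp only records when rsyslog wrote the line.
        "time": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "fields": fields,
        # Heuristic: a msg='...' that was opened but never closed means the
        # line was cut (e.g. by a length limit) before the record ended.
        "truncated": "msg='" in body and not body.rstrip().endswith("'"),
    }


if __name__ == "__main__":
    for line in (TRUNCATED_LINE, COMPLETE_LINE):
        rec = parse_audit_line(line)
        print(rec["type_name"], rec["serial"], rec["time"].isoformat(),
              rec["fields"]["msg"]["exe"], "truncated" if rec["truncated"] else "complete")
```

The nested `msg` dictionary is where the interesting fields live for this record type (`acct`, `exe`, `res`), and the `truncated` flag lets a consumer decide whether to trust a record that syslog cut short rather than silently treating the partial value as complete.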