I recently tried to use auditd to find what's creating tmp files on a CentOS 5 x64 OS. I removed the rules:

# auditctl -l
No rules

but auditd is still writing a lot into its logs. If I check the logs using ssh:

# watch ls -la /var/log/audit/

auditd writes 2 kB/s. If I check it with samba, it rotates a 5 MB log file every second. If I check it via ssh and use samba to open a directory, it writes 1 MB each time I open a directory. I'm comparing that to my CentOS 6 server, which doesn't write to the logs while I'm checking them via ssh. It only writes when I log in/log out via ssh.

I haven't changed configuration.

Update: after a server restart, auditd is no longer writing that much data. It still writes something, but it doesn't flood. Here is what it's writing now:

type=CRED_DISP msg=audit(1448603110.552:21): user pid=2708 uid=0 auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1448603110.552:22): user pid=2708 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

And there are no rules: auditctl -l shows nothing. Is there anything other than rules that might cause auditd to write to the logs?

NickSoft
1 Answer

Did you restart the auditd service? /etc/init.d/auditd restart or service auditd restart

What events are being created in the /var/log/audit/audit.log files?

BurnA
  • The log entries were about samba and ssh. I had auditd stopped for a while because it was writing too much data. Now I started it to copy/paste exact data and it's not writing too much anymore. Before, it was writing every time I listed the /var/log/auditd directory or "tail"ed the log. I'll write if I notice it writing a lot again. Btw, the stop of the huge writing could be because of the server restart. It's still writing something, but not too much – NickSoft Nov 27 '15 at 05:44
  • Nick, if you have the problem again see if you can post some of the events. This 'smells' like a restart was needed to effect the rule changes – BurnA Nov 27 '15 at 09:40
  • I'm not sure about that. Restarting the daemon cleared the rules - removed all rules. After restarting the PC I no longer have floods in the logs. The restart itself might or might not be the cause of the stop of the flood. Since I no longer have a flood I can't give you more information on it – NickSoft Nov 28 '15 at 15:18
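The two records in the question (CRED_DISP, USER_END from crond) illustrate the answer's point about looking at which event types are being written: PAM session and credential events are sent to the audit subsystem by the PAM stack itself and appear without any auditctl rule, whereas SYSCALL/PATH records only appear when a rule or file watch is loaded. The script below is an added example (not from the original thread or from the audit project) that parses audit.log lines and counts them by origin, record type and the reporting executable, so a sudden flood can be traced to its producer. The two crond records are taken from the question; the sshd USER_START and the SYSCALL record are constructed for illustration, and the origin mapping is a simplification rather than a complete list of audit record types.

```python
import re
from collections import Counter

# Record header; everything after "): " is the type-specific body.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs: double-quoted, single-quoted, or bare (bare stops at
# whitespace, a quote, ')' or ',' so "res=success)" yields "success").
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s'\"),]+)")

# Simplified origin mapping (assumption, not an exhaustive list of types):
# PAM/login records need no auditctl rule, daemon records come from auditd
# itself, and SYSCALL/PATH/CWD/EXECVE records are produced by loaded rules.
NO_RULE_NEEDED = {"USER_START", "USER_END", "USER_LOGIN", "USER_LOGOUT", "USER_AUTH",
                  "USER_ACCT", "CRED_ACQ", "CRED_DISP", "CRED_REFR", "LOGIN"}
DAEMON_TYPES = {"DAEMON_START", "DAEMON_END", "CONFIG_CHANGE"}
RULE_TYPES = {"SYSCALL", "PATH", "CWD", "EXECVE"}


def parse_record(line):
    """Parse one audit.log line into a dict; return None if it is not a record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in KV_RE.findall(m["body"]):
        rec[key] = val.strip("\"'")
    # PAM records carry the useful fields (acct, exe, terminal, res) inside msg='...'
    if "msg" in rec:
        for key, val in KV_RE.findall(rec["msg"]):
            rec.setdefault(key, val.strip("\"'"))
    return rec


def classify(rec):
    """Label a record by what produced it, per the mapping above."""
    t = rec["type"]
    if t in NO_RULE_NEEDED:
        return "pam/login"
    if t in DAEMON_TYPES:
        return "auditd"
    if t in RULE_TYPES:
        return "rule"
    return "other"


def summarize(lines):
    """Count records by (origin, type, exe) so the noisiest producer stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        counts[(classify(rec), rec["type"], rec.get("exe", "?"))] += 1
    return counts


# Constructed sample: first two lines are the question's records, the rest are made up.
SAMPLE = """\
type=CRED_DISP msg=audit(1448603110.552:21): user pid=2708 uid=0 auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1448603110.552:22): user pid=2708 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1448603200.100:23): user pid=2801 uid=0 auid=500 msg='PAM: session open acct="nick" : exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=SYSCALL msg=audit(1448603201.200:24): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=241 a2=1b6 a3=0 items=1 ppid=2801 pid=2850 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=4 comm="touch" exe="/bin/touch" key="tmpwrite"
"""

if __name__ == "__main__":
    for (origin, rtype, exe), n in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{n:6d}  {origin:10s} {rtype:12s} {exe}")
```

On a real host, feed it the live file (for example, `summarize(open("/var/log/audit/audit.log"))`): if the top producers are all pam/login records from sshd or smbd, the volume comes from session activity rather than from any rule, and an empty `auditctl -l` is consistent with what is being written.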