Dealing with Audit Messages and Other Kernel Messages

Postby paradoxical » Sat Apr 04, 2020 10:56 pm

Hey there! I noticed that audit messages kept being logged to tty1 and were very annoying. However, I would still like to use auditd in my system for extra security. In that case, this is how.

It took a lot of tracking to find out why this happened, and it turned out it was due to the kernel's log level. This will also deal with those pesky internet adapter messages. By default, (at least on my system) the log level was something like "7 4 1 7".

Here's an explanation of log levels from a SuperUser question (https://superuser.com/questions/351387/how-to-stop-kernel-messages-from-flooding-my-console/793692#793692):
Reminder of the severity levels and the four values of kernel.printk given by Brian above:

CUR = current severity level; only messages more important than this level are printed
DEF = default severity level assigned to messages with no level
MIN = minimum allowable CUR
BTDEF = boot-time default CUR

On my CentOS: 7 4 1 7
                     CUR  DEF  MIN  BTDEF
0 - emergency        x              x
1 - alert            x         x    x
2 - critical         x              x
3 - error            x              x
4 - warning          x    x         x
5 - notice           x              x
6 - informational    V              V
7 - debug

This is too noisy, I just want critical and up (no errors). Unlabeled messages should be regarded as warning, so DEF is good:
                     CUR  DEF  MIN  BTDEF
0 - emergency        x              x
1 - alert            x         x    x
2 - critical         x              x
3 - error            V              V
4 - warning               x
5 - notice
6 - informational
7 - debug

Set to: 3 4 1 3


So to fix this, I created "/etc/sysctl.d/00-printk.conf", and inside is:
kernel.printk=3 4 1 3

This will make the kernel log level "3 4 1 3" persistently. To load it right now (without rebooting), run:
sudo sysctl -p /etc/sysctl.d/00-printk.conf

Now, you shouldn't see any audit or driver messages in your tty1! :D
paradoxical
Posts: 2
Joined: Thu Nov 07, 2019 2:12 am
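An added example, not from the post above or the quoted SuperUser answer: a small POSIX sh model of the kernel.printk quadruple ("CUR DEF MIN BTDEF") that shows which severities reach the console under the "before" and "after" values from the post, validates a new value against the MIN field before writing the sysctl.d fragment, and reuses the post's file path. The function names are mine, and the assumption that audit records are logged at notice level (5) is mine as well.

```shell
#!/bin/sh
# Added example (not from the original post): model the kernel.printk quadruple
# "CUR DEF MIN BTDEF" and check which severities reach the console.

# True (exit 0) if a message of severity $1 (0 = emergency .. 7 = debug) is
# printed to the console when kernel.printk is "$2". The kernel prints a
# message only when its severity is numerically lower than CUR.
printk_reaches_console() {
    level=$1
    cur=${2%% *}            # first field of the quadruple = CUR
    [ "$level" -lt "$cur" ]
}

# Severity the kernel assigns to an unlabelled message: the DEF field.
printk_default_level() {
    set -- $1               # split the quadruple into $1..$4
    echo "$2"
}

# Validate a proposed quadruple: exactly four integers in 0..7, and CUR >= MIN,
# since the kernel will not let the console level drop below the MIN field.
printk_valid() {
    set -- $1
    [ $# -eq 4 ] || return 1
    for v in "$@"; do
        case $v in [0-7]) ;; *) return 1 ;; esac
    done
    [ "$1" -ge "$3" ]
}

# Write the sysctl.d fragment from the post (path $2, default as in the post)
# only when the value validates; apply it afterwards with sysctl -p.
write_printk_conf() {
    printk_valid "$1" || return 1
    printf 'kernel.printk=%s\n' "$1" > "${2:-/etc/sysctl.d/00-printk.conf}"
}

# Stand-alone demo (pass --demo): compare the post's "before" and "after" values
# for a notice-level (5) message; audit records are assumed to log at that level.
if [ "${1:-}" = "--demo" ]; then
    for setting in "7 4 1 7" "3 4 1 3"; do
        if printk_reaches_console 5 "$setting"; then
            echo "kernel.printk=$setting: notice (5) messages reach the console"
        else
            echo "kernel.printk=$setting: notice (5) messages are suppressed"
        fi
    done
fi
```

Running it with `--demo` shows notice-level messages passing under "7 4 1 7" and being suppressed under "3 4 1 3"; write_printk_conf needs root only when you let it default to the /etc path.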

Re: Dealing with Audit Messages and Other Kernel Messages

Postby graysky » Sun Apr 05, 2020 7:23 am

Mask systemd-journald-audit.socket or add kernel parameter audit=0 to bootload.cfg.
graysky
Posts: 597
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000
