Dealing with Audit Messages and Other Kernel Messages

Postby paradoxical » Sat Apr 04, 2020 10:56 pm

Hey there! I noticed that audit messages kept being logged to tty1 and were very annoying. However, I would still like to use auditd in my system for extra security. In that case, this is how.

It took a lot of tracking to find out why this happened, and it turned out it was due to the kernel's log level. This will also deal with those pesky internet adapter messages. By default (at least on my system), the log level was something like "7 4 1 7".

Here's an explanation of log levels from a SuperUser question (https://superuser.com/questions/351387/how-to-stop-kernel-messages-from-flooding-my-console/793692#793692):
> Reminder of the severity levels and the four values of kernel.printk given by Brian above:
>
> CUR = current severity level; only messages more important than this level are printed
> DEF = default severity level assigned to messages with no level
> MIN = minimum allowable CUR
> BTDEF = boot-time default CUR
>
> On my CentOS: 7 4 1 7
>
>                        CUR DEF MIN BTDEF
>     0 - emergency       x            x
>     1 - alert           x       x    x
>     2 - critical        x            x
>     3 - error           x            x
>     4 - warning         x   x        x
>     5 - notice          x            x
>     6 - informational   V            V
>     7 - debug
>
> This is too noisy; I just want critical and up (no errors). Unlabeled messages should be regarded as warning, so DEF is good:
>
>                        CUR DEF MIN BTDEF
>     0 - emergency       x            x
>     1 - alert           x       x    x
>     2 - critical        x            x
>     3 - error           V            V
>     4 - warning             x
>     5 - notice
>     6 - informational
>     7 - debug
>
> Set to: 3 4 1 3


So to fix this, I created "/etc/sysctl.d/00-printk.conf", and inside is:
    kernel.printk=3 4 1 3

This will make the kernel log level "3 4 1 3" persistent. To load it right now (without rebooting), run:

    sudo sysctl -p /etc/sysctl.d/00-printk.conf
Now, you shouldn't see any audit or driver messages in your tty1! :D
paradoxical
 
Posts: 2
Joined: Thu Nov 07, 2019 2:12 am
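The procedure above in runnable form, as an added example that is not part of paradoxical's post: a small POSIX sh script that applies the rule from the quoted explanation (a message is printed on the console when its severity is numerically lower than CUR; a message with no level is first assigned DEF) to any kernel.printk value, so you can see what "7 4 1 7" versus "3 4 1 3" lets through before touching /etc/sysctl.d, and that validates a candidate value (four digits 0-7, CUR not below MIN) before emitting the drop-in line. The function names are this example's own, the only values it evaluates are the ones from the post, and it never reads /proc/sys/kernel/printk or writes any file.

```shell
#!/bin/sh
# Added example (not from the forum post): model the kernel.printk console
# threshold so you can see which severities reach the console before you
# change anything, and emit the sysctl.d drop-in line the post describes.
# Nothing here reads /proc/sys or writes to /etc; all values are passed in.
# Function names (console_prints, valid_printk, ...) are this example's own.

# Severity names on the kernel's 0-7 scale.
level_name() {
    case "$1" in
        0) echo emergency ;;     1) echo alert ;;
        2) echo critical ;;      3) echo error ;;
        4) echo warning ;;       5) echo notice ;;
        6) echo informational ;; 7) echo debug ;;
        *) echo unknown ;;
    esac
}

# console_prints "CUR DEF MIN BTDEF" LEVEL
# Succeeds when a message of severity LEVEL is printed on the console:
# only messages numerically lower (more important) than CUR are printed.
# LEVEL may be "none" for a message carrying no level; it is then given DEF.
console_prints() {
    set -- $1 "$2"          # $1..$4 = CUR DEF MIN BTDEF, $5 = LEVEL
    lvl=$5
    [ "$lvl" = none ] && lvl=$2
    [ "$lvl" -lt "$1" ]
}

# valid_printk "CUR DEF MIN BTDEF"
# Accepts exactly four single digits 0-7 with CUR not below MIN
# (MIN is the lowest allowable CUR, per the explanation quoted in the post).
valid_printk() {
    set -- $1
    [ $# -eq 4 ] || return 1
    for v in "$@"; do
        case "$v" in [0-7]) ;; *) return 1 ;; esac
    done
    [ "$1" -ge "$3" ]
}

# show_table "CUR DEF MIN BTDEF": list which severities reach the console.
show_table() {
    printf 'kernel.printk = %s\n' "$1"
    for l in 0 1 2 3 4 5 6 7; do
        if console_prints "$1" "$l"; then mark=printed; else mark=suppressed; fi
        printf '  %d - %-13s %s\n' "$l" "$(level_name "$l")" "$mark"
    done
    if console_prints "$1" none; then mark=printed; else mark=suppressed; fi
    printf '  unlabeled (DEF)   %s\n' "$mark"
}

# printk_dropin "CUR DEF MIN BTDEF": the line to put in
# /etc/sysctl.d/00-printk.conf, refused if the value is malformed.
printk_dropin() {
    valid_printk "$1" || { echo "invalid kernel.printk value: $1" >&2; return 1; }
    printf 'kernel.printk = %s\n' "$1"
}

show_table "7 4 1 7"    # the post's default: everything up to informational is printed
show_table "3 4 1 3"    # the post's fix: only emergency, alert and critical get through
printk_dropin "3 4 1 3"
```

To apply the result, redirect the output of printk_dropin to /etc/sysctl.d/00-printk.conf and load it with sysctl -p as the post shows; the script itself only prints. The "unlabeled (DEF)" row is why the post keeps DEF at 4: with CUR=3 an unlabeled message is treated as a warning and suppressed, while with CUR=7 it would still hit the console.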

Re: Dealing with Audit Messages and Other Kernel Messages

Postby graysky » Sun Apr 05, 2020 7:23 am

Mask systemd-journald-audit.socket or add kernel parameter audit=0 to bootload.cfg.
graysky
Developer
 
Posts: 1728
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000
