Disabling Audit Messages

This forum is for topics specific to the Raspberry Pi and Arch Linux ARM

Postby TrojanPinata » Wed Jul 08, 2020 11:48 pm

Hello,
I have an original Pi model B with a standard sd card booting arch. As per my title, I cannot stop audit messages for the life of me. I have scoured the internet and come up with possible solutions that in the end all failed because of one reason or another.

The post that best sums up what I am seeing is https://bbs.archlinux.org/viewtopic.php?id=247791

Except that its solution doesn't work. Because of the endless wave of audit messages, it is basically impossible to type anything remotely useful in terminal, thus no internet or long commands because they end up with some typo that is unintelligible due to it being in chunks.

Here's a list of commands and general things I've tried to get this to stop:

This one seemed the most promising until rw, which isn't a command to my system it appears. I don't currently know how to fix this without internet. It's possible that it's a bad image. This specific card had PINN on it which is where Arch was installed from.
    root=/dev/mmcblk0p2 rw rootwait console=ttyAMA0,115200 console=tty1 selinux=0 plymouth.enable=0 smsc95xx.turbo_mode=N dwc_otg.lpm_enable=0 kgdboc=ttyAMA0,115200 elevator=noop audit=0

Sudo was also a good bet until I realized I need internet to install it (big rip for the easiest command)
    sudo systemctl mask systemd-journald-audit.socket

Of course, these two are from a thread where the pi was a model 2 or 3 which may have a drastic effect on why these two didn't work. (https://archlinuxarm.org/forum/viewtopic.php?f=60&t=13175)

Now back to that original link, which provided the most information on what was actually happening. I'm using a standard kernel as far as I know, and thus, it seems to be very common to cite the wiki. The wiki with its auditctl -e 0 bs is pretty frustrating. When run, I get a

    enable=0
    failure=1
    ...
    ...
    or something like that, I'm going off of memory

(sorry in advance for not providing pictures; I turned it off and am running a different sd at the moment)

So with the information so far, auditctl is installed, rw is not, and nor is sudo. auditctl, however, doesn't work. (Side note: auditctl has no rules from what I can tell, and -D does nothing)

The final command I tried is:
    systemctl mask systemd-journald-audit.socket

sourced from here https://archlinuxarm.org/forum/viewtopic.php?f=9&t=14182
which weirdly stopped all messages for three-ish seconds but it was short-lived.
Other things involved modifying the cmdline.txt file directly with a text editor, in my case nano being that this is a fresh install. This is my first sign I guess that it may be a bad image PINN was installing, due to the fact that it was not there in its entirety. I haven't been baptized enough in Arch to know if that's normal but w/e. That as well as modifying the config.gz file in nano, but that was a mess due to its attempted conversion from mac format to whatever it uses. That would have made it really easy, being that all I would theoretically have to do is change audit=1 to audit=0 and bam.

Clearly, as I am posting this here, it should be obvious that I'm pretty stuck. This all stems from the fact that my Ubuntu pc is too terrible to partition and image an sd card correctly (let's go single core and garbage pc gang). My first few attempts wouldn't boot so I took the L and just used PINN, which clearly led to a whole slew of bigger and more frustrating L's.

If anyone knows what I'm doing wrong here please let me know. I'm pretty new to arch as a whole, and it's pretty hard to learn when the audit messages cover up even the most basic of commands. As you can tell, I'm also really new to this forum, if anything's wrong formatting wise please let me know.

Thanks my dudes,
B
TrojanPinata
 
Posts: 1
Joined: Wed Jul 08, 2020 10:57 pm

Re: Disabling Audit Messages

Postby deeprkyo » Thu Jul 23, 2020 7:55 am

Hi Trojan,
I am having the same trouble. I discovered that you need to be in root mode to disable audits temporarily. At the moment I got this far:
type "su" for superuser mode then type "root" (the default root password)
then "auditctl -e 0" works.

This at least makes the terminal partly usable; I can see ls lists and man pages long enough to read. But I'm still having the odd audit message (though much reduced), which overwrites every terminal instance and the nano editor.

I will post something on disabling audit altogether - if I find a way :P

Please post on this thread if you find a permanent solution to this annoying tool. :P

Kyo
deeprkyo
 
Posts: 1
Joined: Thu Jul 23, 2020 7:48 am
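
The first post describes hand-editing cmdline.txt to get audit=0 onto the kernel command line. As an added example (not code from the thread), this script makes that edit idempotently: on that line rw and audit=0 are kernel parameters rather than commands, and the change takes effect at the next boot. The /boot/cmdline.txt path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# audit_param LINE: print the value of the last audit= token, or "unset".
audit_param() {
    set -f                              # no glob expansion while splitting
    val=unset
    for tok in $1; do
        case $tok in audit=*) val=${tok#audit=} ;; esac
    done
    set +f
    printf '%s\n' "$val"
}

# with_audit_off LINE: print LINE with any audit= token dropped and audit=0 appended.
with_audit_off() {
    set -f
    out=
    for tok in $1; do
        case $tok in
            audit=*) ;;                 # drop audit=1 or a stale duplicate
            *) out="${out:+$out }$tok" ;;
        esac
    done
    set +f
    printf '%s\n' "${out:+$out }audit=0"
}

# patch_cmdline FILE: rewrite FILE as one line with audit=0, keeping FILE.bak.
patch_cmdline() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    line=$(head -n 1 "$file")           # parameters must all sit on one line
    if [ "$(audit_param "$line")" = 0 ]; then
        return 0                        # already set, leave the file alone
    fi
    cp "$file" "$file.bak" || return 1
    with_audit_off "$line" > "$file"
}

# Usage (path is an assumption): sh audit-off.sh /boot/cmdline.txt
if [ "$#" -gt 0 ]; then
    patch_cmdline "$1"
fi
```

Run it as root against the boot partition's cmdline.txt; the .bak copy lets you restore the previous line if the Pi fails to boot.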

