Remove Audit Info from Sudo?

Post by DaniPaterson » Mon Sep 20, 2021 1:52 am

Hi there,

I recently got Arch Linux ARM up and running on a RPi4, and sudo is working a little weird for me. When I'm logged in as my non-root user and run a sudo command, it'll ask for my root password and the command runs like it should. However, it also adds ~4 lines of text that starts with something like: 10.0.0.0.1 192.168.10.1 192.168.1.254

[ 4343.737882 ] audit: type=... audit(...): pid=... uid=... auid=... ses=... msg='op=PAM:... grantors=... acct="..." exe="/usr/bin/sudo" hostname=alarmpi addr=? terminal=/dev/tty1 res=success'

The number/timestamp at the beginning is different for each line, and the ellipses hold info that seems to change on different lines/sudo commands.


I've never seen sudo behave this way. After a quick perusal of the Arch wiki (https://wiki.archlinux.org/index.php/Sudo), I'm guessing that these extra lines are the log info the wiki refers to ("additionally, sudo logs all commands and failed access attempts for security auditing"). Is that right? Or is it something else?


Either way, is there any way of suppressing these lines so they don't distract from the command I'm actually running? Also, is this a sign of any problems that I need to do something about? Any help you can give me would be much appreciated.


Thanks!
Last edited by DaniPaterson on Mon Oct 11, 2021 1:10 am, edited 1 time in total.
DaniPaterson
 
Posts: 1
Joined: Mon Sep 20, 2021 1:49 am
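
Added example, not part of the thread: a small Python parser for kernel-log audit lines shaped like the one quoted in the post above, showing what these records carry for sudo (PAM operation, account, terminal, result). The sample lines and every value in them (the `alarm` account, pids, timestamps, serials) are constructed; the record-type names are the ones defined in linux/audit.h.

```python
import re

# Audit record types emitted by sudo's PAM stack (numbers from linux/audit.h).
PAM_TYPES = {1100: "USER_AUTH", 1101: "USER_ACCT", 1103: "CRED_ACQ",
             1104: "CRED_DISP", 1105: "USER_START", 1106: "USER_END",
             1110: "CRED_REFR"}

LINE_RE = re.compile(r"audit: type=(?P<type>\d+) "
                     r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
                     r"(?P<outer>.*?) msg='(?P<inner>.*)'\s*$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Parse one kernel-log audit line into a dict; None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"type": PAM_TYPES.get(int(m["type"]), m["type"]),
           "time": float(m["ts"]), "serial": int(m["serial"])}
    # Fields before msg='...' describe the process; those inside it come from PAM.
    for part in (m["outer"], m["inner"]):
        for key, value in KV_RE.findall(part):
            rec[key] = value.strip('"')
    return rec

def sudo_events(lines):
    """Return (type, op, acct, terminal, res) for each record written by sudo."""
    events = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get("exe") == "/usr/bin/sudo":
            events.append(tuple(rec.get(k) for k in
                                ("type", "op", "acct", "terminal", "res")))
    return events

# Constructed sample lines (all values invented), shaped like the quoted one.
SAMPLE = """\
[ 4340.112233] audit: type=1100 audit(1632102720.100:57): pid=612 uid=1000 auid=1000 ses=1 msg='op=PAM:authentication grantors=? acct="alarm" exe="/usr/bin/sudo" hostname=alarmpi addr=? terminal=/dev/tty1 res=failed'
[ 4343.737882] audit: type=1101 audit(1632102723.501:58): pid=614 uid=1000 auid=1000 ses=1 msg='op=PAM:accounting grantors=pam_unix,pam_permit,pam_time acct="alarm" exe="/usr/bin/sudo" hostname=alarmpi addr=? terminal=/dev/tty1 res=success'
[ 4343.741005] audit: type=1105 audit(1632102723.505:59): pid=614 uid=1000 auid=1000 ses=1 msg='op=PAM:session_open grantors=pam_limits,pam_unix acct="root" exe="/usr/bin/sudo" hostname=alarmpi addr=? terminal=/dev/tty1 res=success'
[ 4350.000001] usb 1-1: new high-speed USB device number 3 using xhci_hcd
""".splitlines()

if __name__ == "__main__":
    for event in sudo_events(SAMPLE):
        print(event)
```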

Re: Remove Audit Info from Sudo?

Post by graysky » Mon Sep 20, 2021 7:47 am

Yeah, audit sucks.
# systemctl mask systemd-journald-audit.socket

https://wiki.archlinux.org/title/Audit_ ... stallation
graysky
Developer
 
Posts: 1727
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000

Re: Remove Audit Info from Sudo?

Post by unformatted » Mon Sep 20, 2021 3:35 pm

Is there a downside in adding audit=0 as a kernel parameter in order to completely disable audit?
unformatted
 
Posts: 119
Joined: Tue Mar 09, 2021 5:23 pm

Re: Remove Audit Info from Sudo?

Post by graysky » Mon Sep 20, 2021 4:39 pm

I don't think there is so long as you pay attention to pacman's output if /boot/cmdline.txt ever gets updated one day.
graysky
Developer
 
Posts: 1727
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000

Re: Remove Audit Info from Sudo?

Post by unformatted » Mon Sep 20, 2021 4:56 pm

I've been using audit=0 ever since this audit 'feature' was introduced and always after upgrade compare any pacnew file with pacdiff but I still prefer disabling over masking, especially on pi zero where every cpu cycle counts.

Still looks funny to me that if you install arch arm on any Pi for the first time, you are welcomed with a flooded terminal making it very hard to see what you are doing.
unformatted
 
Posts: 119
Joined: Tue Mar 09, 2021 5:23 pm

Re: Remove Audit Info from Sudo?

Post by graysky » Tue Sep 21, 2021 7:13 am

It's an upstream setting enabled by default. To quote Kevin, "I generally prefer to leave configuration to the users, which is the Arch way..."

https://wiki.archlinux.org/title/Arch_Linux#Principles
graysky
Developer
 
Posts: 1727
Joined: Sun Jun 26, 2011 6:56 am
Location: /run/user/1000

