
[syslog] kernel: type=1101 audit(1412069761.325:844941): user pid=23092 uid=0 auid=4294967295 msg='PAM: accounting acct="sysadm" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

Unknown user, 2014. 10. 6. 10:56

1. Error message:

kernel: type=1101 audit(1412069761.325:844941): user pid=23092 uid=0 auid=4294967295 msg='PAM: accounting acct="sysadm" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

kernel: type=1103 audit(1412069761.325:844942): user pid=23092 uid=0 auid=4294967295 msg='PAM: setcred acct="sysadm" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'


2. Symptom:

   - Even though the auditd daemon has been disabled, audit records keep being written to /var/log/messages. Note the "kernel:" tag: these lines do not come from auditd at all. The kernel audit subsystem is still enabled, PAM (here invoked by crond for the "sysadm" cron job) keeps submitting USER_ACCT (type=1101) and CRED_ACQ (type=1103) records, and with no auditd attached to the audit netlink socket the kernel falls back to printk, so rsyslog files them under the kernel facility. auid=4294967295 is (uid_t)-1, "unset": the process has no login session, as expected for a cron job.


3. Fix:

   - In /etc/audit/audit.rules, replace the '-D' line with '-e 0'. '-D' only deletes the currently loaded rules; '-e 0' switches the kernel audit subsystem off, so the PAM records are not generated in the first place. Caveats: the rules file is only read when the auditd init script runs auditctl, so to stop the messages right away run 'auditctl -e 0' by hand; to keep auditing off on a host where auditd is never started, add 'audit=0' to the kernel command line instead. And if the records are actually wanted, the fix is the opposite one: run auditd, which collects them into /var/log/audit/audit.log instead of syslog.

[root@ktdsoss01 ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - disable auditing (was "-D", delete all rules)
-e 0

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

4. Reference URL:

http://www.vickysguide.com/audit-still-logging-even-when-stoped/