2

I have a system that is getting a ton of audit traffic for a particular account we will call 'redacted'. The logs show this account executing the su command. My first instinct was to check the rules in /etc/audit/rules.d, disable any rules having to do with su, and add a rule suppressing logging for that account. I was still getting these logs, so I wiped out the audit rules to have a blank slate (auditctl -l: No rules).

I was still seeing these logs so my question is are these coming from the PAM modules and is there a way to suppress them?

type=CRED_DISP msg=audit(1652729209.332:1763023): pid=375379 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1652729210.442:1763024): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1652729210.443:1763025): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_succeed_if acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=CRED_ACQ msg=audit(1652729210.446:1763026): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_START msg=audit(1652729210.462:1763027): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_xauth acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
  • Try running auditctl -D followed by service auditd restart, and make sure /etc/audit/audit.rules is empty as well if you truly want no audit rules. – cutrightjm May 16 '22 at 23:02
  • I did run auditctl -D before restarting the service but I did not check /etc/audit/audit.rules. I can check next time. I figured if auditctl -l is showing no output it was cleared successfully. – dennis123 May 16 '22 at 23:12
  • Can you fix the underlying issue, stopping whatever it is from calling su so often? I would suggest that this is a bad architectural design and if the process needs to call su this often it's probably running as the wrong account – Chris Davies May 16 '22 at 23:45
  • Relating https://unix.stackexchange.com/q/224370/117549 and https://unix.stackexchange.com/q/637227/117549 as potentially helpful. – Jeff Schaller May 17 '22 at 11:33

1 Answer

1

I was able to suppress these outputs by adding rules to suppress the message by type. For example -a never,exclude -F msgtype=USER_AUTH
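Two things are worth checking before pasting that rule in. These records are not produced by any syscall rule: when su runs its PAM stack, libpam itself emits USER_AUTH, USER_ACCT, CRED_ACQ, CRED_DISP and USER_START through libaudit, so auditctl -D cannot stop them and only the exclude filter (or fixing whatever is calling su, as the comment above suggests) can. And an exclude rule keyed on msgtype alone drops that record type for every process and account on the host, including sshd logins and an interactive user's failed su, which is a real loss of authentication evidence. The script below is an added example, not code from the original post or from the audit project: a simplified model of the kernel's exclude filter (every -F field of a rule must match; the always/never action makes no difference on that list) run over the five records from the question plus two constructed events, comparing the answer's catch-all rule with rules pinned to exe=/usr/bin/su and the SELinux subj_type visible in the records. The narrower rules assume the exe and subj_type fields are accepted on the exclude filter by the kernel and auditctl in use; load them with auditctl -R and confirm with auditctl -l before relying on them.

```python
"""Simulate auditd exclude-filter rules against the records from the question.

Added example for this page (not code from the original post, nor from the
audit project). The parser and matcher are a deliberately simplified model of
the kernel's exclude filter: a record is dropped when every -F field of some
exclude rule matches it. Only the fields used here (msgtype, exe, subj_type,
pid, uid, auid) and the = and != operators are modelled.
"""
import re
import shlex

# Constructed sample input: the five su records posted in the question, then
# two invented records (an sshd login for another account and a failed
# interactive su) that a catch-all msgtype rule would silence as well.
SAMPLE_EVENTS = """\
type=CRED_DISP msg=audit(1652729209.332:1763023): pid=375379 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1652729210.442:1763024): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1652729210.443:1763025): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_succeed_if acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=CRED_ACQ msg=audit(1652729210.446:1763026): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_START msg=audit(1652729210.462:1763027): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_xauth acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1652729300.000:1763100): pid=380001 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1652729301.000:1763101): pid=380002 uid=1001 auid=1001 ses=7 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=failed'UID="bob" AUID="bob"
"""

# The answer's catch-all rule: drops USER_AUTH from every program and user.
BROAD_RULES = ["-a never,exclude -F msgtype=USER_AUTH"]

# The five record types the noisy su produces, in the order they appear above.
SU_TYPES = ("CRED_DISP", "USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START")


def narrow_rules(types=SU_TYPES, exe="/usr/bin/su", subj_type="unconfined_service_t"):
    """One exclude rule per record type, pinned to the caller seen in the logs.

    Assumption: exe and subj_type are accepted on the exclude filter by the
    kernel/auditctl in use (verify with `auditctl -R file; auditctl -l`).
    """
    return [f"-a never,exclude -F msgtype={t} -F exe={exe} -F subj_type={subj_type}"
            for t in types]


EVENT_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$")


def parse_event(line):
    """Turn one audit record (ausearch -i style, as posted) into a dict."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line[:40]!r}")
    ev = {"type": m.group("type"), "serial": int(m.group("serial"))}
    # Kernel fields precede msg='...'; the quoted body holds the PAM fields;
    # after the closing quote comes the interpreted suffix (UID= AUID=) that
    # ausearch -i appends. None of the values here contain spaces.
    head, _, tail = m.group("rest").partition("msg='")
    body, _, suffix = tail.partition("'")
    for token in head.split() + body.split() + suffix.split():
        key, _, value = token.partition("=")
        ev[key] = value.strip('"')
    if "subj" in ev:  # user:role:type:range -> the type component
        ev["subj_type"] = ev["subj"].split(":")[2]
    ev["msgtype"] = ev["type"]  # rule field name for the record type
    return ev


def parse_rule(rule):
    """Parse an auditctl-style rule into (action, list, [(field, op, value)])."""
    argv = iter(shlex.split(rule))
    action = lst = None
    fields = []
    for arg in argv:
        if arg == "-a":
            parts = next(argv).split(",")  # "never,exclude" or "exclude,always"
            action = "always" if "always" in parts else "never"
            lst = "exclude" if "exclude" in parts else parts[-1]
        elif arg == "-F":
            expr = next(argv)
            op = "!=" if "!=" in expr else "="
            key, value = expr.split(op, 1)
            fields.append((key, op, value))
        else:
            raise ValueError(f"unsupported option {arg!r}")
    if lst != "exclude":
        raise ValueError("only the exclude list is modelled here")
    return action, lst, fields


def matches(ev, fields):
    """True when every -F field of one rule holds for the record."""
    for key, op, value in fields:
        hit = ev.get(key) == value
        if (op == "=") != hit:
            return False
    return True


def apply_exclude(events_text, rules):
    """Return (kept, dropped) serial lists as the exclude filter would decide.

    On the exclude list a matching rule drops the record whether it was added
    with always or never, so the parsed action is not consulted.
    """
    rule_fields = [parse_rule(r)[2] for r in rules]
    kept, dropped = [], []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        (dropped if any(matches(ev, f) for f in rule_fields) else kept).append(ev["serial"])
    return kept, dropped


if __name__ == "__main__":
    for label, rules in (("broad", BROAD_RULES), ("narrow", narrow_rules())):
        kept, dropped = apply_exclude(SAMPLE_EVENTS, rules)
        print(f"{label}: dropped {dropped}, kept {kept}")
```

Run as a script it prints which serials each rule set drops: the broad rule keeps the four non-USER_AUTH su records and silences the sshd login and the failed interactive su along with the one su record it was meant to hide, while the narrow set removes exactly the five service records and leaves both constructed events in the log. To use the narrow rules, write the strings narrow_rules() returns into a file under /etc/audit/rules.d/ and reload with augenrules --load (or auditctl -R); if the kernel refuses exe on the exclude list, subj_type alone still separates this service's su (unconfined_service_t) from an interactive user's su on a SELinux host.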