The Community Forums


Many audit logs in messages

Discussion in 'General Discussion' started by Rodrigo Gomes, Jul 12, 2016.

  1. Rodrigo Gomes

    Rodrigo Gomes Active Member

    Joined:
    Apr 6, 2016
    Messages:
    25
    Likes Received:
    4
    Trophy Points:
    3
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello everybody,

    My server is receiving many of these logs below in /var/log/messages:

    Code:
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322613): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322614): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
    Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322616): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322617): pid=26979 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39140 res=1
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322618): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322619): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322620): pid=26968 uid=0 old-auid=4294967295 auid=977 old-ses=4294967295 ses=39141 res=1
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.659:322621): pid=26978 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
    Jul 12 18:00:12 example-server kernel: type=1104 audit(1468357212.127:322743): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:00:12 example-server kernel: type=1106 audit(1468357212.128:322744): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322746): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
    Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322747): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
    Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322748): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322749): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322750): pid=27831 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322751): pid=27832 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39158 res=1
    Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322752): pid=27830 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39159 res=1
    Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322753): pid=27831 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39160 res=1
    Jul 12 18:02:01 example-server kernel: audit_printk_skb: 51 callbacks suppressed
    Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322771): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322772): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322773): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322774): pid=27922 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=39162 res=1
    Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322775): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322776): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322777): pid=27925 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39163 res=1
    Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.490:322778): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.490:322779): pid=27924 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39164 res=1
    Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.492:322780): pid=27923 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: audit_printk_skb: 60 callbacks suppressed
    Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322801): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322802): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322803): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322804): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322805): pid=28016 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39166 res=1
    Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322806): pid=28015 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39167 res=1
    Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322807): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322808): pid=28017 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39168 res=1
    Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    Jul 12 18:03:01 example-server kernel: type=1110 audit(1468357381.229:322810): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    
    This is new; it did not happen before.

    SElinux is disabled.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Please ensure you review Guide To Opening An Effective Forums Thread and let us know the requested information about your system.

    Also, please let us know the contents of the " /etc/audit/rules.d/audit.rules" file on this system.

    Thank you.
     
  3. Rodrigo Gomes

    Rodrigo Gomes Active Member

    Access level: root

    Cpanel plugins:
    clamavconnector 0.99-4.cp1156
    munin Version: obsolete
    csf v9.10

    Code:
    /etc/redhat-release:CentOS Linux release 7.2.1511 (Core)
    /usr/local/cpanel/version:11.56.0.25
    /var/cpanel/envtype:kvm
    CPANEL=release
    Server version: Apache/2.4.18 (Unix)
    Server built:   Jul  7 2016 03:17:41
    Cpanel::Easy::Apache v3.34.1 rev9999
    PHP 5.6.23 (cli) (built: Jul  7 2016 03:21:29)
    Copyright (c) 1997-2016 The PHP Group
    Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
        with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
        with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
        with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH
    mysql  Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using  EditLine wrapper
    /etc/audit/rules.d/audit.rules:
    Code:
    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.
    
    # First rule - delete all
    -D
    
    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320
    
    # Feel free to add below this line. See auditctl man page
    
    /etc/audit/auditd.conf:
    Code:
    #
    # This file controls the configuration of the audit daemon
    #
    
    log_file = /var/log/audit/audit.log
    log_format = RAW
    log_group = root
    priority_boost = 4
    flush = INCREMENTAL
    freq = 20
    num_logs = 5
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file = 6 
    max_log_file_action = ROTATE
    space_left = 75
    space_left_action = SYSLOG
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SUSPEND
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    ##tcp_listen_port = 
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key
    
    I'm sorry for the lack of information in my thread.
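The records in the first post and the `-b 320` line in the audit.rules above are easier to reason about once they are parsed. The kernel hands audit records to auditd over netlink; when no daemon is registered it prints them through printk instead, which is where the `audit_printk_skb: N callbacks suppressed`, `printk limit exceeded` and `audit: audit_lost=...` lines come from and why the records show up in /var/log/messages at all. The following Python is an added example for this thread, not cPanel's, auditd's or the poster's code: it parses syslog-wrapped audit records into fields, tallies the kernel's own loss counters, reads the `-b` value from an audit.rules file, and turns that into findings. The sample log and rules strings are constructed to mirror what was quoted in the thread, the record type names are the kernel's audit constants, and the heuristics in `assess()` are this example's own.

```python
"""Parse kernel audit records found in /var/log/messages and explain the loss counters.

Added example for this thread, not cPanel's or auditd's own code.  Type numbers and
the audit_printk_skb / audit_lost behaviour are the kernel's; assess() is our heuristic.
"""
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the first post of the thread.
SAMPLE_LOG = """\
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""
# Constructed: the two active (non-comment) lines of the audit.rules quoted in the thread.
SAMPLE_RULES = "-D\n-b 320\n"

UNSET = 4294967295  # (unsigned)-1: the process has not been given a login uid / session yet
TYPE_NAMES = {1006: "LOGIN", 1101: "USER_ACCT", 1103: "CRED_ACQ", 1104: "CRED_DISP",
              1105: "USER_START", 1106: "USER_END", 1110: "CRED_REFR"}

RECORD_RE = re.compile(r"type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
KV_RE = re.compile(r"""([\w-]+)=('[^']*'|"[^"]*"|\S+)""")
LOST_RE = re.compile(r"audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
SUPPRESSED_RE = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")


def parse_kv(text):
    """Split a record body into a dict; the PAM fields live inside the quoted msg='...' payload."""
    fields = {}
    for key, raw in KV_RE.findall(text):
        value = raw.strip("'\"")
        if key == "msg" and raw.startswith("'"):
            fields.update(parse_kv(value))
        else:
            fields[key] = value
    return fields


def parse_messages(log_text):
    """Return (records, health): parsed audit events plus the kernel's own drop indicators."""
    records = []
    health = {"audit_lost": 0, "backlog_limit": None, "suppressed": 0, "printk_limit_hits": 0}
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            rec = {"type": int(m.group(1)), "name": TYPE_NAMES.get(int(m.group(1)), "UNKNOWN"),
                   "time": float(m.group(2)), "serial": int(m.group(3))}
            rec.update(parse_kv(m.group(4)))
            records.append(rec)
            continue
        m = LOST_RE.search(line)
        if m:  # cumulative counter, so keep the highest value seen
            health["audit_lost"] = max(health["audit_lost"], int(m.group(1)))
            health["backlog_limit"] = int(m.group(3))
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            health["suppressed"] += int(m.group(1))
        elif "printk limit exceeded" in line:
            health["printk_limit_hits"] += 1
    return records, health


def configured_backlog(rules_text):
    """Read the -b (kernel backlog) value from an audit.rules file, or None if unset."""
    for line in rules_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "-b":
            return int(parts[1])
    return None


def assess(health, rules_text):
    """Heuristic findings as (code, explanation) pairs; the ordering is fixed for callers."""
    findings = []
    if health["suppressed"] or health["printk_limit_hits"]:
        findings.append(("auditd_not_consuming", "records took the printk path, which the kernel "
                         "uses only when no audit daemon is registered: check that auditd is running"))
    if health["audit_lost"]:
        findings.append(("records_lost", f"kernel counted {health['audit_lost']} lost records; "
                         "the audit trail for this period is incomplete"))
    b = configured_backlog(rules_text)
    if b is not None and b == health["backlog_limit"]:
        findings.append(("backlog_at_configured_size", f"-b {b} in audit.rules matches the kernel's "
                         "reported limit; the file's own comment says to raise it on busy systems"))
    return findings


def account_activity(records):
    """Count PAM records per (acct, exe): shows which jobs generated the burst."""
    return Counter((r["acct"], r["exe"]) for r in records if "acct" in r)


def login_sessions(records):
    """LOGIN (1006) records bind a pid to a real auid/ses; return {ses: auid} for those bindings."""
    return {int(r["ses"]): int(r["auid"]) for r in records
            if r["type"] == 1006 and int(r["auid"]) != UNSET}


if __name__ == "__main__":
    recs, hlth = parse_messages(SAMPLE_LOG)
    for code, why in assess(hlth, SAMPLE_RULES):
        print(f"{code}: {why}")
    print(account_activity(recs), login_sessions(recs))
```

Run it as-is to see the findings for the constructed sample, or replace `SAMPLE_LOG` with `open("/var/log/messages").read()` and `SAMPLE_RULES` with the contents of /etc/audit/rules.d/audit.rules. The `auditd_not_consuming` finding is the one to act on first: as long as records go through printk they are rate-limited and the `audit_lost` counter keeps climbing, so anything that happened in those gaps is not in the trail. The ` -b` finding is secondary and only repeats what the rules file's own comment says.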
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Your auditd configuration matches up with the default configuration. You mentioned that SELinux is disabled. Could you confirm the output from the "getenforce" command?

    Thank you.
     
  5. Rodrigo Gomes

    Rodrigo Gomes Active Member

    Code:
    # getenforce
    Disabled
    
    After restart these logs stopped happening.

    I can't say what happened, but it may have been an update that needed a restart.

    Thanks!
     
    #5 Rodrigo Gomes, Jul 17, 2016
    Last edited: Jul 17, 2016
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member