The recently-left programmer did *something*, and he didn't know what, and the guy who picked it up is working with me to find out why /var/log/messages is getting flooded with
Oct 26 11:01:06 <servername> kernel: type=1105 audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_krb5,pam_xauth acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:06 <servername> kernel: type=1106 audit(1477494066.620:642431): pid=108548 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_krb5,pam_xauth acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:06 <servername> kernel: type=1104 audit(1477494066.620:642432): pid=108548 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="<user>" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:11 <servername> su: (to <user>) root on none
Oct 26 11:01:11 <servername> su: (to <user>) root on none
Oct 26 11:01:11 <servername> systemd: Started Session c21839 of user <user>.
Other folks can submit jobs to slurm, and we don't get anything like this.
Feel free to contact me offlist....
mark
Oct 26 11:01:11 <servername> systemd: Starting Session c21839 of user <user>.
looks like auditd logging is a bit tweaked.
eero
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Eero Volotinen wrote:
looks like auditd logging is a bit tweaked.
As far as I know, it's selinux-policy-targeted out of the box. (And yes, we do have it in permissive mode.)
Any thoughts on how to tweak that?
mark
You might have some luck on the beowulf mailing list - http://beowulf.org/ There are quite a few slurmy types kicking around there.
On 26 October 2016 at 22:09, Eero Volotinen eero.volotinen@iki.fi wrote:
looks like auditd logging is a bit tweaked.
eero
m.roth-x6lchVBUigD1P9xLtpHBDw wrote:
why /var/log/messages is getting flooded with Oct 26 11:01:06 <servername> kernel: type=1105 audit (1477494066.569:642430): pid=108551 uid=0
[...]
Is your auditd service running? I believe I've seen cases where auditd was not running, leading to audit-stuff showing up in /var/log/messages
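For triaging a flood like the one in this thread, the following added example (not part of any post here, and not code from CentOS or the audit project) parses syslog lines that carry audit records behind a "kernel:" prefix and counts them by record type, PAM operation, executable and target account. The sample lines are constructed from the records quoted above, with "host1", "alice" and the shortened grantors lists as placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the records quoted in the thread;
# "host1", "alice" and the shortened grantors lists are placeholders.
SAMPLE = """\
Oct 26 11:01:06 host1 kernel: type=1105 audit(1477494066.569:642430): pid=108551 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_unix acct="alice" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:06 host1 kernel: type=1106 audit(1477494066.620:642431): pid=108548 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_unix acct="alice" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:06 host1 kernel: type=1104 audit(1477494066.620:642432): pid=108548 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="alice" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
Oct 26 11:01:11 host1 su: (to alice) root on none
Oct 26 11:01:11 host1 systemd: Started Session c21839 of user alice.
"""

# Record type names from linux/audit.h for the three types seen in the thread.
TYPE_NAMES = {1104: "CRED_DISP", 1105: "USER_START", 1106: "USER_END"}
# auid is (uint32)-1 when no login uid was ever set, i.e. not a login session.
UNSET = "4294967295"

KERNEL_AUDIT = re.compile(r"kernel: type=(\d+) audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r"""(\w+)=("[^"]*"|[^\s']+)""")

def parse(line):
    """Return the audit record in a syslog line as a dict, or None."""
    m = KERNEL_AUDIT.search(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "serial": int(m.group(3))}
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(m.group(4)))
    return rec

def summarise(text):
    """Count kernel-logged audit records by (type, op, exe, acct)."""
    counts, no_login = Counter(), 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        name = TYPE_NAMES.get(rec["type"], str(rec["type"]))
        counts[(name, rec.get("op"), rec.get("exe"), rec.get("acct"))] += 1
        if rec.get("auid") == UNSET:
            no_login += 1
    return counts, no_login

if __name__ == "__main__":
    counts, no_login = summarise(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print("records with unset auid:", no_login)
```

Run over the real /var/log/messages (read the file and pass its text to summarise), the dominant exe/acct pair shows which account the root-owned service is calling su for, and an unset auid on every record confirms the calls come from a service rather than a login session.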