How to disable useless "audit success" log entries in dmesg
Firstly, on fedora, both auditd and auditctl come from the same package (unconfusingly named audit). So if you don't have auditctl, something else is wrong. Try this:
rpm -ql audit |grep ctl
If that gives you nothing, then you do not have the audit package installed at all.
Secondly, the first "human" language line in the grub.cfg file you mentioned says "DO NOT EDIT" on my system. This is a clue that any manual changes to the file can be lost.
The correct place to edit the grub config on a fedora/redhat system is the one file you specifically suggested as not being necessary to change (/etc/default/grub). In reality, this is the only "safe" way to make the proposed change and survive kernel upgrades. This is because it is used as part of the source configuration during kernel upgrades, to regenerate a working grub.cfg. Look up the grub2-mkconfig command (and it's friends). Details are here: https://fedoraproject.org/wiki/GRUB_2
Your answer is not wrong, but I found it a little confusing. I hate the grub command line, and IMHO anyone who is likely to miss adding a whitespace char on a kernel command line would probably not thank any one for being lead down that road. Still, some people like to learn the hard way I know.
All commands below need to be run as root (which is in and of itself a dangerous thing to suggest).
For a running system:
auditctl -e 0
If you cannot find auditctl, check your PATH and also consider:
dnf install audit
This should at least reduce if not disable the messages until such a time as you can reboot.
To persist beyond reboots, edit /etc/default/grub and change the GRUB_CMDLINE_LINUX line to add "audit=0" to the end, then use grub2-mkconfig to regenerate the grub.cfg. This final step also puts a layer of validation between your change, and the running system.
You can quickly disable audit temporarily with
sudo auditctl -e 0
and temporarily remove all the rules with
sudo auditctl -D
For future boots you could try disabling its start with
sudo systemctl disable auditd
There is no auditd service that could be disabled while the system is running, but it turns out that adding the boot option audit=0
seems to disable all of these messages. The system is usable again, even on command line without X running.
This option can be set temporarily (the change will not survive a reboot):
- When the Grub boot menu appears (right after turning the power on), hit e to edit the boot parameters. This will show a huge text box.
- Scroll down to the line that starts with "linux". Hit the End key to move the cursor to the end of the line.
- Enter a whitespace character so that you don't break the last option, then append
audit=0
. For example... LANG=en_US.UTF-8 audit=0
(not...UTF-8audit=0
, obviously). - Be careful not to change anything else. If you've accidentally modified some other option, fix it or reboot and start over.
- Hit F10 to boot the system.
Of course, this change will only be in effect while the system is running. The audit flood will come back after a reboot. To make this change permanent, the boot configuration has to be changed permanently. On Fedora, it should be enough to simply modify /boot/grub2/grub.cfg
because when a new kernel is installed (system update), grubby should copy the options of the latest kernel to the newly installed kernel. This means, audit=0
has to be appended to the first linux
line (first menuentry
section) in this file. It shouldn't be necessary to change ./etc/default/grub
Correction: Actually, the correct and most reliable approach is to edit /etc/default/grub
and regenerate the Grub config using grub2-mkconfig -o /boot/grub2/grub.cfg
, thanks KnightLordAndMaster for pointing this out.
Additional note on audit logs in log files:
As a side note, the following line should prevent audit logs from ending up in log files, but they would still clutter dmesg and the console, so this is not a solution in itself. This line would be put as first rule in /etc/rsyslog.conf
:
...
#### RULES ####
# no audit
:programname, isequal, "audit" ~
...
This now results in the following warning:
rsyslogd[xxxx]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.35.0 try http://www.rsyslog.com/e/2307]