messagesがaudit関連のログで溢れる



●対策

 参考URL:/var/log/messagesがauditログで埋まる
 参考URL:auditのログを止めてみた
 参考URL:Linuxセキュリティ監査ツール Lynis

 いつの間にか/var/log/messagesがauditの大量のログで埋まるようになってしまいました。logwatchを動作させており、毎日送信されてくるメールのサイズが非常に大きくなっていたことから気がつきました。


################### Logwatch 7.4.3 (04/27/16) ####################
Processing Initiated: Sun Jan 1 03:10:20 2017
Date Range Processed: yesterday
( 2016-Dec-31 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: www.bigbang.mydns.jp
##################################################################

--------------------- Kernel Audit Begin ------------------------

**Unmatched Entries** (Only first 100 out of 60631 are printed)
audit: USER_ACCT pid=30059 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_ACQ pid=30059 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_ACCT pid=30068 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30068 uid=0 auid=986 ses=4204 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30059 uid=0 auid=986 ses=4203 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_REFR pid=30059 uid=0 auid=986 ses=4203 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_DISP pid=30059 uid=0 auid=986 ses=4203 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: USER_END pid=30059 uid=0 auid=986 ses=4203 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30219 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30219 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30219 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30219 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30219 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30219 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30219 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30219 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30219 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30218 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30218 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30218 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30218 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30218 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.12 terminal=ssh res=failed'
audit: CRYPTO_KEY_USER pid=30226 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30226 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30226 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30226 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30226 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30226 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30226 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30226 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30226 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30225 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30225 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30225 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30225 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30225 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.4 terminal=ssh res=failed'
audit: CRYPTO_KEY_USER pid=30445 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30445 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30445 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30445 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30445 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30445 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30445 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30445 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30445 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30441 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30441 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30441 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30441 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30441 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.4 terminal=ssh res=failed'
audit: USER_ACCT pid=30496 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_ACQ pid=30496 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: USER_ACCT pid=30515 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30515 uid=0 auid=986 ses=4206 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30496 uid=0 auid=986 ses=4205 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_REFR pid=30496 uid=0 auid=986 ses=4205 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: CRED_DISP pid=30496 uid=0 auid=986 ses=4205 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: USER_END pid=30496 uid=0 auid=986 ses=4205 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30666 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30666 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30666 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30666 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30666 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30666 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30666 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30666 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30666 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30662 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30662 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30662 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30662 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30662 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.4 terminal=ssh res=failed'
audit: CRYPTO_KEY_USER pid=30670 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30670 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30670 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30670 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30670 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30670 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30670 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30670 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30670 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30668 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30668 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30668 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30668 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30668 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.12 terminal=ssh res=failed'
audit: CRYPTO_KEY_USER pid=30796 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30796 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30796 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30796 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30796 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30796 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30796 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30796 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30796 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=30792 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=30792 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=30792 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=30792 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: USER_LOGIN pid=30792 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="(unknown)" exe="/usr/sbin/sshd" hostname=? addr=1.0.0.4 terminal=ssh res=failed'
audit: USER_ACCT pid=30846 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_ACQ pid=30846 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: USER_ACCT pid=30851 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30851 uid=0 auid=986 ses=4208 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="cacti" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: USER_START pid=30846 uid=0 auid=986 ses=4207 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_REFR pid=30846 uid=0 auid=986 ses=4207 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: CRED_DISP pid=30846 uid=0 auid=986 ses=4207 msg='op=PAM:setcred grantors=pam_env,pam_localuser,pam_unix acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: USER_END pid=30846 uid=0 auid=986 ses=4207 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="cacti" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
audit: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@986 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=31002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=31002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=31002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31002 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=31002 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31001 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:98:dd:71:28:91:73:36:ab:58:af:26:90:e6:01:6e:57:0b:cf:12:15:76:b6:f8:90:99:a5:81:d3:8b:cb:19:5b direction=? spid=31002 suid=74 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31001 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:99:dd:a2:10:e0:14:50:5e:61:db:cb:60:b4:c9:d3:ae:84:47:3b:62:33:55:e0:ae:20:0f:a2:2c:84:40:69:f8 direction=? spid=31001 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31001 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:49:af:5f:93:bf:57:a5:7c:9e:1a:af:10:49:77:56:5e:1b:e3:50:96:ab:a0:18:87:b3:4f:1c:ad:44:a7:57:01 direction=? spid=31001 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
audit: CRYPTO_KEY_USER pid=31001 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:5b:fc:52:e0:28:3e:09:93:a2:b6:bd:68:65:2b:26:c1:23:92:ea:51:06:08:7f:5a:47:e6:e6:9c:30:de:13:10 direction=? spid=31001 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'

---------------------- Kernel Audit End -------------------------


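 この余計なログを出力しないよう設定変更します。なお、以下で追記する「-e 0」は監査機能(audit)自体を無効にする設定です。上のログに含まれるsshdのログイン失敗(USER_LOGIN … res=failed)のような認証関連のイベントも記録されなくなるため、監査記録が必要な環境では、不要なメッセージタイプだけをauditのexcludeルールで除外する、あるいはrsyslog側でaudit行を/var/log/messagesに書き出さないようにする、といった方法を検討してください。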
# vi /etc/audit/rules.d/audit.rules
# First rule - delete all
#-D ← コメントアウト
-e 0 ← 追記
# vi /etc/audit/audit.rules
## This file is automatically generated from /etc/audit/rules.d
#-D ← コメントアウト
-e 0 ← 追記
# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested 
by dependency only.
See system logs and 'systemctl status auditd.service' for details.
# service auditd stop
Stopping logging:                                          [  OK  ]
# service auditd start
Redirecting to /bin/systemctl start  auditd.service
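 以上で設定変更は完了です。反映後の状態は「auditctl -s」の出力でenabledが0になっていることで確認できます。なお、/etc/audit/audit.rulesは冒頭のコメントのとおり/etc/audit/rules.d配下から自動生成されるファイルで、再生成されると直接の編集内容は上書きされうるため、設定として残るのはrules.d側の変更です。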