Linux Auditd Service and SSH Login

Posted by: scoopseven 12 years, 6 months ago

We have a CentOS 5.x box that strangely stopped allowing us to ssh in.  It would accept a username, prompt you for a password, and then just hang there, eventually timing out.  We tracked the problem down to a service, auditd, the Linux audit daemon.  It receives security audit records from the kernel and writes them to its own log, /var/log/audit/audit.log, rather than to /var/log/messages.  The clue was in /var/log/messages itself: repeated "kernel: audit: backlog limit exceeded" errors.

The audit package also ships aureport, which lets you run some interesting little summary reports on the logins, system calls and other audited events that occurred on your machine within a given timeframe. Some examples:

aureport --start today
aureport --start today --event --summary -i

I'm sure it has a thousand other cool uses, too.  The problem we ran into, though, was that once the kernel's audit backlog filled up, any process that generates audit records (sshd and PAM during a login, in our case) blocked waiting for space in that backlog, so logins hung instead of completing.  The backlog size is set by the -b line in /etc/audit/audit.rules, which auditd loads with auditctl at start-up; /etc/audit/auditd.conf only governs what auditd itself does when its log disk fills up or errors out.  To stop ssh logins from hanging we increased the number of buffers available to the kernel audit subsystem, per this thread, in /etc/audit/audit.rules. 

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# changed above line to
-b 8192
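The change above is the whole fix, but it helps to confirm the diagnosis before and after: count the kernel warnings in the messages log, read the live backlog counters from auditctl -s, and edit the -b line. The script below is an added example, not code from the original post; it assumes the audit CLI's auditctl -s output (either the one-line key=value form of audit 1.x on CentOS 5 or the newer key-per-line form), a syslog-style file, and a path to an audit.rules file. The sample log lines, status line and rules file at the bottom are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example for this post (not the author's code): spot audit backlog
# pressure and raise the -b limit in an audit.rules file.
# Assumed inputs: a syslog-style file, the text of `auditctl -s`, and a rules
# file path. The sample data at the bottom is constructed, not real.

# Number of kernel "backlog limit exceeded" warnings in a syslog-style file.
count_backlog_warnings() {
    grep -c 'audit: backlog limit exceeded' "$1" || true
}

# Pull one field out of `auditctl -s` output. Audit 1.x (CentOS 5) prints
# "AUDIT_STATUS: enabled=1 ... backlog_limit=320 lost=0 backlog=0" on one
# line; newer releases print "backlog_limit 8192" one field per line.
# Both are tokenised on spaces and '=' so the value follows its key.
status_field() {
    printf '%s\n' "$2" | tr ' =' '\n\n' | awk -v k="$1" '$0 == k { getline; print; exit }'
}

# Print PRESSURE if records were already lost, or if the backlog sits at
# 80% or more of a non-zero limit (limit 0 means the kernel imposes none);
# otherwise print OK.
backlog_pressure() {
    limit=$(status_field backlog_limit "$1");  limit=${limit:-0}
    backlog=$(status_field backlog "$1");      backlog=${backlog:-0}
    lost=$(status_field lost "$1");            lost=${lost:-0}
    if [ "$lost" -gt 0 ]; then
        echo PRESSURE; return 0
    fi
    if [ "$limit" -gt 0 ] && [ $(( backlog * 5 )) -ge $(( limit * 4 )) ]; then
        echo PRESSURE; return 0
    fi
    echo OK
}

# Rewrite (or append) the -b line in an audit.rules file, leaving every
# other rule untouched, then print the resulting line. auditd reads this
# file at start-up; `auditctl -b N` changes the running kernel immediately.
raise_backlog_limit() {
    rules=$1; new=$2
    if grep -q '^-b ' "$rules"; then
        sed "s/^-b  *[0-9][0-9]*/-b $new/" "$rules" > "$rules.tmp"
    else
        { cat "$rules"; echo "-b $new"; } > "$rules.tmp"
    fi
    mv "$rules.tmp" "$rules"
    grep '^-b ' "$rules"
}

# --- constructed demo data (assumption: not from any real host) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/messages" <<'EOF'
Jan 10 09:12:01 host kernel: audit: audit_backlog=321 > audit_backlog_limit=320
Jan 10 09:12:01 host kernel: audit: backlog limit exceeded
Jan 10 09:12:02 host sshd[2231]: Accepted password for admin from 10.0.0.5 port 51022 ssh2
Jan 10 09:12:09 host kernel: audit: backlog limit exceeded
EOF
sample_status='AUDIT_STATUS: enabled=1 flag=1 pid=1842 rate_limit=0 backlog_limit=320 lost=17 backlog=320'
cat > "$tmpdir/audit.rules" <<'EOF'
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
EOF

echo "backlog warnings in messages: $(count_backlog_warnings "$tmpdir/messages")"
echo "live audit status verdict: $(backlog_pressure "$sample_status")"
echo "rules line after edit: $(raise_backlog_limit "$tmpdir/audit.rules" 8192)"
rm -rf "$tmpdir"
```

On a real host, feed the functions the live data: count_backlog_warnings /var/log/messages, backlog_pressure "$(auditctl -s)", and raise_backlog_limit /etc/audit/audit.rules 8192 as root, followed by auditctl -b 8192 (or a restart of auditd) so the new limit is active before the next login. While you are in the file, check the -f failure flag too: 1 is the default and only logs the kernel warning shown above, whereas 2 makes the kernel panic when it cannot log, which is a much worse way to find out the backlog is full.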

Can't wait to make this an Arch box.
