How to exclude crond from audit logs

Solution Verified - Updated -

Issue

  • How can we disable all the extra PAM-related crond messages from filling up /var/log/audit/audit.log?

  • Auditd logs show at least 6 events audit.log every time cron runs a job. In my case that's every 5 minutes cause that's what I have set sar to.

    type=USER_ACCT msg=audit(1336941301.016:10008): user pid=27266 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1336941301.016:10009): user pid=27266 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1336941301.016:10010): login pid=27266 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=1542
type=USER_START msg=audit(1336941301.046:10011): user pid=27266 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1336941301.076:10012): user pid=27266 uid=0 auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1336941301.076:10013): user pid=27266 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.