Bug 1704500

Summary: auditd logs full of sudo events from vdsm
Product: Red Hat Enterprise Virtualization Manager
Reporter: Marcus West <mwest>
Component: ovirt-hosted-engine-ha
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Wei Wang <weiwang>
Severity: medium
Priority: medium
Version: 4.2.8-4
CC: cshao, dholler, huzhao, lsurette, lsvaty, mavital, mperina, msobczyk, mtessun, nlevy, qiyuan, sbonazzo, srevivo, stirabos, weiwang, yaniwang, ycui, yturgema
Target Milestone: ovirt-4.3.6
Keywords: ZStream
Target Release: 4.3.6
Flags: weiwang: testing_plan_complete+
Hardware: Unspecified
OS: Linux
Fixed In Version: ovirt-hosted-engine-ha-2.3.5
Doc Type: If docs needed, set a value
Last Closed: 2019-10-10 15:38:05 UTC
Type: Bug
oVirt Team: Integration
Bug Blocks: 1734476

Description Marcus West 2019-04-30 00:29:20 UTC
## Description of problem:

On RHVH (HE configured), sudo calls are made every 10 seconds, which spams the auditd logs; this causes them to rotate out in around 24hrs. This may not be acceptable for security-conscious customers, or others that would wish to use these logs for debug, audit, or RCA purposes.

## Version-Release number of selected component (if applicable):

rhvh--4.2.8.5--0.20190416 (not sure when this started)

## How reproducible:

Always, on HE hosts.

## Steps to Reproduce:
1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. check auditd logs (ausearch -ua vdsm)

## Actual results:

We can generally only see about 24hrs worth of entries (on an idle system)

## Expected results:

A non-RHV KVM host can have up to 4 months of auditd logs available. I do not think we should be logging known (expected) sudo requests initiated by vdsm.

## Additional info:

Non-HE hosts are not great either - my one has about 1 week worth of logs.  The checks here seem to be about every 5 minutes.
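
An added example, not part of the original report or of the oVirt code: a small audit.log parser that measures how often one account's sudo `USER_CMD` records appear and how much that traffic shortens log retention. The sample records are constructed, uid 36 stands in for the vdsm account, and the `max_log_file`/`num_logs` values are assumptions to be replaced with those from `/etc/audit/auditd.conf`; only `USER_CMD` records are attributed to the account, so other record types a sudo call may emit are not counted.

```python
import re
from collections import Counter
from statistics import median

# type, epoch seconds and the first uid= field of an audit.log record
REC = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):.*?\buid=(\d+)")

def make_sample(seconds=600, start=1556584160):
    """Constructed records: a uid-36 sudo USER_CMD every 10 s, a root login every 300 s."""
    out = []
    for t in range(0, seconds + 1, 10):
        out.append(f"type=USER_CMD msg=audit({start + t}.000:{1000 + t}): pid=4100 uid=36 "
                   "auid=4294967295 ses=4294967295 msg='cwd=\"/\" cmd=\"constructed\" "
                   "terminal=? res=success'")
    for t in range(0, seconds + 1, 300):
        out.append(f"type=USER_LOGIN msg=audit({start + t}.500:{5000 + t}): pid=900 uid=0 "
                   "auid=0 ses=1 msg='op=login acct=\"root\" res=success'")
    return "\n".join(out)

def parse(text):
    """Yield (type, epoch_seconds, uid, record_bytes) for each parseable line."""
    for line in text.splitlines():
        m = REC.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3)), len(line) + 1

def report(text, uid, max_log_file_mib=8, num_logs=5):
    """Estimate how long the log set lasts with and without one uid's records."""
    recs = list(parse(text))
    span = max(r[1] for r in recs) - min(r[1] for r in recs)
    if span <= 0:
        raise ValueError("need records spanning more than one second")
    by_uid = Counter()
    for _, _, u, size in recs:
        by_uid[u] += size
    total = sum(by_uid.values())
    times = sorted(t for typ, t, u, _ in recs if typ == "USER_CMD" and u == uid)
    gaps = [b - a for a, b in zip(times, times[1:])]
    capacity = max_log_file_mib * 1024 * 1024 * num_logs  # bytes across all rotated files
    hours = lambda nbytes: capacity * span / nbytes / 3600 if nbytes else float("inf")
    return {
        "sudo_interval_s": median(gaps) if gaps else None,
        "uid_byte_share": by_uid[uid] / total,
        "retention_hours": hours(total),
        "retention_hours_without_uid": hours(total - by_uid[uid]),
    }

if __name__ == "__main__":
    for key, value in report(make_sample(), uid=36).items():
        print(f"{key}: {value}")
```

Feeding it the contents of a real `/var/log/audit/audit.log` gives the same figures for a live host.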

Comment 5 Dominik Holler 2019-05-10 08:04:11 UTC
Simone, might ovirt-hosted-engine-ha trigger getCapabilities frequently?

Comment 8 Wei Wang 2019-07-31 09:43:57 UTC
Test Version
rhvh-4.2.11.1-0.20190618.0
ovirt-hosted-engine-setup-2.2.34-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.19-1.el7ev.noarch
vdsm-4.20.49-3.el7ev.x86_64

Test Steps:
1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. check auditd logs (ausearch -ua vdsm)

Result:
Generating only about 24hrs worth of entries

QE can reproduce this bug, ack+

Comment 10 Wei Wang 2019-08-23 07:48:43 UTC
Test Version:
RHVH-4.3-20190822.2-RHVH-x86_64-dvd1.iso
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-system-195-1.el7.noarch
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.6-1.el7ev.noarch
ovirt-hosted-engine-ha-2.3.5-1.el7ev.noarch
ovirt-hosted-engine-setup-2.3.12-1.el7ev.noarch
vdsm-4.30.29-2.el7ev.x86_64

Test Steps:
According to comment 8

Result:
No logging of known (expected) sudo requests initiated by vdsm.


bug is fixed, move status to "VERIFIED"

Comment 14 errata-xmlrpc 2019-10-10 15:38:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3017