Bug 193643
Summary: | Audit system blocks, preventing associated services to work | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Frode Nordahl <frode> |
Component: | laus | Assignee: | Jason Vas Dias <jvdias> |
Status: | CLOSED NOTABUG | QA Contact: | Jay Turner <jturner> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3.0 | CC: | srevivo |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2006-05-31 15:23:07 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Frode Nordahl
2006-05-31 11:13:36 UTC
The problem could be occurring because auditd is finding that the amount of free space on the filesystem containing /var/log/audit.d/ is falling below the threshold specified in /etc/audit/audit.conf: notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%"; and it is hence unable to rotate the /var/log/audit.d/bin* audit log files. When audit finds that free space falls below the -T threshold, it put the system into 'suspend mode' until the free space is equal to or greater than the threshold. Entering suspend mode is the default action to take when there is insufficient free disk space, as configured by the -T threshold, as configured in /etc/audit.conf: error { action { type = suspend; }; See the man-pages for auditd(8), audbin(1), and audit.conf(5). Do you see messages in /var/log/messages saying audit is entering suspend mode?: # egrep 'audbin|suspend' /var/log/messages If so, then the /var/log/audit.d/ disk space threshold being exceeded is the problem. Unless you require auditing, then turn it off - # chkconfig --level=123456 audit off ; reboot nothing else depends on audit being enabled, and this is the default for a clean RHEL-3 install post-U5. If you want to retain auditing, then you need to set up a mechanism to purge old rotated log files - see the '-T' and '-N' options in man audbin(1) - eg. to remove the oldest log files, set this in /etc/audit.conf: notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N 'rm -f %f'"; or to move them to a different partition: notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N 'mv -f %f /another_partition/'"; or to process them with a script that then removes them: notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N '/bin/my_audit_log_rotation_script %f'"; If you do not see any 'audbin|suspend' messages in /var/log/messages, and the machine is still suspending, or if putting a log rotation mechanism in place does not fix the problem, then please re-open this bug and I'll investigate further - thanks. Thank you for your thorough response! I am a bit surprised though that the default configuration of RedHat Linux is to make sure the Operator cannot operate the system as soon as it needs Operator attention. |