Bug 727310

Summary: default audit log rotation seems dangerously small
Product: Fedora
Component: audit
Version: 15
Reporter: Robin Powell <rlpowell>
Assignee: Steve Grubb <sgrubb>
CC: sgrubb
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Fixed In Version: audit-2.1.3-1.fc15
Doc Type: Bug Fix
Last Closed: 2011-08-31 01:29:05 UTC

Description Robin Powell 2011-08-01 19:24:15 UTC
The default audit log rotation, as it shows up on my brand-fresh F15 system, is:

num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE

That means that at most ~20MiB of logs will be kept.

If something interesting (i.e. an active attack) is happening on a system, I'd expect that to result in losing the beginnings of the problem very quickly.

Just seems an unfortunate choice, although I'm sure there could be reasons I'm not aware of.

-Robin
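The arithmetic in the report (num_logs × max_log_file) is easy to do by hand for one host, but the answer also depends on max_log_file_action: ROTATE is the only setting where num_logs bounds retention, KEEP_LOGS and IGNORE leave growth unbounded, and SUSPEND caps the file and then stops logging altogether. The script below is an added example for this report, not code from the bug, from Fedora or from the audit package; it parses the "key = value" syntax of auditd.conf and grades the retention budget against a threshold. The embedded config reproduces the Fedora 15 defaults quoted above and is constructed for illustration, as is the 100 MiB threshold; the meaning given to each action follows auditd.conf(5), and treating a missing max_log_file_action as IGNORE is this script's assumption.

```python
"""Audit log retention check for an auditd.conf.

Added example for this bug report; not code from the report or from the
audit package. It parses the "key = value" lines of auditd.conf and works
out how much audit data auditd will keep before it discards records (or
stops writing them), following the documented meaning of max_log_file
(size in MiB), num_logs and max_log_file_action in auditd.conf(5).
"""
import sys

# Constructed sample reproducing the Fedora 15 defaults quoted in the report.
F15_DEFAULT_CONF = """\
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
"""


def parse_auditd_conf(text):
    """Return a {key: value} dict; blank lines and '#' comment lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def retention_mib(conf):
    """Return (bound_in_mib or None, reason).

    None means auditd itself places no bound on retention: the file, or the
    set of rotated files, grows until the disk fills or space_left_action
    fires.
    """
    size = int(conf.get("max_log_file", "0"))
    num_logs = int(conf.get("num_logs", "0"))
    # Assumption of this script: a missing action is treated as IGNORE.
    action = conf.get("max_log_file_action", "IGNORE").upper()

    if action == "ROTATE":
        # auditd.conf(5): with num_logs below 2, logs are not rotated at all.
        if num_logs < 2:
            return None, "ROTATE with num_logs < 2 never rotates; audit.log grows unbounded"
        return num_logs * size, "ROTATE keeps %d files of %d MiB" % (num_logs, size)
    if action == "KEEP_LOGS":
        return None, "KEEP_LOGS rotates but never deletes; bounded only by disk space"
    if action == "SUSPEND":
        # Nothing is discarded, but auditd stops writing to disk at the limit,
        # which is a worse failure mode than losing old records.
        return size, "SUSPEND caps audit.log at %d MiB and then stops logging" % size
    return None, "%s does not rotate; audit.log grows unbounded" % action


def check_retention(text, min_mib):
    """Grade a config: 'weak' if auditd would retain less than min_mib MiB."""
    conf = parse_auditd_conf(text)
    bound, reason = retention_mib(conf)
    if bound is None:
        verdict = "unbounded"
    elif bound < min_mib:
        verdict = "weak"
    else:
        verdict = "ok"
    return {"bound_mib": bound, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Usage: python check_audit_retention.py [/etc/audit/auditd.conf] [min_mib]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    min_mib = int(sys.argv[2]) if len(sys.argv) > 2 else 100
    text = open(path).read() if path else F15_DEFAULT_CONF
    result = check_retention(text, min_mib)
    print("%s: %s MiB retained (%s)" % (result["verdict"], result["bound_mib"], result["reason"]))
```

Run without arguments it grades the embedded F15 defaults (20 MiB, "weak" against 100 MiB); point it at /etc/audit/auditd.conf to grade a real host. The threshold is deliberately a parameter rather than a recommendation, since the thread itself shows there is no single right number.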

Comment 1 Steve Grubb 2011-08-01 20:59:22 UTC
I am well aware of that. Just as you want more than 20 MB by default, there are people that don't want to waste 5 MB on the audit logs. So, what do I do? I might bump it up to 30 MB and see if I get complaints to make it smaller, but everyone has different needs.

Comment 2 Robin Powell 2011-08-02 00:20:58 UTC
0.o  Seems to me that if you can't spare 5 MiB, you are on a system so small that managing the config is *required*.

Anyways, thanks for listening; I'm not going to throw a fit or anything, I just wanted to point it out.

-Robin

Comment 3 Robin Powell 2011-08-02 00:25:53 UTC
For what little it's worth, my solution was to turn off in-auditd rotation entirely and do daily rotation with logrotate and a restart, but I imagine that's far more likely to lose a message or two, and that the default needs to be something that is very very unlikely to ever do that.

-Robin

Comment 4 Steve Grubb 2011-08-13 12:02:05 UTC
Config updated:
https://fedorahosted.org/audit/changeset/558

Comment 5 Fedora Update System 2011-08-15 22:58:36 UTC
audit-2.1.3-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/audit-2.1.3-1.fc15

Comment 6 Fedora Update System 2011-08-17 00:54:00 UTC
Package audit-2.1.3-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing audit-2.1.3-1.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/audit-2.1.3-1.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-08-31 01:29:00 UTC
audit-2.1.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.