Bug 130071 - (IT_66339) laus creates an ever-increasing (and never rotated/deleted) set of logfiles
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: i686 Linux
Priority: medium  Severity: medium
: ---
: ---
Assigned To: Jason Vas Dias
QA Contact: Jay Turner
URL: http://ltp.sourceforge.net/docs/rheal...
Blocks: 132991
Reported: 2004-08-16 16:36 EDT by John Caruso
Modified: 2015-01-07 19:08 EST

Doc Type: Bug Fix
Last Closed: 2005-05-19 23:25:51 EDT
Attachments: None

Description John Caruso 2004-08-16 16:36:46 EDT
Description of problem:
By default, the audit system (laus) on RHEL3 produces an ever-
increasing set of save files (/var/log/audit.d/save.X) which are 
never rotated/deleted.  This is apparently by design, as per the URL 
cited above.  RedHat should consider modifying the distributed 
audit.conf file to rectify this issue.

I consider this a bug rather than an enhancement request because it 
could potentially result in a system with a default RedHat 
installation filling up its disks.  There are several workarounds, 
but RedHat as distributed should take care of rotating/controlling 
its own logfiles.

Version-Release number of selected component (if applicable):
0.1-54RHEL3

How reproducible:
Perform a default installation of laus.
Comment 1 Sebastien BLAISOT 2004-09-10 10:20:22 EDT
Same problem here (RHEL 3.0 ES Update 3).

With a heavily loaded machine, a 5 GB /var was full in a few hours. After the /var filesystem was full, I was unable to log in, and when rebooting (with CTRL-ALT-DEL on the console) I had messages saying /var was unmountable and busy.

Comment 2 Charlie Bennett 2004-09-13 16:30:16 EDT
Hi - I think we can mitigate this by writing a shim to sit between
audit.conf and audbin.  I'll post a test copy here when I get a few
cycles to get something tidy.
Comment 4 Joe Orton 2004-10-15 11:43:35 EDT
# du -sh /var/log/audit.d/
7.5G    /var/log/audit.d

This is *really* horrible considering that audit is on by default in fresh installs. At least, can't we add a tmpwatch run for this directory?
Comment 5 John Caruso 2004-10-15 14:43:00 EDT
Since people are having real problems with this: a workaround for this bug (described at http://ltp.sourceforge.net/docs/rheal3cu.html#Header_59) is to replace the "notify" command in /etc/audit/audit.conf with "notify=/bin/true". We've been forced to do this on our systems, and it appears to be working as a stopgap way to address the problem.
Comment 7 Jason Vas Dias 2005-02-24 13:14:38 EST
This bug is now fixed in laus-0.1-67RHEL3, which should be in 
RHEL-3-U5, and which meanwhile can be downloaded from:
   http://people.redhat.com/~jvdias/laus/

'/usr/sbin/audbin' now has -T and -N options:

-T <threshold>
    Specify the threshold of free blocks on the -S destination filesystem
    that cannot be exceeded. <threshold> must be a decimal number, with
    optional fraction. <threshold> can be expressed as a percentage, in
    which case it must end with the '%' character.
    Examples:
    -T 15000
        Do not allow the number of free blocks on the -S destination
        filesystem to fall below 15000.
    -T 20%
        Do not allow the number of free blocks on the -S destination
        filesystem to fall below 20% of the total blocks on the filesystem.
    If the -N option is not specified, and the threshold is exceeded,
    audbin will return an error to auditd causing the 'output { error {'
    action specified in audit.conf to be executed.

-N <notify command>
    If the -T threshold is going to be exceeded by creation of the -S
    destination file, then the <notify command> will be run. Occurrences
    of the string %f within the notify command are replaced by the path
    of the oldest file in the -S destination directory.
    Example:
    -S /var/log/audit.d/save.%u -T 20% -N 'mv %f /backup'
        will, when creation of the new /var/log/audit.d/save.N file would
        cause the free blocks on the /var filesystem to amount to less
        than 20% of the total blocks, move the oldest file in
        /var/log/audit.d with a name prefixed by 'save.' to /backup,
        before attempting to create the new save.N file. If the threshold
        is still exceeded, the command is repeated for the next oldest
        file until the disk usage is within the threshold.
    If the -N command should fail (e.g. in the example above, if the
    /backup filesystem is full), then audbin will return an error to
    auditd causing the 'output { error {' action specified in
    audit.conf to be executed.


The default audit.conf now has a notify command of:

    notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";

By default, this will make auditd enter "suspend mode" when the number of free blocks on the /var filesystem is less than 20% of the total blocks.

Users should implement their rotation / backup policy by adding a '-N' option to the audbin notify command, or change the default 'output { error { action' to be something other than suspend.


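The rotation policy that the comment above leaves to users (the '-N' notify command) can be implemented as a small handler script. The following is an added example written for this page, not code from the bug report, from laus or from Red Hat. The script path /usr/local/sbin/audit-archive, the archive directory /backup/audit and the AUDIT_ARCHIVE_DIR variable are assumptions; the %f substitution and the "error on failure" behaviour are taken from the audbin description above. The self-check at the end runs on constructed files in a temporary directory and never touches real audit data.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the laus package: a
# notify handler for audbin's -N option. audbin substitutes %f with the
# path of the oldest save.* file in the -S directory; this script moves
# that file, compressed, into an archive directory. Any failure makes it
# exit non-zero, so audbin reports an error to auditd and the
# 'output { error {' action from audit.conf runs instead of audit data
# being silently lost.
#
# Assumed (hypothetical) installation path and audit.conf line:
#   notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N '/usr/local/sbin/audit-archive %f'";

# Archive destination (assumed); override with AUDIT_ARCHIVE_DIR. Keep it
# on a different filesystem than /var so that archiving actually frees
# space on the filesystem audbin is watching.
ARCHIVE_DIR="${AUDIT_ARCHIVE_DIR:-/backup/audit}"

# archive_save_file <path>
# gzip <path> into $ARCHIVE_DIR/<name>.<timestamp>.gz and remove the
# original only after the compressed copy was written completely.
# Returns 0 on success, 1 on failure (missing source, unwritable archive
# directory, or gzip error); on failure the original is left untouched.
archive_save_file() {
    src="$1"
    [ -f "$src" ] || return 1
    mkdir -p "$ARCHIVE_DIR" || return 1
    dest="$ARCHIVE_DIR/$(basename "$src").$(date +%Y%m%d%H%M%S).gz"
    if gzip -c "$src" > "$dest"; then
        rm -f "$src"
        return 0
    fi
    rm -f "$dest"   # do not leave a truncated archive behind
    return 1
}

# oldest_save_file <dir>
# Print the oldest save.* file in <dir> by modification time, i.e. the
# file audbin would pass as %f; prints nothing if there are none.
oldest_save_file() {
    ls -tr "$1"/save.* 2>/dev/null | head -n 1
}

# demo_rotation
# Self-check on constructed data in a temporary directory (no real audit
# files are touched): three fake save.N files with distinct timestamps,
# archive the oldest, verify the two newer ones survive. Returns 0 when
# the rotation behaved as intended, 1 otherwise.
demo_rotation() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/audit.d"
    ARCHIVE_DIR="$tmp/backup"
    for n in 1 2 3; do
        printf 'constructed audit record %s\n' "$n" > "$tmp/audit.d/save.$n"
        touch -t "2004081601$n$n" "$tmp/audit.d/save.$n"   # 01:11, 01:22, 01:33
    done
    oldest=$(oldest_save_file "$tmp/audit.d")
    status=1
    if [ "$oldest" = "$tmp/audit.d/save.1" ] && archive_save_file "$oldest" \
        && [ ! -e "$tmp/audit.d/save.1" ] && [ -e "$tmp/audit.d/save.2" ] \
        && [ -e "$tmp/audit.d/save.3" ] && gzip -t "$ARCHIVE_DIR"/save.1.*.gz; then
        status=0
    fi
    echo "rotated $oldest into $ARCHIVE_DIR (status $status)"
    rm -rf "$tmp"
    return $status
}

# No argument: run the self-check. One argument: act as the -N handler.
case "${1:-}" in
    "") demo_rotation ;;
    *)  archive_save_file "$1" ;;
esac
```

The non-zero exit on any failure is the important design point: because audbin repeats the -N command for the next-oldest file only while the command succeeds, a handler that swallowed errors (or the '/bin/true' stopgap from Comment 5) would let audbin believe space was freed when it was not. With this script, a full archive filesystem surfaces as the 'output { error {' action, where it can be noticed, rather than as a silently filling /var.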
Comment 8 Dennis Gregorovic 2005-05-19 23:25:51 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-219.html
