Description of problem: By default, the audit system (laus) on RHEL3 produces an ever-increasing set of save files (/var/log/audit.d/save.X) which are never rotated/deleted. This is apparently by design, as per the URL cited above. RedHat should consider modifying the distributed audit.conf file to rectify this issue. I consider this a bug rather than an enhancement request because it could potentially result in a system with a default RedHat installation filling up its disks. There are several workarounds, but RedHat as distributed should take care of rotating/controlling its own logfiles.

Version-Release number of selected component (if applicable): 0.1-54RHEL3

How reproducible: Perform a default installation of laus.
Same problem here. (RHEL 3.0 ES Update 3) With a heavily loaded machine, a 5 GB /var was full in a few hours. After the /var filesystem is full, unable to log in, and when rebooting (with CTRL-ALT-DEL on console), had messages saying /var was unmountable and busy.
Hi - I think we can mitigate this by writing a shim to sit between audit.conf and audbin. I'll post a test copy here when I get a few cycles to get something tidy.
# du -sh /var/log/audit.d/
7.5G    /var/log/audit.d

This is *really* horrible considering that audit is on by default in fresh installs. At least, can't we add a tmpwatch run for this directory?
Since people are having real problems with this: a workaround for this bug (described at http://ltp.sourceforge.net/docs/rheal3cu.html#Header_59) is to replace the "notify" command in /etc/audit/audit.conf with "notify=/bin/true". We've been forced to do this on our systems, and it appears to be working as a stopgap way to address the problem.
This bug is now fixed in laus-0.1-67RHEL3, which should be in RHEL-3-U5, and which meanwhile can be downloaded from: http://people.redhat.com/~jvdias/laus/

'/usr/sbin/audbin' now has -T and -N options:

-T <threshold>
    Specify the threshold of free blocks on the -S destination filesystem that cannot be exceeded. <threshold> must be a decimal number, with optional fraction. <threshold> can be expressed as a percentage, in which case it must end with the '%' character.
    Examples:
        -T 15000   Do not allow the number of free blocks on the -S destination filesystem to fall below 15000.
        -T 20%     Do not allow the number of free blocks on the -S destination filesystem to fall below 20% of the total blocks on the filesystem.
    If the -N option is not specified, and the threshold is exceeded, audbin will return an error to auditd causing the "output { error {" action specified in audit.conf to be executed.

-N <notify command>
    If the -T threshold is going to be exceeded by creation of the -S destination file, then the <notify command> will be run. Occurrences of the string %f within the notify command are replaced by the path of the oldest file in the -S destination directory.
    Example:
        -S /var/log/audit.d/save.%u -T 20% -N "mv %f /backup"
    will, when creation of the new /var/log/audit.d/save.N file would cause the free blocks on the /var filesystem to amount to less than 20% of the total blocks, move the oldest file in /var/log/audit.d with a name prefixed by "save." to /backup, before attempting to create the new save.N file. If the threshold is still exceeded, the command is repeated for the next oldest file until the disk usage is within the threshold.
    If the -N command should fail (eg. in the example above, if the /backup filesystem is full), then audbin will return an error to auditd causing the "output { error {" action specified in audit.conf to be executed.
The default audit.conf now has a notify command of: notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%"; By default, this will make auditd enter "suspend mode" when the number of free blocks on the /var filesystem is less than 20% of the total blocks. Users should implement their rotation / backup policy by adding a '-N' option to the audbin notify command, or change the default 'output { error { action' to be something other than suspend.
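A rotation helper in the spirit of the -T / -N behaviour described in the two comments above, as an added example that is not audbin's or Red Hat's code: it evaluates an absolute or percentage free-block threshold and moves the oldest save.* file to a backup directory until the threshold is satisfied. The directory, backup path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not audbin itself): mimic "-T 20% -N 'mv %f /backup'".
# Paths and function names are assumptions, not part of laus.

# below_threshold TOTAL FREE THRESHOLD
# Exit 0 when FREE blocks violate THRESHOLD, which is either an absolute
# block count or a percentage of TOTAL ending in '%' (fractions allowed).
below_threshold() {
    awk -v total="$1" -v free="$2" -v thr="$3" 'BEGIN {
        if (thr ~ /%$/) { sub(/%$/, "", thr); min = total * thr / 100 }
        else            { min = thr + 0 }
        exit (free + 0 < min) ? 0 : 1
    }'
}

# oldest_save DIR : print the oldest save.* file (by mtime) in DIR, if any.
oldest_save() {
    ls -tr "$1"/save.* 2>/dev/null | head -n 1
}

# rotate_oldest DIR BACKUP : move the oldest save.* file from DIR to BACKUP.
# Fails when nothing is left to move, so a caller such as auditd sees an
# error (and takes its "output { error {" action) instead of looping forever.
rotate_oldest() {
    f=$(oldest_save "$1")
    [ -n "$f" ] || return 1
    mv "$f" "$2"/
}

# free_and_total DIR : print "<total> <free>" 1K blocks of DIR's filesystem.
free_and_total() {
    df -P -k "$1" | awk 'NR == 2 { print $2, $4 }'
}

# rotate_until_ok DIR BACKUP THRESHOLD : the repeat-until-within-threshold
# loop from the comment above, applied to the live filesystem under DIR.
rotate_until_ok() {
    dir=$1; backup=$2; thr=$3
    while set -- $(free_and_total "$dir") && [ $# -eq 2 ] \
          && below_threshold "$1" "$2" "$thr"; do
        rotate_oldest "$dir" "$backup" || return 1
    done
}
```

Wired in as the -N command, the same loop becomes one `mv %f /backup` per audbin callback; keep /backup on a different filesystem than /var, or the rotation just fills the same disk.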
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-219.html