Bug 130071 (IT_66339) - laus creates an ever-increasing (and never rotated/deleted) set of logfiles
Summary: laus creates an ever-increasing (and never rotated/deleted) set of logfiles
Keywords:
Status: CLOSED ERRATA
Alias: IT_66339
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Jay Turner
URL: http://ltp.sourceforge.net/docs/rheal...
Whiteboard:
Depends On:
Blocks: 132991
 
Reported: 2004-08-16 20:36 UTC by John Caruso
Modified: 2015-01-08 00:08 UTC
CC List: 9 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-20 03:25:51 UTC




Links:
Red Hat Product Errata RHBA-2005:219 (priority normal, status SHIPPED_LIVE): laus bug fix update, last updated 2005-05-19 04:00:00 UTC

Description John Caruso 2004-08-16 20:36:46 UTC
Description of problem:
By default, the audit system (laus) on RHEL3 produces an ever-
increasing set of save files (/var/log/audit.d/save.X) which are 
never rotated/deleted.  This is apparently by design, as per the URL 
cited above.  RedHat should consider modifying the distributed 
audit.conf file to rectify this issue.

I consider this a bug rather than an enhancement request because it 
could potentially result in a system with a default RedHat 
installation filling up its disks.  There are several workarounds, 
but RedHat as distributed should take care of rotating/controlling 
its own logfiles.

Version-Release number of selected component (if applicable):
0.1-54RHEL3

How reproducible:
Perform a default installation of laus.

Comment 1 Sebastien BLAISOT 2004-09-10 14:20:22 UTC
Same problem here (RHEL 3.0 ES Update 3).

With a heavily loaded machine, a 5 GB /var was full in a few hours.
After the /var filesystem is full, unable to log in, and when
rebooting (with CTRL-ALT-DEL on console), had messages saying /var was
unmountable and busy.



Comment 2 Charlie Bennett 2004-09-13 20:30:16 UTC
Hi - I think we can mitigate this by writing a shim to sit between
audit.conf and audbin.  I'll post a test copy here when I get a few
cycles to get something tidy.

Comment 4 Joe Orton 2004-10-15 15:43:35 UTC
# du -sh /var/log/audit.d/
7.5G    /var/log/audit.d

this is *really* horrible considering that audit is on by default in
fresh installs.  At least, can't we add a tmpwatch run for this directory?

Comment 5 John Caruso 2004-10-15 18:43:00 UTC
Since people are having real problems with this: a workaround for 
this bug (described at 
http://ltp.sourceforge.net/docs/rheal3cu.html#Header_59) is to 
replace the "notify" command in /etc/audit/audit.conf 
with "notify=/bin/true".  We've been forced to do this on our 
systems, and it appears to be working as a stopgap way to address the 
problem.


Comment 7 Jason Vas Dias 2005-02-24 18:14:38 UTC
This bug is now fixed in laus-0.1-67RHEL3, which should be in 
RHEL-3-U5, and which meanwhile can be downloaded from:
   http://people.redhat.com/~jvdias/laus/

'/usr/sbin/audbin' now has -T and -N options:

-T <threshold>
Specify the threshold of free blocks on the -S destination filesystem that cannot be exceeded. <threshold> must be a decimal number, with optional fraction. <threshold> can be expressed as a percentage, in which case it must end with the '%' character.
Examples:
-T 15000
Do not allow the number of free blocks on the -S destination filesystem to fall below 15000.
-T 20%
Do not allow the number of free blocks on the -S destination filesystem to fall below 20% of the total blocks on the filesystem.
If the -N option is not specified, and the threshold is exceeded, audbin will return an error to auditd causing the 'output { error {' action specified in audit.conf to be executed.

-N <notify command>
If the -T threshold is going to be exceeded by creation of the -S destination file, then the <notify command> will be run. Occurrences of the string %f within the notify command are replaced by the path of the oldest file in the -S destination directory.
Example:
-S /var/log/audit.d/save.%u -T 20% -N 'mv %f /backup'
will, when creation of the new /var/log/audit.d/save.N file would cause the free blocks on the /var filesystem to amount to less than 20% of the total blocks, move the oldest file in /var/log/audit.d with a name prefixed by 'save.' to /backup, before attempting to create the new save.N file. If the threshold is still exceeded, the command is repeated for the next oldest file until the disk usage is within the threshold.
If the -N command should fail (eg. in the example above, if the /backup filesystem is full), then audbin will return an error to auditd causing the 'output { error {' action specified in audit.conf to be executed.


The default audit.conf now has a notify command of:
notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";

By default, this will make auditd enter "suspend mode" when the 
number of free blocks on the /var filesystem is less than 20% of the
total blocks.
Users should implement their rotation / backup policy by adding a 
'-N' option to the audbin notify command, or change the default
'output { error { action' to be something other than suspend.
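
An added example of the rotation policy comment 7 leaves to the administrator: a script meant to be wired in as the audbin -N handler, so that when the -T free-block threshold would be crossed the oldest save file is compressed into a backup location and only then removed, and a failed copy (full backup filesystem, missing directory) makes the handler exit non-zero so auditd falls through to the configured 'output { error {' action instead of silently losing audit records. This is not code from laus, Red Hat, or anyone in this thread; it reimplements the -T comparison described in comment 7 in shell so it can be checked stand-alone, and the script path /usr/local/sbin/rotate_audit_save.sh, the /backup directory, and the audit.conf line in the header comment are assumptions of the example.

```sh
#!/bin/sh
# rotate_audit_save.sh: hypothetical -N handler for audbin (added example,
# not part of laus). Assumed wiring in /etc/audit/audit.conf:
#   notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% \
#             -N '/usr/local/sbin/rotate_audit_save.sh %f /backup'";
# audbin substitutes %f with the path of the oldest save.* file and
# re-runs the handler until the filesystem is back within the threshold.
set -u

# threshold_exceeded FREE_BLOCKS TOTAL_BLOCKS THRESHOLD
# Mirrors the -T rule from comment 7: succeeds (exit 0) when FREE_BLOCKS is
# below THRESHOLD, given either as an absolute block count ("15000") or a
# percentage of TOTAL_BLOCKS ("20%", fractions such as "12.5%" allowed).
threshold_exceeded() {
    free=$1; total=$2; thr=$3
    case "$thr" in
        *%)
            pct=${thr%\%}
            awk -v f="$free" -v t="$total" -v p="$pct" \
                'BEGIN { exit !(f < p * t / 100) }'
            ;;
        *)
            awk -v f="$free" -v t="$thr" 'BEGIN { exit !(f < t) }'
            ;;
    esac
}

# oldest_save DIR
# Prints the path of the oldest save.* file in DIR (what audbin passes as
# %f); ls -t sorts newest first, -r reverses so the oldest comes out first.
oldest_save() {
    dir=$1
    ls -tr "$dir"/save.* 2>/dev/null | head -n 1
}

# rotate_save FILE BACKUPDIR
# Compress FILE into BACKUPDIR/<name>.gz, then delete the original.
# The original is removed only after the compressed copy is complete, so a
# full or missing backup location keeps the audit trail on /var and returns
# non-zero, which audbin reports to auditd as an -N failure.
rotate_save() {
    file=$1; backup=$2
    [ -f "$file" ] || { echo "rotate_save: $file is not a regular file" >&2; return 1; }
    [ -d "$backup" ] || { echo "rotate_save: backup dir $backup missing" >&2; return 1; }
    out="$backup/$(basename "$file").gz"
    if ! gzip -c "$file" > "$out" 2>/dev/null; then
        rm -f "$out"            # never leave a truncated archive behind
        echo "rotate_save: could not write $out" >&2
        return 1
    fi
    rm -f "$file"
}

# Stand-alone invocation: rotate_audit_save.sh <oldest save file> [backup dir]
if [ "$#" -ge 1 ]; then
    rotate_save "$1" "${2:-/backup}"
fi
```

Before putting a handler like this in audit.conf, test it against a full backup filesystem: comment 7 states that a failing -N command makes audbin return an error to auditd, so a handler that deletes before it copies would both lose records and hide the failure from the 'output { error {' path.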




Comment 8 Dennis Gregorovic 2005-05-20 03:25:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-219.html


