Bug 1704500 - auditd logs full of sudo events from vdsm
Summary: auditd logs full of sudo events from vdsm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-hosted-engine-ha
Version: 4.2.8-4
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: ovirt-4.3.6
: 4.3.6
Assignee: Simone Tiraboschi
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On:
Blocks: 1734476
Reported: 2019-04-30 00:29 UTC by Marcus West
Modified: 2019-10-10 15:38 UTC (History)

Fixed In Version: ovirt-hosted-engine-ha-2.3.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-10 15:38:05 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:
weiwang: testing_plan_complete+


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3017 0 None None None 2019-10-10 15:38:07 UTC
oVirt gerrit 101266 0 'None' MERGED Avoid calling getCapabilities in the monitors 2020-07-05 23:56:58 UTC
oVirt gerrit 102268 0 'None' MERGED Avoid calling getCapabilities in the monitors 2020-07-05 23:56:58 UTC

Description Marcus West 2019-04-30 00:29:20 UTC
## Description of problem:

On RHVH (HE configured), sudo calls are made every 10 seconds, which spam the auditd logs - this causes them to rotate out in around 24hrs.  This may not be acceptable for security-conscious customers, or others that would wish to use these logs for debug, audit, or RCA purposes.

## Version-Release number of selected component (if applicable):

rhvh--4.2.8.5--0.20190416 (not sure when this started)

## How reproducible:

Always, on HE hosts.

## Steps to Reproduce:
1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. check auditd logs (ausearch -ua vdsm)

## Actual results:

We can generally only see about 24hrs worth of entries (on an idle system)

## Expected results:

A non-RHV KVM host can have up to 4 months of auditd logs available.  I do not think we should be logging known (expected) sudo requests initiated by vdsm.

## Additional info:

Non-HE hosts are not great either - my one has about 1 week worth of logs.  The checks here seem to be about every 5 minutes.
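
An added example, not part of the original report and not oVirt code: a small parser for raw audit.log records that measures how often one account's sudo `USER_CMD` records arrive and how much of the rotation window they consume. The sample records are constructed, uid 36 is assumed to be the vdsm account, and the `max_log_file` / `num_logs` values passed in are assumed auditd.conf settings.

```python
import re
from statistics import median

# Constructed sample in raw audit.log layout (not taken from the bug report).
# uid=36 is assumed to be the vdsm account; cmd= holds a hex-encoded placeholder.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1556583000.101:9001): pid=4101 uid=36 auid=4294967295 ses=4294967295 msg='cwd="/" cmd=706C616365686F6C646572 terminal=? res=success'
type=SERVICE_START msg=audit(1556583005.300:9002): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=example comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1556583010.104:9003): pid=4130 uid=36 auid=4294967295 ses=4294967295 msg='cwd="/" cmd=706C616365686F6C646572 terminal=? res=success'
type=USER_CMD msg=audit(1556583020.099:9004): pid=4162 uid=36 auid=4294967295 ses=4294967295 msg='cwd="/" cmd=706C616365686F6C646572 terminal=? res=success'
type=USER_LOGIN msg=audit(1556583025.500:9005): pid=5200 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_CMD msg=audit(1556583030.102:9006): pid=4190 uid=36 auid=4294967295 ses=4294967295 msg='cwd="/" cmd=706C616365686F6C646572 terminal=? res=success'
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\): (.*)$")
UID = re.compile(r"(?:^|\s)uid=(\d+)")  # whitespace anchor skips auid= and id=


def summarize(log_text, uid, max_log_file_mb, num_logs):
    """Measure one uid's sudo record rate and its effect on audit log retention."""
    rows = []  # (epoch_seconds, record_type, uid, bytes_on_disk)
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            u = UID.search(m.group(3))
            rows.append((int(m.group(2)), m.group(1),
                         int(u.group(1)) if u else None, len(line) + 1))
    if len(rows) < 2 or rows[-1][0] == rows[0][0]:
        raise ValueError("need records spanning more than one second")
    span = rows[-1][0] - rows[0][0]
    cmds = [t for t, typ, u, _ in rows if typ == "USER_CMD" and u == uid]
    gaps = [b - a for a, b in zip(cmds, cmds[1:])]
    total = sum(r[3] for r in rows)
    other = sum(r[3] for r in rows if r[2] != uid)
    capacity = max_log_file_mb * 1024 * 1024 * num_logs  # bytes kept before rotation drops data

    def hours(nbytes):
        # Time to fill the whole rotation set at the observed byte rate.
        return capacity * span / nbytes / 3600 if nbytes else float("inf")

    return {"records": len(rows), "uid_records": sum(r[2] == uid for r in rows),
            "sudo_cmds": len(cmds), "median_gap_s": median(gaps) if gaps else None,
            "span_s": span, "retention_hours_all": hours(total),
            "retention_hours_without_uid": hours(other)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, uid=36, max_log_file_mb=8, num_logs=5))
```

On a host, feed it the text of the audit log files instead of `SAMPLE_LOG`; a short window only gives a rough projection of retention.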

Comment 5 Dominik Holler 2019-05-10 08:04:11 UTC
Simone, might ovirt-hosted-engine-ha trigger getCapabilities frequently?

Comment 8 Wei Wang 2019-07-31 09:43:57 UTC
Test Version
rhvh-4.2.11.1-0.20190618.0
ovirt-hosted-engine-setup-2.2.34-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.19-1.el7ev.noarch
vdsm-4.20.49-3.el7ev.x86_64

Test Steps:
1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. check auditd logs (ausearch -ua vdsm)

Result:
Generating only about 24hrs worth of entries

QE can reproduce this bug, ack+

Comment 10 Wei Wang 2019-08-23 07:48:43 UTC
Test Version:
RHVH-4.3-20190822.2-RHVH-x86_64-dvd1.iso
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-system-195-1.el7.noarch
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.6-1.el7ev.noarch
ovirt-hosted-engine-ha-2.3.5-1.el7ev.noarch
ovirt-hosted-engine-setup-2.3.12-1.el7ev.noarch
vdsm-4.30.29-2.el7ev.x86_64

Test Steps:
According to comment 8

Result:
No logging of known (expected) sudo requests initiated by vdsm.

Bug is fixed, move status to "VERIFIED"

Comment 11 Daniel Gur 2019-08-28 13:15:29 UTC
sync2jira

Comment 12 Daniel Gur 2019-08-28 13:21:17 UTC
sync2jira

Comment 14 errata-xmlrpc 2019-10-10 15:38:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3017

