## Description of problem:

On RHVH (HE configured), sudo calls are made every 10 seconds, which spam the auditd logs - this causes them to rotate out in around 24hrs. This may not be acceptable for security-conscious customers, or others that would wish to use these logs for debug, audit, or RCA purposes.

## Version-Release number of selected component (if applicable):

rhvh--4.2.8.5--0.20190416 (not sure when this started)

## How reproducible:

Always, on HE hosts.

## Steps to Reproduce:

1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. Check auditd logs (ausearch -ua vdsm)

## Actual results:

We can generally only see about 24hrs worth of entries (on an idle system).

## Expected results:

A non-RHV KVM host can have up to 4 months of auditd logs available. I do not think we should be logging known (expected) sudo requests initiated by vdsm.

## Additional info:

Non-HE hosts are not great either - my one has about 1 week worth of logs. The checks here seem to be about every 5 minutes.
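To measure the effect described in the report above, the following added example (not part of the original report or of any oVirt/RHV code) groups audit records by type, uid and decoded `cmd=` value, then estimates how many hours of history fit in the rotation budget at the observed write rate. The sample lines, the uid and the command are constructed placeholders; `max_log_file` and `num_logs` are the auditd.conf rotation settings, passed in as parameters.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log format (not taken from the report).
# The uid and the hex-encoded command are illustrative placeholders.
CMD_HEX = b"/usr/bin/example-tool -q".hex().upper()
SAMPLE = "\n".join(
    "type=USER_CMD msg=audit(%d.000:%d): pid=%d uid=36 auid=4294967295 "
    "ses=4294967295 msg='cwd=\"/\" cmd=%s terminal=? res=success'"
    % (1555400000 + 10 * i, 100 + i, 2000 + i, CMD_HEX)
    for i in range(7)
) + (
    "\ntype=USER_LOGIN msg=audit(1555400060.000:200): pid=3000 uid=0 "
    "auid=1000 ses=3 msg='op=login acct=\"admin\" res=success'"
)

LINE_RE = re.compile(r"type=(\S+) msg=audit\((\d+)\.\d+:\d+\):.*?\buid=(\d+)")
CMD_RE = re.compile(r"\bcmd=(\S+)")

def decode_cmd(value):
    """auditd hex-encodes values containing spaces; quoted values are literal."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def summarize(text):
    """Return (bytes written per (type, uid, cmd), first ts, last ts)."""
    usage, first, last = Counter(), None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not audit records
        rtype, ts, uid = m.group(1), int(m.group(2)), m.group(3)
        cmd = CMD_RE.search(line)
        key = (rtype, uid, decode_cmd(cmd.group(1)) if cmd else "")
        usage[key] += len(line) + 1  # +1 for the newline
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    return usage, first, last

def retention_hours(total_bytes, span_seconds, max_log_file_mb, num_logs):
    """Hours of history that fit in max_log_file * num_logs at this rate."""
    capacity = max_log_file_mb * 1024 * 1024 * num_logs
    return capacity / (total_bytes / span_seconds) / 3600
```

On a host, pass the contents of `/var/log/audit/audit.log` to `summarize()` and the `max_log_file` and `num_logs` values from `/etc/audit/auditd.conf` to `retention_hours()`; the top entries of the returned counter show which caller and command consume the retention window.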
Simone, might ovirt-hosted-engine-ha trigger getCapabilities frequently?
Yes, it's used in mem_load and mgmt_bridge submonitors:

https://github.com/oVirt/ovirt-hosted-engine-ha/blob/master/ovirt_hosted_engine_ha/broker/submonitors/mem_load.py#L44
https://github.com/oVirt/ovirt-hosted-engine-ha/blob/master/ovirt_hosted_engine_ha/broker/submonitors/mgmt_bridge.py#L47

so 2 or 3 calls every minute sounds plausible.
Test Version:

rhvh-4.2.11.1-0.20190618.0
ovirt-hosted-engine-setup-2.2.34-1.el7ev.noarch
ovirt-hosted-engine-ha-2.2.19-1.el7ev.noarch
vdsm-4.20.49-3.el7ev.x86_64

Test Steps:

1. Install RHVH and configure for HostedEngine
2. Wait over 24hrs
3. Check auditd logs (ausearch -ua vdsm)

Result:

Generating only about 24hrs worth of entries.

QE can reproduce this bug, ack+
Test Version:

RHVH-4.3-20190822.2-RHVH-x86_64-dvd1.iso
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-system-195-1.el7.noarch
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.6-1.el7ev.noarch
ovirt-hosted-engine-ha-2.3.5-1.el7ev.noarch
ovirt-hosted-engine-setup-2.3.12-1.el7ev.noarch
vdsm-4.30.29-2.el7ev.x86_64

Test Steps:

According to comment 8

Result:

No logging known (expected) sudo requests initiated by vdsm.

Bug is fixed, move status to "VERIFIED"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3017