Bug 191476 - user root can't login
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
All Linux
medium Severity medium
Assigned To: Jason Vas Dias
Jay Turner
Reported: 2006-05-12 08:07 EDT by Peter Schoenholzer
Modified: 2015-01-07 19:12 EST
Doc Type: Bug Fix
Last Closed: 2006-06-07 17:52:26 EDT

Description Peter Schoenholzer 2006-05-12 08:07:44 EDT
Description of problem:

The partition /var on the server is about 84% full.
All applications work fine.
The user root can't login.
After a power off and on the server starts and works fine.
User root can login.

In the file /var/log/messages I see:

May  5 21:47:03 dominica modprobe: modprobe: Can't locate module block-major-111
May  5 21:47:03 dominica last message repeated 15 times
May  6 07:50:11 dominica audbin[20748]: saving binary audit log /var/log/audit.d/bin.1
May  6 07:50:11 dominica audbin[20748]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 18.49%
May  6 07:50:11 dominica auditd[1057]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% exited with status 1
May  6 07:50:11 dominica auditd[1057]: output error
May  6 07:50:11 dominica auditd[1057]: output error
May  6 07:50:11 dominica auditd[1057]: output error; suspending execution
May  8 08:38:56 dominica syslogd 1.4.1: restart.
May  8 08:38:56 dominica syslog: syslogd startup succeeded
May  8 08:38:56 dominica kernel: klogd 1.4.1, log source = /proc/kmsg started.

Version-Release number of selected component (if applicable):

How reproducible:

I see the problem on two machines in one week.

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Jason Vas Dias 2006-06-07 17:52:26 EDT
The Linux Audit Subsystem (LAuS) was enabled by default for RHEL-3 systems
pre-U5, which in retrospect appears to have been a mistake - systems 
clean-installed from a RHEL-3-U5 or later do not have the audit system 
enabled by default.

The 'audit' service will maintain logs of all auditable events and system calls
occurring on the system in /var/log/audit.d/*.

Once the free disk space under /var/log/audit.d/ falls below a threshold 
configurable in /etc/audit/audit.conf:
  notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";
audit will be unable to create further disk logs and will enter the state
configurable in /etc/audit.conf, which is by default:
       error {
                action {
                        type = suspend;
You can stop LAuS putting the system into suspend mode when it is unable 
to write audit logs by removing the 'action { type=suspend; }' clause 

If you do not want to enable auditing on your system, then simply:
  # chkconfig --level=0123456 audit off
and reboot; no more logs will be created and nothing else depends 
on audit being enabled - this is the default for post-U5 clean-installed

Or, if you want to continue running with audit enabled, you can adjust the
threshold in /etc/audit/audit.conf:
  notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 1%";
or make audbin delete the old log files by default so that the default is
never reached:
  notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 10% \
                     -N '/bin/rm -f %f'";
or move old log files to a different location:
  notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 10% \
                     -N '/bin/mv -f %f /another_partition/'";
or process old log files with some script:
  notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 10% \
                     -N '/bin/my_audit_log_rotation_script %f'";

Systems which are to be audited must not allow the system to be used if 
auditing is not possible - this is demanded by the audited system 
certification requirements, and is the way LAuS is designed to operate.

You do not need to enable audit by default - if you don't require auditing,
just disable the 'audit' service as described above.

If you do enable auditing, you need to configure a mechanism for rotation
of log files so that the audit logs do not exhaust the free space on the
audit log directory partition. As shown above, LAuS provides many flexible
mechanisms with which to do this, which are fully documented in the man-pages:
audit.conf(5), audit(4), laus(7), audbin(1).

Hence, this is 'NOTABUG' - the audit daemon was only doing what it was
told to do by the site configuration and was behaving as designed.
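
Added example, not part of the original bug report or of LAuS: a Python check that scans syslog lines for the sequence quoted in the description (audbin's threshold warning, the failed notify command, then auditd suspending) and reports each suspend with the context logged before it. The function name and the regular expressions are assumptions derived from the log lines quoted in this bug.

```python
import re

# Log lines from the bug description above, with wrapped lines rejoined.
SAMPLE = """\
May  5 21:47:03 dominica modprobe: modprobe: Can't locate module block-major-111
May  6 07:50:11 dominica audbin[20748]: saving binary audit log /var/log/audit.d/bin.1
May  6 07:50:11 dominica audbin[20748]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 18.49%
May  6 07:50:11 dominica auditd[1057]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% exited with status 1
May  6 07:50:11 dominica auditd[1057]: output error
May  6 07:50:11 dominica auditd[1057]: output error; suspending execution
May  8 08:38:56 dominica syslogd 1.4.1: restart.
"""

# Classic syslog prefix: timestamp, host, program (optional version and pid).
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?: [\d.]+)?(?:\[\d+\])?: (?P<msg>.*)$")
THRESH = re.compile(
    r"threshold (?P<limit>[\d.]+) exceeded for filesystem (?P<fs>\S+)"
    r" - free blocks down to (?P<free>[\d.]+)%")
NOTIFY = re.compile(r"Notify command (?P<cmd>.+) exited with status (?P<rc>\d+)")


def find_audit_suspends(lines):
    """Return one finding per auditd suspend, with the context logged before it."""
    state, findings = {}, []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        ctx = state.setdefault(host, {})
        if prog == "audbin" and (t := THRESH.search(msg)):
            ctx.update(fs=t["fs"], limit=float(t["limit"]), free=float(t["free"]))
        elif prog == "auditd" and (n := NOTIFY.search(msg)):
            ctx["notify_rc"] = int(n["rc"])
        elif prog == "auditd" and "suspending execution" in msg:
            findings.append({"host": host, "suspended_at": m["ts"], **ctx})
            state[host] = {}
        elif prog == "syslogd" and msg.startswith("restart"):
            state[host] = {}  # reboot: earlier context no longer applies
    return findings


if __name__ == "__main__":
    for finding in find_audit_suspends(SAMPLE.splitlines()):
        print(finding)
```

A threshold warning with no later suspend produces no finding, so the same parser can be extended to alert on the warning alone before the system locks out logins.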
