Description of problem: When auditd suspend logging by admin_space_left_action, auditd does not recover from suspend even after delete files in partition and enough free disk space. Version-Release number of selected component (if applicable): audit-1.0.15-3.EL4 audit-libs-devel-1.0.5-3.EL4 audit-libs-1.0.15-3.EL4 How reproducible: make a junk file to use disk space near to admin_space_left limit is active. Do something to create audit log. Wait a minutes for logging to be suspended. auditd claims 'Audit daemon is suspending logging due to no space left on logging partition'. After then, you can see deleting junk file, and 'service auditd reload' doesn't affect the suspend status. Steps to Reproduce: 1. set admin_space_left_action=SUSPEND in /etc/auditd.conf 2. while [ 0 ]; do date > /dev/null ; done 3. tail -f /var/log/messages 4. after find suspend message, try some. Actual results: There isn't good way to recover from suspend. Expected results: Some signal or changing of partition free size should be a chance to restart logging.
easy fix, scheduling for 4.7.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
audit-1.0.16-1 was built to solve this problem.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0731.html