Red Hat Bugzilla – Bug 715315
Audit remote client gets disk_error event from an auditd server instead of disk_full
Last modified: 2012-08-08 14:29:11 EDT
Description of problem:
Audit remote client gets disk_error event ack from the server when the disk is full on the server. This way the disk_error_action will be executed instead of configured disk_full_action.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. simulate full disk for audit.log to trigger disk_full_action
2. auditctl -m "we want to trigger disk_full_action"
disk_error_action is used instead of disk_full_action
disk_full_action shoudl be triggered as configured
I believe the problem is in write_to_log() function from src/auditd-event.c if statement (saved_errno == ENOSPC && fs_space_left == 1) where it fails on fs_space_left=0 and does not get to do_disk_full_action().
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update release.
This was addressed in audit-2.1.3-1.el6
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.