Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-20-2010, 06:00 PM   #1
jaypas
LQ Newbie
Audit daemon is not suspending when /var partition is full


Hi, all,
I ran a test where I filled up the /var partition. The disk_full_action in auditd.conf is SUSPEND. I was expecting to see a message in /var/log/messages to indicate that the audit daemon was suspended because it did not have any space left on the partition. Why didn't I get these messages? Also, how can I tell if the audit daemon is suspended?
Thanks,
Jaypas
 
Old 08-21-2010, 04:46 AM   #2
unSpawn
Moderator
- Which distribution, release and patch version?
- Which kernel version?
- Which Auditd version?
- Which auditd.conf? ('grep -v ^# /etc/audit/auditd.conf|grep .;')
- Which /var/log/audit/audit.log messages?
- Which /var/log/messages messages?
- Which test method?

 
Old 08-23-2010, 09:52 AM   #3
jaypas
LQ Newbie
The distribution is RHEL 5.4, kernel version 2.6.18-164.

The test I ran was to create a file that would fill the /var partition. And the expectation was that the audit daemon would write a message to /var/log/messages to indicate that it was suspending because it has no space left (disk_full_action=SUSPEND).

I ran this test last Thursday. And it worked ok. After I ran the test, I deleted the big file that was created to fill the /var partition.

After I deleted the big file, I thought that the audit daemon would resume working and logging auditable events. The next day (Friday), I tried to repeat the test. I created the file to fill the /var partition. I looked in /var/log/messages for the indication that the audit daemon suspended. I didn't see the message. Further investigation showed that nothing was being logged in the audit log. So, my conclusion was that it was still suspended since Thursday. I restarted the auditd. Now I'm getting events logged into the audit log. I will repeat the test. I'm pretty sure it will work.

I just have a couple of questions:
Can you explain how to find out what the auditd version is?
Also, how can I tell that auditd is suspended?

Thanks,
Jaypas
 
Old 08-23-2010, 05:30 PM   #4
unSpawn
Moderator
Quote:
Originally Posted by jaypas
how can I tell that auditd is suspended?
Syslog shows the "Audit daemon has no space left on logging partition" and "Audit daemon is suspending logging due to no space left on logging partition" messages. Resuming ('man auditd') requires a 'pkill -USR2 -f auditd' after which syslog will show the "Auditd daemon is attempting to resume logging." and audit.log "auditd resuming logging, sending auid=? pid=? subj=? res=success" message.


Quote:
Originally Posted by jaypas
Can you explain how to find out what the auditd version is?
'rpm -q auditd'.
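Turning the answer above into a check, as an added example that is not part of the thread: it scans a /var/log/messages-style file for the suspend and resume messages unSpawn quotes and reports which state auditd logging is in, plus the free space on the logging partition. The sample syslog lines, hostname and pid are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts: decide from
# syslog whether auditd suspended logging (disk_full_action = SUSPEND) and has
# not yet been resumed, keyed on the messages unSpawn quotes above.

# Print "suspended", "resumed" or "unknown" for the syslog file given as $1,
# according to whichever suspend/resume message appeared last in the file.
auditd_log_state() {
    awk '
        /Audit daemon is suspending logging due to no space left/ { state = "suspended" }
        # matches both the "Audit daemon" and "Auditd daemon" spellings
        /daemon is attempting to resume logging/                  { state = "resumed" }
        END { if (state == "") state = "unknown"; print state }
    ' "$1"
}

# Free space in KiB on the filesystem holding $1 (e.g. /var/log/audit); worth
# checking alongside the state, since SUSPEND never resumes on its own.
free_kb_for() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Constructed sample syslog lines (hostname and pid are made up) mirroring what
# the thread says auditd writes to /var/log/messages.
SAMPLE_SUSPEND='Aug 19 14:02:11 host auditd[1234]: Audit daemon has no space left on logging partition
Aug 19 14:02:11 host auditd[1234]: Audit daemon is suspending logging due to no space left on logging partition'
SAMPLE_RESUME='Aug 20 09:15:03 host auditd[1234]: Audit daemon is attempting to resume logging.'

# Walk the constructed sample through both states; $1 optionally names the
# directory whose free space to report (defaults to /).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SUSPEND" > "$tmp"
    echo "after suspend message: $(auditd_log_state "$tmp")"
    printf '%s\n' "$SAMPLE_RESUME" >> "$tmp"
    echo "after resume message:  $(auditd_log_state "$tmp")"
    echo "free KiB on ${1:-/}: $(free_kb_for "${1:-/}")"
    rm -f "$tmp"
}

demo "$@"
```

On a live box, run `auditd_log_state /var/log/messages`; a result of "suspended" with auditd still in the process list is exactly the state jaypas describes, and only the SIGUSR2 from the answer above clears it.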
 
Old 08-24-2010, 10:01 AM   #5
jaypas
LQ Newbie
Thanks for your help.