Problems with Audit

I did some digging on the problem I reported in this thread http://www.interworx.com/forums/showthread.php?t=1146

I checked the /var/log/audit.d directory and there were a few thousand 20 MB save.* files, which had basically filled up almost my entire disk space (> 50 gig worth).

I found this bug report at redhat https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130071

The audit was being suspended as per the updates required with this command

"/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%"

Which suspends audit, but it apparently also suspends cron execution when it happens…

Any idea how I can turn this off completely?

You can just remove audit from the system, bluesin:

yum remove audit

should do it.

Chris

Thanks Chris, do you see any area where I would need it? And would it possibly get reinstalled with an update?

We usually remove audit from our boxes; it’s resource intensive and, as you saw, can eat up some disk space too :). If you remove it, yum won’t update (re-add) it later on.

Chris

Is that the name of it, or is it laus? I get no matches for audit…

Do a:

rpm -qa | grep audit

and you’ll get a list of most/all things related to the audit subsystem.

Chris

Nothing for audit, I do get it for “laus”.

Chris, in the audit.conf file,

I changed this

notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";

to this
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 99% -N 'rm -f %f'";

Which should delete the latest save file. I also removed the “type = suspend” action from the action list, which should keep it from suspending audit, as my disk is definitely more than 1% used…

I think that should work…
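The post above handles the full-disk problem by having audbin remove the save file it has just written. A retention policy that a practitioner would more often want keeps a bounded amount of the newest audit history and discards the oldest saves first, so that a short window of audit trail survives while the disk stays under a budget. The script below is an added example written for this thread; it is not part of LAuS, audbin, or InterWorx, and the directory layout it assumes (save.* files under /var/log/audit.d) comes from the posts above. The sample directory it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread: size-bounded retention of LAuS save files.
# Not part of LAuS, audbin, or InterWorx. Assumes the layout from the
# thread: /var/log/audit.d/save.<n> files written by "audbin -S".
# Unlike the notify hook in the thread (-N 'rm -f %f', which removes the
# file audbin has just saved), this deletes the OLDEST saves first and
# stops as soon as the directory is back under a byte budget.

set -u

# Print the summed size in bytes of every save.* file in DIR (0 if none).
audit_save_usage() {
    dir=$1
    total=0
    for f in "$dir"/save.*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# Delete save.* files in DIR, oldest mtime first, until total usage is at
# or below BUDGET bytes. Prints the number of files removed.
# "ls -tr" lists oldest first; audbin's save.<n> names contain no
# whitespace, so word-splitting the listing is safe here.
prune_audit_saves() {
    dir=$1
    budget=$2
    removed=0
    for f in $(ls -tr "$dir"/save.* 2>/dev/null); do
        [ "$(audit_save_usage "$dir")" -le "$budget" ] && break
        rm -f "$f"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Constructed sample: five 1 KiB save files with increasing mtimes, so
# save.1 is the oldest and save.5 the newest (hypothetical data, not
# taken from a real audit.d directory).
make_sample_dir() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 5 ]; do
        dd if=/dev/zero of="$d/save.$i" bs=1024 count=1 2>/dev/null
        touch -t "200501010${i}00" "$d/save.$i"
        i=$((i + 1))
    done
    echo "$d"
}

# Demo: 5 KiB of saves, prune to a 3 KiB budget -> save.1 and save.2 go.
sample=$(make_sample_dir)
echo "before: $(audit_save_usage "$sample") bytes"
echo "removed: $(prune_audit_saves "$sample" 3072) files"
echo "after:  $(audit_save_usage "$sample") bytes; remaining: $(ls "$sample")"
rm -rf "$sample"
```

Run it from cron with the real directory and a budget sized to the partition, for example `prune_audit_saves /var/log/audit.d $((10 * 1024 * 1024 * 1024))`. Whatever is kept is still the only record of what the kernel audited on the box, so if the saves are deleted rather than shipped off-host, the retention window is also the forensic window.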

What distro are you running bluesin?

Red Hat Enterprise Linux ES release 3 (Taroon Update 4)…

FYI, for anyone interested, I just changed this to

notify = "/usr/sbin/audbin -C"

Which just clears the audit log file without saving it at all…