
consider max_log_file == 0 as unlimited

Open ematsumiya opened this issue 3 years ago • 8 comments

If config file has, for example:

```
max_log_file = 0             # or unset
max_log_file_action = ROTATE # or KEEP_LOGS
num_logs = 100
```

auditd will rotate the logs with a single event on it, sometimes even with no events at all, creating @num_logs rotated logs on disk.

If both max_log_file and num_logs are 0 or unset, this bug doesn't happen; a single log file is created and appended to indefinitely.

This patch makes auditd consider that when max_log_file is 0 or unset in the config file, the log file shall grow unlimitedly, leaving any size checks and actions for space_left/disk_full, just as in the situation mentioned right above.

Signed-off-by: Enzo Matsumiya [email protected]

ematsumiya avatar Feb 03 '22 00:02 ematsumiya
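A configuration check for the combination described in the issue, added here as an example and not code from audit-userspace or the issue author: it parses auditd.conf syntax and flags max_log_file = 0 (or unset) paired with ROTATE or KEEP_LOGS. The sample configuration is constructed, and treating a missing max_log_file_action as "no size action" is an assumption of this check, not auditd's actual built-in default.

```python
# Constructed sample auditd.conf reproducing the combination from the issue.
SAMPLE_CONF = """\
# auditd.conf (constructed sample, not a real deployment)
log_file = /var/log/audit/audit.log
max_log_file = 0
max_log_file_action = ROTATE
num_logs = 100
space_left = 75
space_left_action = SYSLOG
disk_full_action = SUSPEND
"""

# Size actions auditd accepts for max_log_file_action.
SIZE_ACTIONS = {"ignore", "syslog", "suspend", "rotate", "keep_logs"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line; skipped here, auditd itself would reject it
        conf[key.strip().lower()] = value.strip()
    return conf


def check_log_size_policy(conf):
    """Return findings about the max_log_file / max_log_file_action pair.

    Encodes the behaviour reported in the issue: with max_log_file unset or 0
    and a size action of ROTATE or KEEP_LOGS, auditd rotates on almost every
    event and fills the directory with num_logs tiny files.
    """
    findings = []
    raw_size = conf.get("max_log_file", "0")  # unset behaves like 0 (per the issue)
    if not raw_size.isdigit():
        return [f"max_log_file has a non-numeric value {raw_size!r}"]
    action = conf.get("max_log_file_action")  # assumption: missing = no size action
    if action is None:
        return findings
    action = action.lower()
    if action not in SIZE_ACTIONS:
        findings.append(f"unknown max_log_file_action {action!r}")
    elif int(raw_size) == 0 and action in ("rotate", "keep_logs"):
        findings.append(
            f"max_log_file is 0/unset with max_log_file_action = {action.upper()}: "
            "auditd rotates on (nearly) every event; set max_log_file_action = "
            "IGNORE and rely on space_left/disk_full to bound disk usage"
        )
    return findings
```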

@stevegrubb got a chance to review this one? Thanks!

ematsumiya avatar Apr 06 '22 16:04 ematsumiya

Ping.

ematsumiya avatar May 05 '22 20:05 ematsumiya

Normally when we change a behavior like this, we need to also update the man page entry for the config item.

stevegrubb avatar May 26 '22 21:05 stevegrubb

Looking through the code, don't you get the same effect with: max_log_file_action = ignore?

stevegrubb avatar May 26 '22 21:05 stevegrubb

@stevegrubb Yes, you're right. As stated in the commit message, this only occurs with those setting combinations. Our customer simply removed the "max_log_file" line from the default auditd.conf and expected that there would be no logfile size checks, hence this patch. So effectively, yes, this patch makes "max_log_file = 0" or an auditd.conf without a max_log_file entry act like "max_log_file_action = ignore".

I can update the man page if this is approved. Thanks.

ematsumiya avatar May 26 '22 21:05 ematsumiya

Well, I'd rather not make 2 ways to do the same thing. It gets confusing for people. For example, we used to allow any order for the filter and action in audit rules: -a exit,always or -a always,exit. It really didn't matter. But it confused people. They didn't understand that order didn't matter. They wanted one way to do it so they know the syntax is right. So, I locked it down and the confusion went away.

stevegrubb avatar May 27 '22 18:05 stevegrubb

I think it's time to close this out. Thanks for pointing out this issue. Do you think we should amend the documentation to better highlight the max_log_file_action = ignore way to let logs grow unconditionally?

stevegrubb avatar Aug 01 '22 18:08 stevegrubb

> I think it's time to close this out. Thanks for pointing out this issue. Do you think we should amend the documentation to better highlight the max_log_file_action = ignore way to let logs grow unconditionally?

That would be good, thanks. Feel free to close this.

ematsumiya avatar Aug 01 '22 19:08 ematsumiya