OpenStack-Ansible

rsyslog generates a lot of audit events

Bug #1577448 reported by Major Hayden
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack-Ansible
Fix Released
Low
Major Hayden

Bug Description

When deploying OSA with the security role enabled, the audit system logs lots of events about failed file accesses because of how rsyslog checks for existing files. This auditd rule should be disabled and deployers should have the opportunity to enable it.

Documentation should also be updated.

Major Hayden (rackerhacker)
Changed in openstack-ansible:
assignee: nobody → Major Hayden (rackerhacker)
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (master)

Fix proposed to branch: master
Review: https://review.openstack.org/311776

Changed in openstack-ansible:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (master)

Reviewed: https://review.openstack.org/311776
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=77b8b456ad5a47f82a374c6c2f868191f3507ab0
Submitter: Jenkins
Branch: master

commit 77b8b456ad5a47f82a374c6c2f868191f3507ab0
Author: Major Hayden <email address hidden>
Date: Mon May 2 20:21:58 2016 -0500

    Disable failed access auditd logging

    By default, the security role enables audit logging for failed file
    accesses. This causes lots of log lines due to the way that rsyslog
    looks for existing log files on the system.

    This patch disables the auditd rule by default and adds documentation
    for deployers so they know how to opt-in to the change.

    Release notes are included.

    Closes-bug: 1577448

    Change-Id: I9ce4a208f5b9f28a1f317cb25a8114b902f5cabb

Changed in openstack-ansible:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/312074

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-security (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/312075

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (stable/mitaka)

Reviewed: https://review.openstack.org/312074
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=c1b159c21ea6f24815b5bf49b2bb036137a56fd1
Submitter: Jenkins
Branch: stable/mitaka

commit c1b159c21ea6f24815b5bf49b2bb036137a56fd1
Author: Major Hayden <email address hidden>
Date: Tue May 3 10:45:33 2016 -0500

    Disable failed access auditd logging

    By default, the security role enables audit logging for failed file
    accesses. This causes lots of log lines due to the way that rsyslog
    looks for existing log files on the system.

    This patch disables the auditd rule by default and adds documentation
    for deployers so they know how to opt-in to the change.

    Release notes are included.

    Includes a fix from master to improve the documentation as well:
      https://review.openstack.org/#/c/312103/

    Closes-bug: 1577448

    Change-Id: I9ce4a208f5b9f28a1f317cb25a8114b902f5cabb
    (cherry picked from commit 77b8b456ad5a47f82a374c6c2f868191f3507ab0)

tags: added: in-stable-mitaka
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-security (liberty)

Reviewed: https://review.openstack.org/312075
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=8db2a8265abf470e753980849376a973507029dc
Submitter: Jenkins
Branch: liberty

commit 8db2a8265abf470e753980849376a973507029dc
Author: Major Hayden <email address hidden>
Date: Tue May 3 10:03:39 2016 -0500

    Disable failed access auditd logging

    By default, the security role enables audit logging for failed file
    accesses. This causes lots of log lines due to the way that rsyslog
    looks for existing log files on the system.

    This patch disables the auditd rule by default and adds documentation
    for deployers so they know how to opt-in to the change.

    Release notes are included.

    Includes a fix from master to improve the documentation as well:
      https://review.openstack.org/#/c/312103/

    Closes-bug: 1577448

    Change-Id: I9ce4a208f5b9f28a1f317cb25a8114b902f5cabb
    (cherry picked from commit 77b8b456ad5a47f82a374c6c2f868191f3507ab0)

tags: added: in-liberty
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-security 12.0.13

This issue was fixed in the openstack/openstack-ansible-security 12.0.13 release.

Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible-security 13.1.1

This issue was fixed in the openstack/openstack-ansible-security 13.1.1 release.

Revision history for this message
Thierry Carrez (ttx) wrote : Fix included in openstack/openstack-ansible-security 14.0.0.0b1

This issue was fixed in the openstack/openstack-ansible-security 14.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.