usg-cisbenchmark: auditd shuts down machine if disk is full but there's no retention set
Bug #1878773 reported by Gábor Mészáros
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Security Certifications | Opinion | Wishlist | Richard Maciel Costa |
Bug Description
According to usg-cisbenchmark Section 4, it is required to power off nodes when disk runs out of space.
Currently the audit partition will eventually be filled up by storing logs there, as there is no retention set to rotate them.
It exposes a risk that nodes will go down for no apparent reason (hard to check df or logs if the machine powers off right after boot).
The suggestion is to use logrotate or a custom cron.d job to limit exposure to this issue.
Changed in ubuntu-security-certifications:
assignee: nobody → Richard Maciel Costa (richardmaciel)
Changed in ubuntu-security-certifications:
status: New → Incomplete
Rule 4.1.1.1 configures the max audit log file size. After it reaches that size, audit logs get rotated, according to the max_log_file_action parameter (also set by rule 4.1.1.1).
Now, the log from rsyslogd is rotated per the /etc/logrotate.d/rsyslog configuration file. That file is provided by the rsyslog package.
So based on those two facts, it looks like the suggestions provided by the bug reporter are already in place. If that isn't the case, please provide more information.
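A check that ties the two settings named above (max_log_file / max_log_file_action) to the halt-on-full behaviour the reporter worries about. This is an added example, not code from the bug report or from usg-cisbenchmark; it parses a constructed auditd.conf and assumes the audit log directory sits on its own partition whose size is passed in MB.

```python
"""Flag an auditd.conf whose admin_space_left_action=halt can fire because
audit log growth is not bounded by max_log_file_action/num_logs."""

# Constructed sample resembling a hardened /etc/audit/auditd.conf (not from the page).
SAMPLE_CONF = """
log_file = /var/log/audit/audit.log
max_log_file = 8                # MB per log file
max_log_file_action = keep_logs # rotate files but never delete old ones
num_logs = 5                    # only honoured when the action is 'rotate'
space_left = 75
space_left_action = email
admin_space_left = 50           # MB (or N% in newer auditd) free before halting
admin_space_left_action = halt
"""


def parse_auditd_conf(text):
    """Return {key: value} from 'key = value' lines; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def assess_audit_storage(conf, partition_mb):
    """Return (worst_case_log_set_mb or None if unbounded, list of findings)."""
    findings = []
    action = conf.get("max_log_file_action", "ignore").lower()
    max_mb = int(conf.get("max_log_file", "0"))
    num_logs = int(conf.get("num_logs", "0"))
    raw_threshold = conf.get("admin_space_left", "0")
    # admin_space_left may be an absolute MB figure or a percentage of the partition.
    threshold_mb = (partition_mb * int(raw_threshold.rstrip("%")) / 100
                    if raw_threshold.endswith("%") else int(raw_threshold))
    halts = conf.get("admin_space_left_action", "").lower() == "halt"

    if action == "rotate" and num_logs > 0:
        bound = max_mb * num_logs  # at most num_logs files of max_log_file MB stay on disk
    else:
        bound = None  # keep_logs / ignore / syslog: the log set keeps growing
    if halts and bound is None:
        findings.append("admin_space_left_action=halt with unbounded audit log growth: "
                        "the node will eventually halt unless logs are pruned externally")
    elif halts and partition_mb - bound <= threshold_mb:
        findings.append(f"rotation cap {bound} MB leaves <= {threshold_mb} MB free on a "
                        f"{partition_mb} MB partition, so the halt threshold is reachable")
    return bound, findings
```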