Date:      Sun, 10 Jan 2016 02:00:52 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        freebsd-security@freebsd.org
Subject:   Size of audit trace files: something changed between
Message-ID:  <824588148.20160110020045@serebryakov.spb.ru>


Hello Freebsd-security,

  I have /etc/security/audit_control configured to have 200M trace files and
 "audit -n" is scheduled to run twice a day, at 00:00 and 12:00. Old trace
 files look OK (it is November 2015):

-r--r-----  1 root        audit  209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r-----  1 root        audit  209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135

 It can be seen that these files are rotated at the 200M boundary.

 And the latest files are rotated very (too!) often:

-r--r-----  1 root        audit     102083 Jan  9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r-----  1 root        audit     471138 Jan  9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r-----  1 root        audit     283454 Jan  9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r-----  1 root        audit     189662 Jan  9 21:52 20160109185145.20160109185215.46.4.40.135

 Small files are rotated every 30 seconds (!). It is very inconvenient, as
there are A LOT of these small files!

 The system is FreeBSD 10.2-STABLE #1 r286784: Fri Aug 14 21:40:59 MSK 2015, so
it looks like it is not a regression in the system, as the November traces are OK!

-- 
Best regards,
 Lev                          mailto:lev@FreeBSD.org
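A check for the symptom reported above, added here as an example and not part of the original message: it reads `ls -l` lines for audit trails, takes the start and end timestamps from each trail name, and reports trails that were closed both below the 200M limit and after a short lifetime. The one-hour `MIN_LIFETIME` threshold and all function names are assumptions; the sample lines are the ones from the message with the wrapped names rejoined.

```python
import re
from datetime import datetime

# Trail name layout seen in the listing above: <start>.<end>.<host suffix>
TRAIL_RE = re.compile(r"^(\d{14})\.(\d{14})\.(\S+)$")
FILESZ = 200 * 1024 * 1024  # the 200M limit from the message, in bytes
MIN_LIFETIME = 3600         # assumed threshold (seconds) for "rotated too soon"

# Listing lines from the message, wrapped file names rejoined.
SAMPLE = """\
-r--r-----  1 root        audit  209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r-----  1 root        audit  209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135
-r--r-----  1 root        audit     102083 Jan  9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r-----  1 root        audit     471138 Jan  9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r-----  1 root        audit     283454 Jan  9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r-----  1 root        audit     189662 Jan  9 21:52 20160109185145.20160109185215.46.4.40.135
"""


def parse_trail(line):
    """Return (name, size_bytes, lifetime_seconds) for one `ls -l` line, or None."""
    fields = line.split()
    if len(fields) < 9:
        return None
    m = TRAIL_RE.match(fields[-1])
    if not m:
        return None  # name lacks two timestamps, e.g. a trail that is still open
    start = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    end = datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    return fields[-1], int(fields[4]), int((end - start).total_seconds())


def early_rotations(listing, filesz=FILESZ, min_lifetime=MIN_LIFETIME):
    """Trails closed under the size limit AND sooner than min_lifetime.

    Requiring both conditions keeps the scheduled "audit -n" rotations,
    which legitimately close a trail below the limit, out of the report.
    """
    hits = []
    for line in listing.splitlines():
        rec = parse_trail(line)
        if rec and rec[1] < filesz and rec[2] < min_lifetime:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for name, size, secs in early_rotations(SAMPLE):
        print(f"{name}: {size} bytes after {secs}s ({size / FILESZ:.2%} of limit)")
```
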
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?824588148.20160110020045>