From: Lev Serebryakov
Organization: FreeBSD
Date: Sun, 10 Jan 2016 02:00:52 +0300
To: freebsd-security@freebsd.org
Subject: Size of audit trace files: something changed between
Message-ID: <824588148.20160110020045@serebryakov.spb.ru>

Hello Freebsd-security,

I have /etc/security/audit_control configured to have 200M trace files and "audit -n" is scheduled to run twice a day, at 00:00 and 12:00.

Old trace files look OK (this is November 2015):

-r--r-----  1 root  audit  209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r-----  1 root  audit  209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135

It can be seen that these files are rotated at the 200M boundary. And the latest files are rotated very (too!) often:

-r--r-----  1 root  audit     102083 Jan  9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r-----  1 root  audit     471138 Jan  9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r-----  1 root  audit     283454 Jan  9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r-----  1 root  audit     189662 Jan  9 21:52 20160109185145.20160109185215.46.4.40.135

Small files are rotated every 30 seconds (!). It is very inconvenient, as there are A LOT of these small files!

The system is FreeBSD 10.2-STABLE #1 r286784: Fri Aug 14 21:40:59 MSK 2015, so it looks like it is not a regression in the system, as the November traces are OK!

--
Best regards,
 Lev                          mailto:lev@FreeBSD.org
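
An added example, not part of the original message: a short Python check that separates trails closed at the size limit from trails closed early, using the start and end timestamps embedded in each file name. The sizes and names are copied from the listing above; reading "200M" as 200 MiB and the function names are assumptions of this example.

```python
from datetime import datetime

LIMIT = 200 * 1024 * 1024   # "200M" from the message, read as 200 MiB (assumption)
STAMP = "%Y%m%d%H%M%S"      # timestamp layout seen in the trail file names

# (size in bytes, file name) pairs copied from the listing in the message.
LISTING = [
    (209715488, "20151116090000.20151116160510.46.4.40.135"),
    (209716086, "20151116160510.20151116175847.46.4.40.135"),
    (102083, "20160109185013.20160109185043.46.4.40.135"),
    (471138, "20160109185043.20160109185115.46.4.40.135"),
    (283454, "20160109185115.20160109185145.46.4.40.135"),
    (189662, "20160109185145.20160109185215.46.4.40.135"),
]

def lifetime(name):
    """Seconds between the start and end stamps in a trail name, or None
    when either field is not a timestamp (e.g. a trail still being written)."""
    parts = name.split(".")
    if len(parts) < 2:
        return None
    try:
        start = datetime.strptime(parts[0], STAMP)
        end = datetime.strptime(parts[1], STAMP)
    except ValueError:
        return None
    return int((end - start).total_seconds())

def classify(size, name, limit=LIMIT):
    """Return (kind, seconds): 'size' if the trail reached the limit,
    'early' if it was closed below it, 'open' if it has no end stamp."""
    secs = lifetime(name)
    if secs is None:
        return ("open", None)
    return ("size" if size >= limit else "early", secs)

def summarize(listing, limit=LIMIT):
    """Count size-triggered and early rotations and give the median early lifetime."""
    rows = [classify(size, name, limit) for size, name in listing]
    early = sorted(secs for kind, secs in rows if kind == "early")
    return {"size_rotations": sum(1 for kind, _ in rows if kind == "size"),
            "early_rotations": len(early),
            "median_early_secs": early[len(early) // 2] if early else None}

if __name__ == "__main__":
    for size, name in LISTING:
        print(name, size, *classify(size, name))
    print(summarize(LISTING))
```

On this listing the November trails come out as size-triggered and the January trails as early rotations with lifetimes of 30 to 32 seconds, so whatever closes them is acting on a timer or an explicit request, not on the size limit.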