OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.
This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if the "host" parameter has not been defined.
How-To-Repeat: Add the following:
...in /etc/security/audit_control as well as some expiration limit
Produce enough audit records to reach the expiration limit.
You will notice that nothing gets expired. /var/audit will grow
An alternative fix would be to change the filename length check to
if (dp->d_namlen < (FILENAME_LEN - 1) ||
In that case the expiration routine would also expire trails without
the "host" part after the "host" parameter has been added to audit_control,
and if the "host" parameter has been changed so that it has a
different length than previously.
Up to the maintainer to decide which matching method is better.
I would probably go with this one instead of my original patch.
Janne Snabb / EPIPE Communications
email@example.com - http://epipe.com/
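
The two file-name filters discussed in this report, side by side, as an added example that is not part of the original report or of the OpenBSM source. Assumptions: trail names have the form start.end with an optional .host suffix and 14-character timestamps, the existing check is modelled as an exact-length comparison (the original line is not shown on this page), and all file names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed trail name layout: YYYYMMDDhhmmss.YYYYMMDDhhmmss[.host] */
#define POSTFIX_LEN  14                       /* one timestamp */
#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)  /* two stamps, '.', NUL */

/* Modelled existing filter (assumption): name must be exactly start.end. */
static int match_exact(const char *name)
{
    return strlen(name) == (size_t)(FILENAME_LEN - 1) &&
        name[POSTFIX_LEN] == '.';
}

/* Relaxed filter from the follow-up: skip only names that are too short. */
static int match_relaxed(const char *name)
{
    return !(strlen(name) < (size_t)(FILENAME_LEN - 1) ||
        name[POSTFIX_LEN] != '.');
}

/* Count directory entries a filter would hand on to the expiry logic. */
static int count_candidates(const char *const names[], int n,
    int (*match)(const char *))
{
    int i, hits = 0;

    for (i = 0; i < n; i++)
        hits += match(names[i]);
    return hits;
}

/* Constructed directory listing, not taken from a real system. */
static const char *const sample[] = {
    "20140101000000.20140102000000",              /* no "host" set */
    "20140102000000.20140103000000.audit1",       /* "host" set */
    "20140103000000.20140104000000.audit-host-2", /* "host" changed */
    "current",                                    /* not a trail name */
};

int main(void)
{
    printf("exact:   %d of 4 considered\n",
        count_candidates(sample, 4, match_exact));
    printf("relaxed: %d of 4 considered\n",
        count_candidates(sample, 4, match_relaxed));
    return 0;
}
```
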
For bugs matching the following criteria:
Status: In Progress Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags.
Mail being skipped