NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

audit.log rotation #44059

Open coretemp opened 6 years ago

coretemp commented 6 years ago

Issue description

It seems that the NixOS module doesn't export an option to configure rotation of /var/log/audit/audit.log in order to avoid server crashes due to out of disk space errors (or to use something different than the default (which on Red Hat apparently is 6MB)). Is that correct?

Technical details

Any NixOS version

aanderse commented 5 years ago

@coretemp I'm assuming you set up rsyslog or something? Coming from any other distro this can be a bit of a surprise when you see logs continually grow...

Generally the answer is that applications should be switched to log to journald, but in the case of rsyslog obviously that isn't the answer.

I'm putting some thought into this, hopefully for 19.03

https://discourse.nixos.org/t/nixos-19-03-feature-freeze/1950/6?u=aanderse

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

ljxfstorm commented 3 months ago

This issue remains in version 24.05. The auditd service enabled by security.auditd.enable is shipped without a config file (Config file /etc/audit/auditd.conf doesn't exist, skipping). As a result, it outputs logs to the default path /var/log/audit/audit.log without any log rotation, which will take up a lot of disk space over time. Additionally, there are no other options available for auditd except enable to change its behavior.

aanderse commented 3 months ago

> without any log rotation

as far as i understand the log will be rotated at something like 6mb (according to upstream docs and RHEL sources i searched)

that being said, though, this module could benefit from a settings option which allows the user to more easily configure the software


@ljxfstorm do you use this nixos module? and are you interested in enhancing it?

ljxfstorm commented 3 months ago

I have a continuously running VPS on NixOS 23.11 with security.auditd.enable = true since November 2023, and I found that the /var/log/audit/audit.log took up over 10GB last week after I upgraded it to 24.05. That's why I brought up this issue. If I'm not misunderstanding, according to src/auditd-event.c@audit-3.1.2, log rotation will occur only when config->num_logs > 1, and according to src/auditd-config.c@audit-3.1.2, the default value of config->num_logs is 0L. Therefore, the default action of auditd without a config file is no log rotation, and it's barely usable.

> @ljxfstorm do you use this nixos module? and are you interested in enhancing it?

I'm not a heavy Nix user; I use NixOS as an easy-to-migrate solution for VPS and am not capable of contributing to nixpkgs currently. Maybe I'll enhance it someday, but I'm hoping someone can fix it sooner.

aanderse commented 3 months ago

thanks for the info

leave it with me, i'll try to put this at a reasonable priority on my queue

aanderse commented 3 months ago

i had a chance to look into this a little bit the other night

the audit package has had a major version bump and appears to require a few changes... i suggest we entirely overhaul the services.audit and services.auditd modules and merge them into one when we do the major version bump... but this is probably a bit of a bigger job and requires more expertise with the audit stack than i currently have

so what do we do in the meantime? at this very moment i suggest you add this configuration to your server:

{ config, pkgs, lib, ... }:
{
  environment.etc."audit/auditd.conf".text = ''
    num_logs = 5
  '';
}

and then restart the auditd service


so who has experience with auditd in the 4.x series of releases? :thinking:
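
Added example, not part of the thread or of nixpkgs: a small Python check that reads the text of an auditd.conf and reports whether size-based rotation is spelled out explicitly. It uses the `num_logs` condition discussed above plus the `max_log_file` and `max_log_file_action` keys from auditd.conf(5). Treating a missing key as a finding is this example's own policy, since the thread only establishes the compiled-in default for `num_logs`; both sample configs are constructed.

```python
# Constructed sample configs (not taken from any real host).
WORKAROUND_ONLY = """\
# written via environment.etc."audit/auditd.conf".text
num_logs = 5
"""

EXPLICIT_ROTATION = """\
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
"""


def parse_auditd_conf(text):
    """Parse 'key = value' lines; keys are lower-cased, comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def rotation_findings(text):
    """Return reasons why size-based rotation is not explicitly configured."""
    s = parse_auditd_conf(text)
    findings = []
    num_logs = s.get("num_logs")
    # Rotation needs at least two log files (the num_logs > 1 condition).
    if num_logs is None or not num_logs.isdigit() or int(num_logs) < 2:
        findings.append("num_logs must be set to 2 or more for rotation")
    # Policy of this example: require the action to be stated, not assumed.
    if s.get("max_log_file_action", "").upper() != "ROTATE":
        findings.append("max_log_file_action is not explicitly ROTATE")
    size = s.get("max_log_file")
    if size is None or not size.isdigit() or int(size) == 0:
        findings.append("max_log_file (size in MB) is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND_ONLY), ("explicit", EXPLICIT_ROTATION)):
        print(name, rotation_findings(conf) or "rotation explicitly configured")
```

A config that sets only `num_logs` is reported with two findings here because the other two keys are left to auditd's built-in defaults, which this thread does not establish.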

martijnboers commented 3 months ago

I've tried setting up logrotate but set it to a week and don't know if it'll work yet.

I don't know how easy it is but adding a simple Wiki page on how to set up auditd with logrotate could be an idea?

aanderse commented 3 months ago

> I've tried setting up logrotate but set it to a week and don't know if it'll work yet.

great, let's see what happens

did you use SIGHUP as described by the upstream documentation?

> I don't know how easy it is but adding a simple Wiki page on how to set up auditd with logrotate could be an idea?

fantastic idea! are you willing to put your findings on http://wiki.nixos.org/?