Hello Freebsd-security,

  I have /etc/security/audit_control configured to have 200M trace files and
 "audit -n" is scheduled to run twice a day, at 00:00 and 12:00. Old trace
 files look OK (it is November 2015):

-r--r-----  1 root        audit  209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r-----  1 root        audit  209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135

 It can be seen that these files are rotated at the 200M boundary.

 And latest files are rotated very (too!) often:

-r--r-----  1 root        audit     102083 Jan  9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r-----  1 root        audit     471138 Jan  9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r-----  1 root        audit     283454 Jan  9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r-----  1 root        audit     189662 Jan  9 21:52 20160109185145.20160109185215.46.4.40.135

 Small files are rotated every 30 seconds (!). It is very inconvenient, as
there are A LOT of these small files!

 The system is FreeBSD 10.2-STABLE #1 r286784: Fri Aug 14 21:40:59 MSK 2015, so
it looks like it is not a regression in the system, as the November traces are OK!

-- 
Best regards,
 Lev                          mailto:[email protected]
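
An added example, not part of the original message: a small Python check that reads the start and end timestamps encoded in each trail file name from the listings above and reports how long each trail stayed open and whether its size reached the configured limit. It assumes the names follow the start.end.host pattern visible in the listing and that 200M means 200 * 1024 * 1024 bytes; the function names are hypothetical.

```python
from datetime import datetime

# Assumption: "200M" in audit_control is 200 * 1024 * 1024 bytes.
FILESZ = 200 * 1024 * 1024
STAMP = "%Y%m%d%H%M%S"

# Constructed sample: (size, name) pairs copied from the listings in the post.
TRAILS = [
    (209715488, "20151116090000.20151116160510.46.4.40.135"),
    (209716086, "20151116160510.20151116175847.46.4.40.135"),
    (102083, "20160109185013.20160109185043.46.4.40.135"),
    (471138, "20160109185043.20160109185115.46.4.40.135"),
    (283454, "20160109185115.20160109185145.46.4.40.135"),
    (189662, "20160109185145.20160109185215.46.4.40.135"),
]

def parse_trail(name):
    """Split 'start.end.host' into (start, end, host); end is None if not a timestamp."""
    start, end, *rest = name.split(".", 2)
    host = rest[0] if rest else ""
    begin = datetime.strptime(start, STAMP)
    # A trail still being written has no end timestamp in its name.
    finish = datetime.strptime(end, STAMP) if end.isdigit() else None
    return begin, finish, host

def classify(size, name, filesz=FILESZ):
    """Return (seconds_open, reason); reason is 'size', 'other' or 'open'."""
    begin, finish, _ = parse_trail(name)
    if finish is None:
        return None, "open"
    seconds = int((finish - begin).total_seconds())
    # 'size' means the file reached the limit; 'other' means something
    # else (audit -n, an expiry rule, a restart) closed it early.
    return seconds, ("size" if size >= filesz else "other")

def report(trails=TRAILS):
    return [(name,) + classify(size, name) for size, name in trails]

if __name__ == "__main__":
    for name, seconds, reason in report():
        print(f"{name}  open={seconds}s  rotated_by={reason}")
```

Run against the sample, the two November trails come out as size-triggered rotations, while the January trails close after roughly 30 seconds each, far below the size limit and far more often than the twice-daily "audit -n".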
