Size of audit trace files: something changed between
Lev Serebryakov
lev at FreeBSD.org
Sat Jan 9 23:01:02 UTC 2016
Hello Freebsd-security,
I have /etc/security/audit_control configured to have 200M trace files and
"audit -n" is scheduled to run twice a day, at 00:00 and 12:00. Old trace
files look OK (it is November 2015):
-r--r----- 1 root audit 209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r----- 1 root audit 209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135
It can be seen that these files are rotated at the 200M boundary.
And latest files are rotated very (too!) often:
-r--r----- 1 root audit 102083 Jan 9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r----- 1 root audit 471138 Jan 9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r----- 1 root audit 283454 Jan 9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r----- 1 root audit 189662 Jan 9 21:52 20160109185145.20160109185215.46.4.40.135
Small files are rotated every 30 seconds (!). It is very inconvenient, as
there are A LOT of these small files!
The system is FreeBSD 10.2-STABLE #1 r286784: Fri Aug 14 21:40:59 MSK 2015, so
it looks like it is not a regression in the system, as the November traces are OK!
--
Best regards,
Lev mailto:lev at FreeBSD.org
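
Added example, not part of the original message: a Python sketch that parses the `ls -l` lines quoted above and separates trails closed at the size limit from trails closed early, using the start and end timestamps embedded in each file name. It assumes the `<start>.<end>.<host>` naming seen in the listing and that "200M" means 200 MiB; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: the listing lines quoted in the message above.
LISTING = """\
-r--r----- 1 root audit 209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r----- 1 root audit 209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135
-r--r----- 1 root audit 102083 Jan 9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r----- 1 root audit 471138 Jan 9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r----- 1 root audit 283454 Jan 9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r----- 1 root audit 189662 Jan 9 21:52 20160109185145.20160109185215.46.4.40.135
"""

SIZE_LIMIT = 200 * 1024 * 1024  # assumption: "200M" in the message means 200 MiB
STAMP = "%Y%m%d%H%M%S"

# size, month, day, time, then <start>.<end>.<host> as shown in the listing
LINE_RE = re.compile(
    r"\s(\d+)\s+\w{3}\s+\d+\s+[\d:]+\s+((\d{14})\.(\d{14})\.\S+)$"
)

def parse_listing(text):
    """Return one dict per trail file; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        start = datetime.strptime(m.group(3), STAMP)
        end = datetime.strptime(m.group(4), STAMP)
        rows.append({
            "name": m.group(2),
            "size": int(m.group(1)),
            "seconds": int((end - start).total_seconds()),
        })
    return rows

def early_rotations(rows, limit=SIZE_LIMIT):
    """Trails closed before reaching the size limit, i.e. not rotated by size."""
    return [r for r in rows if r["size"] < limit]

if __name__ == "__main__":
    for r in parse_listing(LISTING):
        reason = "early" if r["size"] < SIZE_LIMIT else "size limit"
        print(f'{r["name"]}  {r["size"]:>10} bytes  {r["seconds"]:>6} s  {reason}')
```
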