Issue with running Linux Audit System in a nested Virtual Machine inside Google Cloud Engine

punnal baloch

Jun 2, 2021, 3:06:17 AM
to gce-discussion
I am trying to run the Linux Audit System in a nested virtual machine on Google Cloud Engine. The problem I am facing is that the Linux Audit System suspends after showing the following error after a few minutes when I view the auditd status.

----------------------------------------------------------------------------------------------------
16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon has no space left on logging partition
16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon is suspending logging due to no space left on logging partition
----------------------------------------------------------------------------------------------------

I checked using the df -h command and found out that there was around 6GB of free space on the logging partition, so I did not understand why this error is occurring. Can you provide me a solution? Could this be because of nested virtualization?

Below is my auditd.conf:
----------------------------------------------------------------------------------------------------
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 24
num_logs = 50
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = keep_logs
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
----------------------------------------------------------------------------------------------------

Below are my parameters in the audit.rules file:
----------------------------------------------------------------------------------------------------
## First rule - delete all
-D

## Buffer size
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1
----------------------------------------------------------------------------------------------------
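
An added example, not part of any post in this thread: a check that reads the space thresholds from auditd.conf and compares them with the space available on the filesystem that holds log_file. It assumes space_left and admin_space_left are plain megabyte counts, as in the file posted above; the function names are illustrative.

```python
import os

# Constructed sample: the space-related lines of the auditd.conf posted above.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def free_mb(path):
    """Megabytes available to non-root writers on the filesystem holding path."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize // (1024 * 1024)

def evaluate(conf, free):
    """Return (state, configured action) for `free` megabytes available.

    Assumption: thresholds are plain megabyte counts, as in the posted file;
    this approximates the daemon's own check, it does not replace it.
    """
    if free < 1:
        return "disk_full", conf.get("disk_full_action", "UNSET").upper()
    for key in ("admin_space_left", "space_left"):  # most severe first
        if key in conf and free < int(conf[key]):
            return key, conf.get(key + "_action", "UNSET").upper()
    return "ok", "NONE"

if __name__ == "__main__":
    path = "/etc/audit/auditd.conf"
    conf = parse_conf(open(path).read() if os.access(path, os.R_OK) else SAMPLE_CONF)
    target = os.path.dirname(conf["log_file"])
    target = target if os.path.isdir(target) else "/"  # fallback when run off-host
    free = free_mb(target)
    print(f"{target}: {free} MB available -> {evaluate(conf, free)}")
```

Run it inside the machine where auditd runs, so that the filesystem measured is the one auditd writes to.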

Ruben (Google Cloud Support)

Jun 4, 2021, 10:44:57 AM
to gce-discussion
Hello, 

Could you please clarify what image of Linux you are using? Or are you using custom images?

Have a nice day!

punnal baloch

Jun 6, 2021, 10:29:39 AM
to gce-discussion
I am using a custom image (Ubuntu-16) because I needed nested virtualization support.

Derek Murphy

Jun 7, 2021, 4:16:45 PM
to gce-discussion

I do believe that this issue that you have presented here would best be answered on the ServerFault community channel. As a point of interest I would like to mention that you could try one of Google’s standard images[1] to see if the issue persists. This could lead you to determine if the issue is your custom image. 


I hope this helps.


[1] Tested operating systems: https://cloud.google.com/compute/docs/instances/nested-virtualization/overview#tested_operating_systems
