From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Recovery when disk_full_action=HALT
Date: Thu, 16 Apr 2015 10:49:15 -0400
Message-ID: <3725524.slq1ogivl5@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, April 16, 2015 08:29:23 AM Andrew Ruch wrote:
> Hello,
>
> We have a RHEL6 system with the disk_full_action set to HALT. I'm
> working on procedures for what to do if this case occurs. When the log
> partition fills up, the system shuts down. However, the system will
> not boot after this because as soon as auditd tries to start, the
> system immediately shuts down again. What are the options for
> recovering after this happens? I've come up with two:

Normally, I would think that system maintenance for a situation like this is
to boot the computer into Single User Mode. You should have switched the
system over to using sulogin as the shell for single user mode. This way it's
password protected. Then once in, do what you need to archive and make room
again.

> 1) Stop the boot process at grub and disable audit by adding a kernel
> parameter 'audit=0'.

If you don't use single user mode, then there is the risk of someone doing
something while the audit system can't record anything. You probably don't
want that possibility either.

> 2) If grub timeout is 0, use a live CD to access the audit partition.

This would work also, but Single User Mode is so much easier. :-)

> I'm sure there are some variations on option 1 using an interactive
> boot. Are there any other options I missed, especially if grub timeout
> has been set to 0?

I wouldn't set it to 0. You can make it short like 2 or 3. But you need to be
able to get into the editor to tell it 'S' for single user mode.

-Steve
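
Added example, not part of the original message: a shell check that the recovery path described above is still available before the log partition fills, i.e. that single user mode runs sulogin and the grub timeout is not 0 when disk_full_action is HALT. The function names, the SINGLE= setting in /etc/sysconfig/init and the file locations are assumptions based on RHEL 6 defaults; the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed RHEL 6 locations of the real
# files: /etc/audit/auditd.conf, /etc/sysconfig/init, /boot/grub/grub.conf.

# get_setting FILE KEY: print the last uncommented value of KEY, accepting
# "key = value", "key=value" and legacy-GRUB "key value".
get_setting() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " "); if ($1 == k) v = $2 }
        END { print v }' "$1"
}

# check_recovery AUDITD_CONF INIT_CONF GRUB_CONF
# Prints one line per finding and returns the number of findings.
check_recovery() {
    findings=0
    action=$(get_setting "$1" disk_full_action | tr '[:lower:]' '[:upper:]')
    if [ "$action" != "HALT" ]; then
        echo "INFO: disk_full_action=${action:-unset}; halt-on-full recovery does not apply"
        return 0
    fi
    single=$(get_setting "$2" SINGLE)
    if [ "$single" != "/sbin/sulogin" ]; then
        echo "FAIL: single user mode shell is ${single:-unset}, not /sbin/sulogin"
        findings=$((findings + 1))
    fi
    timeout=$(get_setting "$3" timeout)
    if [ "$timeout" = "0" ]; then
        echo "FAIL: grub timeout is 0; the boot entry cannot be edited to select single user mode"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files standing in for the real ones.
demo() {
    d=$(mktemp -d) || return 1
    printf 'disk_full_action = HALT\n' > "$d/auditd.conf"
    printf 'SINGLE=/sbin/sushell\n' > "$d/init"
    printf 'default=0\ntimeout=0\n' > "$d/grub.conf"
    check_recovery "$d/auditd.conf" "$d/init" "$d/grub.conf" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

On a real host, call check_recovery with the three actual file paths instead of running demo.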