Red Hat Enterprise Linux > AS/ES/WS v. 3 > Issue
Issue:
My system has numerous 20MB files in the /var/log/audit.d directory. What are these files and where did they come from?
Resolution:
The files in /var/log/audit.d are log files generated by the Linux Audit Subsystem (LAuS). LAuS is active by default and logs certain system activities for security purposes. If security auditing is not required, LAuS can be switched off using these commands:
service audit stop
chkconfig audit off
After stopping the service, any save.* files in /var/log/audit.d can be deleted. We recommend leaving the bin.* files intact in case LAuS is needed in the future. LAuS functionality will be disabled by default in upcoming versions of Red Hat Enterprise Linux 3.
Because LAuS is used for security auditing, the log files it creates are never removed. If a system using LAuS is under heavy load, it is possible for the log files to grow to the point where they fill the filesystem containing /var, which will crash the system. There are several ways to prevent this. The simplest way is to periodically monitor the size of the /var/log/audit.d directory and remove old save.* files. Another technique is to prevent the archiving of audit data to save.* files. This can be done by modifying the notify line in the output section of /etc/audit/audit.conf to use /bin/true instead of /usr/sbin/audbin:
/etc/audit/audit.conf
output {
    mode = bin;
    num-files = 4;
    file-size = 20M;
    file-name = "/var/log/audit.d/bin";
    notify = "/bin/true";
}
A third way to prevent archive data from filling up the filesystem would be to write a logrotate script that removes save.* files based on age. However, writing a logrotate script for LAuS is out of scope for this article.
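The monitoring and age-based cleanup described above can also be done with a small shell helper run from cron. This is an added example, not part of the original article or of Red Hat's tooling; the function names and the 30-day threshold in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: age-based cleanup of archived LAuS save.* files.
# Function names and the thresholds in the usage line are assumptions.

# Size of the audit directory in kilobytes.
audit_dir_kb() {
    du -sk "$1" | awk '{ print $1 }'
}

# List save.* files directly inside DIR last modified more than DAYS days ago.
# The name pattern never matches the active bin.* files.
list_old_saves() {
    find "$1" -maxdepth 1 -type f -name 'save.*' -mtime +"$2" -print
}

# prune_saves DIR DAYS [--delete]
# Prints the number of matching files. Without --delete nothing is removed.
prune_saves() {
    dir=$1; days=$2; mode=${3:-dry-run}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    n=$(list_old_saves "$dir" "$days" | wc -l)
    if [ "$mode" = "--delete" ]; then
        find "$dir" -maxdepth 1 -type f -name 'save.*' -mtime +"$days" \
            -exec rm -f {} +
    fi
    echo $((n))
}

# Usage: sh prune-audit.sh /var/log/audit.d 30 --delete
[ $# -lt 2 ] || prune_saves "$@"
```

Run it without --delete first to see how many files would be removed. The save.* files are the archived audit record, so copy any that must be retained to other storage before pruning.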