Audit Log Partition keeps getting corrupted. How to prevent or boot anyway?

dberm22

1/27/24, 6:25 PM

I am running RHEL7, and my audit log partition randomly (not often, but often enough to annoy me) gets corrupted, preventing me from booting. How can I either prevent the partition from being corrupted, or ignore it and allow the system to continue to boot? "Sledgehammer" answers are acceptable.

Whenever the system becomes corrupted, I run a umount, followed by a xfs_repair -L, followed by a mount. This temporarily fixes the issue until the next time it gets corrupted.

Will disabling auditing via auditd -e 2 or systemctl disable auditd solve this issue?
Is there a way to continue to boot (ignore the partition) if audit log partition is corrupted?
Can I just delete the partition, if I also disable auditing?
Can I put the partition in read-only mode?
Can I automatically detect a corrupted partition and repair it on boot? This answer seems to indicate I can have xfs_repair run on boot, but I'm not fully following the answer.

1 + 0

xfs

redhat

corruption

auditd

rhel7

Score:0

Server

Delano zuurman

2/1/24, 9:40 AM

Here are some suggestions you can

Disable auditing via auditd -e 2 or systemctl disable auditd: This might solve the issue of audit log partition corruption, as auditing will be disabled and hence no data will be written to the partition. However, you need to weigh the pros and cons of disabling auditing on your system, as it may prevent the system from logging important information.
Ignoring the partition: There isn't a straightforward way to ignore the corrupted partition, but you can try creating a new partition and copying over the data from the corrupted partition to the new partition, and then set the new partition as the audit log partition.
Deleting the partition: This will prevent the system from logging audit data, but as you have already said, this is a "sledgehammer" solution.
Putting the partition in read-only mode: This will prevent the system from writing data to the partition, but will not prevent the partition from becoming corrupted.
Automatically detecting and repairing the partition: You can add a script to automatically run xfs_repair on boot, if the partition is detected to be corrupted. To do this, you can create a script that runs xfs_repair -L and add it to the system startup.

+ 3

dberm22

2/1/24, 3:30 PM

Thanks for the reply. How would I do 5, considering it prevents the system from booting? What is the earliest point in the boot sequence can I run this check/repair?

Delano zuurman

2/2/24, 4:48 PM

Have a look over here : https://www.golinuxcloud.com/run-script-at-startup-boot-without-cron-linux/

dberm22

2/6/24, 12:45 PM

Awarding bounty as it is about to expire. Not marking as accepted answer just yet.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Audit Log Partition keeps getting corrupted. How to prevent or boot anyway?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.