From owner-freebsd-security@freebsd.org Sat Jan 9 21:04:35 2016 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D2EA7A6A22D for ; Sat, 9 Jan 2016 21:04:35 +0000 (UTC) (envelope-from terje@elde.net) Received: from rand.keepquiet.net (keepquiet.net [144.76.43.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "keepquiet.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9DC531503; Sat, 9 Jan 2016 21:04:35 +0000 (UTC) (envelope-from terje@elde.net) Received: from [10.130.11.109] (cm-84.210.87.28.getinternet.no [84.210.87.28]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: terje@elde.net) by rand.keepquiet.net (Postfix) with ESMTPSA id E4524DB0; Sat, 9 Jan 2016 20:55:43 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: Does audit_control's "expire-after" by size works? From: Terje Elde X-Mailer: iPhone Mail (13C75) In-Reply-To: <569159E6.1040206@FreeBSD.org> Date: Sat, 9 Jan 2016 21:55:42 +0100 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <89CCB3E8-4E81-4673-B04B-E3B8A25CBE76@elde.net> References: <569159E6.1040206@FreeBSD.org> To: lev@FreeBSD.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Jan 2016 21:04:35 -0000 > On 09 Jan 2016, at 20:05, Lev Serebryakov wrote: >=20 > I have this: >=20 > expire-after:356d AND 5G >=20 > and now my /var/audit contains 1 year of files, but it takes 105 > gigabytes (!). >=20 > It is FreeBSD 10.2-STABLE r286784 I don't recall how that limit is implemented, but it could be related to thi= s: https://www.freebsd.org/security/advisories/FreeBSD-EN-15:19.kqueue.asc Terje