sr2/ansible-collection-core
4
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions

baseline: document recovery from full audit partition #3

New issue
Open
opened 2025-12-20 14:09:01 +00:00 by irl · 0 comments
irl commented 2025-12-20 14:09:01 +00:00
Owner
Copy link

To prevent actions being taken while the audit log filesystem is full, we simply shut down the instance. This is a last resort measure that hopefully we catch before it happens, however if it does you need to recover from it. Any attempt to power the machine back up will simply be met with it shutting itself down again. Console access must be used to enter a single user shell.

At the GRUB boot menu, select the current kernel version and edit the boot commands. Append to the end of the linux line:

single init=/bin/bash

Once you're booted up:

# Mount the audit partition
/usr/sbin/lvm vgchange -ay datavg
/usr/sbin/lvm vgscan --mknodes
mount -a
# Confirm the issue
df -h
# Remediate the issue
cd /var/log/audit
...
# Unmount audit and log partitions
cd /
umount /var/log/audit
umount /var/log
# Sync
echo s > /proc/sysrq-trigger
# Reboot
echo o > /proc/sysrq-trigger
To prevent actions being taken while the audit log filesystem is full, we simply shut down the instance. This is a last resort measure that hopefully we catch before it happens, however if it does you need to recover from it. Any attempt to power the machine back up will simply be met with it shutting itself down again. Console access must be used to enter a single user shell. At the GRUB boot menu, select the current kernel version and edit the boot commands. Append to the end of the `linux` line: ``` single init=/bin/bash ``` Once you're booted up: ``` # Mount the audit partition /usr/sbin/lvm vgchange -ay datavg /usr/sbin/lvm vgscan --mknodes mount -a # Confirm the issue df -h # Remediate the issue cd /var/log/audit ... # Unmount audit and log partitions cd / umount /var/log/audit umount /var/log # Sync echo s > /proc/sysrq-trigger # Reboot echo o > /proc/sysrq-trigger ```
irl changed title from Recovery from full audit partition to baseline: document recovery from full audit partition 2025-12-20 14:16:35 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: sr2/ansible-collection-core#3
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?