perl-Razor-Agent logs to /razor-agent.log by default

[Kurt Seifried <kseifried () redhat com>]

So today I was logged into some mail servers and ls -la / and had a
minor panic:

-rw-r--r--.  1 root root  2275 Oct 12 04:15 razor-agent.log

Generally speaking I'm not expecting log files in / unless it's some
sort of malware. A brief investigation and no panic, it's the
perl-Razor-Agent, which on RHEL/Fedora is supposed to log to
/var/log/razor-agent.log but doesn't due to some HOME shenanigans:

https://bugzilla.redhat.com/show_bug.cgi?id=1058772

This log file grows slowly, basically one entry per day/reboot:

Oct 12 16:13:17.347744 check[835]: [ 2] [bootup] Logging initiated
LogDebugLevel=3 to file:razor-agent.log

but it won't ever get logrotated, and on a system with a very tight /,
e.g. a cloud system maybe using immutable images that only have a few
spare k on / (and /var/log/ on another partition or whatever) this could
be an issue.

I'm inclined to not call this a DoS as even over a year it'll only be a
few tens of kb, and it doesn't appear that the attacker can trigger
faster growth, but I can see situations where this could be a problem.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature