From: Simon Sekidde
Subject: Re: auditd.cron
Date: Thu, 23 Mar 2017 09:53:45 -0400 (EDT)
Message-ID: <259291253.4560318.1490277225528.JavaMail.zimbra@redhat.com>
References: <4399543.tYVMYjfBej@x2> <11d3dcab-58f4-a7a9-24b7-068e99e50d85@ll.mit.edu>
In-Reply-To: <11d3dcab-58f4-a7a9-24b7-068e99e50d85@ll.mit.edu>
To: Ed Christiansen MS
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

----- Original Message -----
> From: "Ed Christiansen MS"
> To: linux-audit@redhat.com
> Sent: Thursday, March 23, 2017 9:28:34 AM
> Subject: Re: auditd.cron
>
> So, if I read this right, to implement an auditd log rotation that is
> based on time one would:
>
> 1. set num_logs to 0 in auditd.conf
>

This implies no rotation

> 2. send SIGUSR1 to auditd based on your log rotation schedule.
>
> Are there any other nuances I need to take into consideration?
>

`service auditd rotate` will force a rotation

> On 3/22/2017 5:48 PM, Steve Grubb wrote:
> > On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> >> So, I needed a feature over 8 months ago, nobody could provide one for the
> >> following:
> >> Rolling log files either when they hit a certain size or the day
> >> changed over at midnight.
> >>
> >> I know that I could have rolled the files at a specific size, by using the
> >> max_log_file attribute as identified in the /etc/audit/auditd.conf,
> >> but
> >> there was no "builtin" for managing auto rotation at the start of a new
> >> day
> >> (0000 hrs).
> >>
> >> It looks like there is a file called
> >> /usr/share/doc/auditd-<version>/auditd.cron.
> >> To me, this file is new; considering I needed it 8 months ago.
> >
> > It's over 9 years old.
> >
> >> Anyway, how is this file implemented?
> >
> > https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron
> >
> > It's a shell script that ends up sending SIGUSR1 to auditd. That causes
> > auditd
> > to rotate the files. But you would also configure auditd to not rotate
> > files by
> > setting num_logs to 0 in auditd.conf.
> >
> >> Simply move it to a directory with permissions to execute; ensure it is
> >> executable and then simply set up a cronjob to execute it at whatever time
> >> of day that I wish?
> >
> > Yes. You can also extend the script by sleeping a couple seconds for the
> > rotation and then rename the file and/or compress it and/or move it to
> > another
> > directory or partition. Whatever you want to do.
> >
> >> Finally, if I have '-e 2' as the last control in the audit.rules file;
> >> will the auditd.cron which executes as service auditd rotate still
> >> function
> >> properly?
> >
> > The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon
> > just
> > rotates the files. So, it has no bearing on the matter.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
>

--
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
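
The extension described in the thread (rotate, sleep a couple of seconds, then rename, compress and move the rotated file), sketched as an added example that is not part of the original messages and is not the project's auditd.cron. It assumes the rotated file appears as `audit.log.1` under `/var/log/audit`; the archive directory and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's auditd.cron.
# Assumptions: rotated file is $LOG_DIR/audit.log.1; ARCHIVE_DIR is hypothetical.
LOG_DIR="${LOG_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"

# archive_rotated LOG_DIR ARCHIVE_DIR STAMP
# Moves LOG_DIR/audit.log.1 to ARCHIVE_DIR/audit-STAMP.log and gzips it.
# Returns: 0 archived, 1 no rotated file found (rotation did not happen),
#          2 archive name already exists (never overwrite audit evidence),
#          3 creating the directory, moving or compressing failed.
archive_rotated() {
    src="$1/audit.log.1"
    dst="$2/audit-$3.log"
    [ -f "$src" ] || return 1
    if [ -e "$dst" ] || [ -e "$dst.gz" ]; then
        return 2
    fi
    # umask 077 so a newly created archive directory is owner-only;
    # mv and gzip keep the mode the audit daemon gave the log file.
    ( umask 077
      mkdir -p "$2" &&
      mv "$src" "$dst" &&
      gzip -9 "$dst" ) || return 3
}

# Force the rotation as the thread describes, wait, then archive.
rotate_and_archive() {
    service auditd rotate || {
        logger -t auditd "ALERT rotate exited abnormally"
        return 1
    }
    sleep 2   # give auditd a couple of seconds to finish the rotation
    rc=0
    archive_rotated "$LOG_DIR" "$ARCHIVE_DIR" "$(date +%Y%m%d-%H%M%S)" || rc=$?
    [ "$rc" -eq 0 ] || logger -t auditd "ALERT archive step failed rc=$rc"
    return "$rc"
}

# Acts only when called with --run, e.g. from a root cron entry.
if [ "${1:-}" = "--run" ]; then
    rotate_and_archive
fi
```

A non-zero return from the archive step is logged through `logger`, so a missed rotation or a name collision shows up in syslog rather than silently leaving a gap in the archived audit trail.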