public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Dole, Patrick A." <Patrick.Dole@gd-ais.com>
Subject: Re: Audit rotate vs log rotate questions
Date: Wed, 29 Jun 2011 19:55:05 -0400
Message-ID: <201106291955.05848.sgrubb@redhat.com>
In-Reply-To: <5AE2942125A7394BB0DD5B9F32DF16921C0A1E10B9@EADC01-MABPRD11.ad.gd-ais.com>

On Wednesday, June 29, 2011 07:10:44 PM Dole, Patrick A. wrote:
> I was hoping you could provide some help with audit rotation vs. logrotate
> 
> I'm running RHEL 5 SELinux
> In my daily.con I have 2 cron jobs that I believe should manage the
> 'audit.log' file; audit.cron and logrotate
> 
> My audit.cron includes:
>         service auditd rotate
> 
> Does this imply that the log always gets rotated, or is this based on other
> conditional checks? 

This issues a signal to auditd and it immediately rotates without any checks. If it 
had rotated 1 second before you issue the rotate command because of file size checks, 
it would even rotate the empty audit log.


> There are no other parameters in the audit.cron, so I
> don't see where 'max_log_size_action' or  'max_log_file_action' are
> checked. Here is my auditd.conf

The audit daemon will rotate based on size in addition to the cron job unless you set 
max_log_size_action to ignore. This will make 1 big log file. If you want it to rotate, 
set the max_log_size appropriately and choose another setting.

> Also, I've read that cron doesn't like files with a period (.) in the name
> - is this an issue with RHEL 5?

Offhand I have never heard such an issue, but I would think there should be something 
in the /var/log/messages file if it didn't like it.

> My basic question is wouldn't the audit.cron, if it actually rotates the
> log, preclude the logrotate from properly capturing the right log files
> monthly? 

Logrotate should not directly rotate the audit logs. I don't supply a logrotate 
configuration, but if I did it would call service auditd rotate so that auditd performs 
the action. The audit daemon has to fulfill certain service guarantees that logrotate 
does not care about. For example, if the audit disk partition gets full, auditd can 
take the system down. Logrotate never will. So, you have to let auditd do its own 
thing or you will have some issues.


> Also, if I wanted to ensure no audit.log data ever gets deleted,
> could I simply increase the 'rotate 12' statement to something like
> 'rotate 60' to keep 5 years of data (provided the disk doesn't get full).

No, set the max_log_file_action to ignore. Note that this is a different issue than what 
I described as making 1 big file.


> FYI, there is another utility that archives  the log files and gives the
> user the option to delete files after they are archived.

There are probably people on this list that can tell you what they do. I would suspect 
they have a custom cron job.

-Steve
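As an added example (not from the thread and not part of the audit package), the POSIX sh below checks the two things discussed above on a host: what auditd itself will do with audit.log once max_log_file is reached, and whether a logrotate stanza has been pointed at /var/log/audit, which Steve advises against. The auditd.conf and logrotate texts are constructed samples with illustrative values, not copied from any real system; the `keep_logs` value comes from auditd.conf(5) and is noted here in addition to the `ignore` setting discussed in the reply.

```shell
#!/bin/sh
# Constructed sample of an auditd.conf (illustrative values, not a real host's file).
SAMPLE_AUDITD_CONF='log_file = /var/log/audit/audit.log
max_log_file = 5
max_log_file_action = ROTATE
num_logs = 4
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND'

# Constructed sample of a logrotate stanza someone wrote for audit.log.
# This is the configuration the reply says not to have: logrotate should
# never move audit.log itself; only auditd (via "service auditd rotate",
# which sends SIGUSR1 to the daemon) should rotate it.
SAMPLE_LOGROTATE='/var/log/audit/audit.log {
    monthly
    rotate 12
    compress
    missingok
}'

# auditd_get KEY CONF -> value of KEY in the CONF text (empty if absent)
auditd_get() {
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
    | head -n 1
}

# audit_retention CONF -> one word describing what auditd does at max_log_file:
#   unbounded-single-file : max_log_file_action=ignore, one big file (only the
#                           cron "service auditd rotate" ever splits it)
#   keep-all              : max_log_file_action=keep_logs, rotates but never deletes
#   drop-after-N          : max_log_file_action=rotate, oldest file deleted once
#                           num_logs files exist
#   other:ACTION          : syslog/suspend/unset etc.
audit_retention() {
  action=$(auditd_get max_log_file_action "$1" | tr 'A-Z' 'a-z')
  nlogs=$(auditd_get num_logs "$1")
  case "$action" in
    ignore)    echo unbounded-single-file ;;
    keep_logs) echo keep-all ;;
    rotate)    echo "drop-after-${nlogs:-0}" ;;
    *)         echo "other:${action:-unset}" ;;
  esac
}

# set_log_file_action CONF ACTION -> CONF text with max_log_file_action rewritten
set_log_file_action() {
  printf '%s\n' "$1" \
    | sed "s/^\([[:space:]]*max_log_file_action[[:space:]]*=[[:space:]]*\).*/\1$2/"
}

# logrotate_touches_audit TEXT -> exit 0 if any stanza targets /var/log/audit
logrotate_touches_audit() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*/var/log/audit/'
}

# Stand-alone usage: report on the constructed samples.
echo "auditd retention: $(audit_retention "$SAMPLE_AUDITD_CONF")"
if logrotate_touches_audit "$SAMPLE_LOGROTATE"; then
  echo "WARNING: logrotate stanza targets /var/log/audit; leave rotation to auditd"
fi
```

On a real host you would feed the functions `$(cat /etc/audit/auditd.conf)` and `$(cat /etc/logrotate.d/*)`; the sed in `set_log_file_action` only edits an existing `max_log_file_action` line and leaves the rest of the file untouched.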
