From: "Dole, Patrick A."
Subject: Audit rotate vs log rotate questions
Date: Wed, 29 Jun 2011 18:10:44 -0500
To: linux-audit@redhat.com

Hi,

I was hoping you could provide some help with audit rotation vs. logrotate

I'm running REL 5 SElinux
In my daily.con I have 2 cron jobs that I believe should manage the 'audit.log' file; audit.cron and logrotate

My audit.cron includes:
        service auditd rotate

Does this imply that the log always gets rotated, or is this based on other conditional checks?
There are no other parameters in the audit.cron, so I don't see where 'max_log_size_action' or 'max_log_file_action' are checked.
Here is my auditd.conf

Also, I've read that cron doesn't like files with a period (.) in the name - is this an issue with REL 5?

My Logrotate.conf is attached
My logrotate.d contains this file:

My basic question is wouldn't the audit.cron, if it actually rotates the log, preclude the logrotate from properly capturing the right log files monthly?
Also, if I wanted to ensure no audit.log data ever gets deleted, could I simply increase the 'rotate 12' statement to something like 'rotate 60' to keep 5 years of data (provided the disk doesn't get full).

FYI, there is another utility that archives the log files and gives the user the option to delete files after they are archived.

A response within a couple days, if possible, would be great.
Thanks for your help.

Pat Dole
General Dynamics AIS
From: Steve Grubb
Subject: Re: Audit rotate vs log rotate questions
Date: Wed, 29 Jun 2011 19:55:05 -0400
To: linux-audit@redhat.com
Cc: "Dole, Patrick A."

On Wednesday, June 29, 2011 07:10:44 PM Dole, Patrick A. wrote:
> I was hoping you could provide some help with audit rotation vs. logrotate
>
> I'm running REL 5 SElinux
> In my daily.con I have 2 cron jobs that I believe should manage the
> 'audit.log' file; audit.cron and logrotate
>
> My audit.cron includes:
> service auditd rotate
>
> Does this imply that the log always gets rotated, or is this based on other
> conditional checks?

This issues a signal to auditd and it immediately rotates without any checks. If it had rotated 1 second before you issue the rotate command because of file size checks, it would even rotate the empty audit log.

> There are no other parameters in the audit.cron, so I
> don't see where 'max_log_size_action' or 'max_log_file_action' are
> checked. Here is my auditd.conf

The audit daemon will rotate based on size in addition to the cron job unless you set max_log_size_action to ignore. This will make 1 big log file. If you want it to rotate, set the max_log_size appropriately and choose another setting.

> Also, I've read that cron doesn't like files with a period (.) in the name
> - is this an issue with REL 5?

Offhand I have never heard such an issue, but I would think there should be something in the /var/log/messages file if it didn't like it.

> My basic question is wouldn't the audit.cron, if it actually rotates the
> log, preclude the logrotate from properly capturing the right log files
> monthly?

Logrotate should not directly rotate the audit logs. I don't supply a logrotate configuration, but if I did it would call service auditd rotate so that auditd performs the action. The audit daemon has to fulfill certain service guarantees that logrotate does not care about. For example, if the audit disk partition gets full, auditd can take the system down. Logrotate never will. So, you have to let auditd do its own thing or you will have some issues.

> Also, if I wanted to ensure no audit.log data ever gets deleted,
> could I simply increase the 'rotate 12' statement to something like
> 'rotate 60' to keep 5 years of data (provided the disk doesn't get full).

No, set the max_log_file_action to ignore. Note that this is a different issue than what I described as making 1 big file.

> FYI, there is another utility that archives the log files and gives the
> user the option to delete files after they are archived.

There are probably people on this list that can tell you what they do. I would suspect they have a custom cron job.

-Steve
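As an added example (not code from this thread or from the audit project), a small Python checker for the two points raised in the reply above: whether auditd's own size-based rotation can discard old files (max_log_file_action together with num_logs) and whether a logrotate.d stanza rotates audit.log directly instead of leaving rotation to auditd. The auditd.conf and logrotate stanza in the block are constructed samples, not the poster's attachments.

```python
import re

# Constructed sample auditd.conf (not the poster's attachment).
SAMPLE_AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
num_logs = 4
max_log_file = 256
max_log_file_action = ROTATE
"""

# Constructed /etc/logrotate.d/audit stanza that rotates audit.log directly.
SAMPLE_LOGROTATE_AUDIT = """\
/var/log/audit/audit.log {
    monthly
    rotate 12
    compress
}
"""

def parse_auditd_conf(text):
    """Return {key: value} (lower-cased) from 'key = value' lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip().lower()
    return conf

def logrotate_manages(text, path):
    """True if a logrotate stanza header names `path`, i.e. logrotate rotates that file itself."""
    for match in re.finditer(r"^([^#{}\n]+)\{", text, re.M):
        if path in match.group(1).split():
            return True
    return False

def rotation_findings(auditd_conf, logrotate_text, path="/var/log/audit/audit.log"):
    """Findings on whether audit data can be discarded by rotation and on who is rotating it."""
    findings = []
    action = auditd_conf.get("max_log_file_action", "rotate")   # auditd default is rotate
    num_logs = int(auditd_conf.get("num_logs", "0"))
    if action == "ignore":
        findings.append("size-ignore: auditd never rotates on size; audit.log grows until the space_left thresholds fire")
    elif action == "rotate":
        findings.append(f"size-rotate: auditd keeps num_logs={num_logs} files; older files are discarded on each rotation")
    else:
        findings.append(f"size-{action}: auditd takes action '{action}' when max_log_file is reached")
    if logrotate_manages(logrotate_text, path):
        findings.append("logrotate-direct: logrotate rotates audit.log itself; let auditd rotate instead (service auditd rotate)")
    return findings

if __name__ == "__main__":
    for finding in rotation_findings(parse_auditd_conf(SAMPLE_AUDITD_CONF), SAMPLE_LOGROTATE_AUDIT):
        print(finding)
```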