Audit rotate vs log rotate questions

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* Audit rotate vs log rotate questions
@ 2011-06-29 23:10 Dole, Patrick A.
  2011-06-29 23:55 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Dole, Patrick A. @ 2011-06-29 23:10 UTC (permalink / raw)
  To: linux-audit@redhat.com

[-- Attachment #1.1: Type: text/plain, Size: 1355 bytes --]

Hi,
I was hoping you could provide some help with audit rotation vs. logrotate

I'm running REL 5 SElinux
In my daily.con I have 2 cron jobs that I believe should manage the 'audit.log' file; audit.cron and logrotate

My audit.cron includes:
        service auditd rotate

Does this imply that the log always gets rotated, or is this based on other conditional checks?
There are no other parameters in the audit.cron, so I don't see where 'max_log_size_action' or  'max_log_file_action' are checked.
Here is my auditd.conf

Also, I've read that cron doesn't like files with a period (.) in the name - is this an issue with REL 5?

...

My Logrotate.conf is attached

My logrotate.d contains this file:

My basic questions is wouldn't the audit.cron, if it actually rotates the log, preclude the logrotate from properly capturing the right log files monthly?
Also, if I wanted to ensure no audit.log data ever gets deleted, could I simply increase the 'rotate 12' statement to something like 'rotate 60' to keep 5 years of data (provided the disk doesn't get full).

FYI, there is another utility that archives  the log files and gives the user the option to delete files after they are archived.

A response within a couple days, if possible, would be great.
Thanks for your help.

Pat Dole
General Dynamics AIS

[-- Attachment #1.2: Type: text/html, Size: 2448 bytes --]

[-- Attachment #2: auditd.conf --]
[-- Type: application/octet-stream, Size: 924 bytes --]

#
# This file controls the configuration of the audit daemon
#

# Common Criteria CAPP/LSPP recommended configuration. You MAY
# adjust this according to local requirements.

log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 5

# Configure disk synchronization. Using "flush = DATA" or 
# "flush = SYNC" increases reliability slightly but has a
# high performance cost. INCREMENTAL is a reasonable compromise.
flush = DATA
freq = 20

num_logs = 4
DISP_qos = lossy
max_log_file = 256
max_log_file_action = IGNORE
space_left = 1000
space_left_action = email
action_mail_acct = root
admin_space_left = 100

# Configure how the system will treat disk space exhaustion.
# The action "HALT" discards audit records if space is exhausted.
# The fail-safe setting is to switch to single-user mode.

admin_space_left_action = email
disk_full_action = HALT
disk_error_action = HALT

[-- Attachment #3: logrotate.conf --]
[-- Type: application/octet-stream, Size: 529 bytes --]

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

# system-specific logs may be also be configured here.

[-- Attachment #4: audit --]
[-- Type: application/octet-stream, Size: 536 bytes --]

/var/log/audit/audit.log {
    monthly
    rotate 12
    compress
    copy
    olddir /var/log/audit/logrotate
    delaycompress
    compresscmd /bin/gzip
    sharedscripts
    prerotate
	/bin/kill -USR1 `cat /var/run/auditd.pid`
	/bin/sleep 5
    endscript
    postrotate
	/bin/mv /var/log/audit/audit.log.1 /var/log/audit/logrotate
	/bin/gzip -9 /var/log/audit/logrotate/audit.log.1
	/bin/cp /var/log/audit/logrotate/audit.log.1.gz \
		/var/log/log-archiver/audit.log.`hostname`.`date +%F-%H%M`.gz
    endscript
}

[-- Attachment #5: Type: text/plain, Size: 0 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Audit rotate vs log rotate questions
  2011-06-29 23:10 Audit rotate vs log rotate questions Dole, Patrick A.
@ 2011-06-29 23:55 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2011-06-29 23:55 UTC (permalink / raw)
  To: linux-audit; +Cc: Dole, Patrick A.

On Wednesday, June 29, 2011 07:10:44 PM Dole, Patrick A. wrote:
> I was hoping you could provide some help with audit rotation vs. logrotate
> 
> I'm running REL 5 SElinux
> In my daily.con I have 2 cron jobs that I believe should manage the
> 'audit.log' file; audit.cron and logrotate
> 
> My audit.cron includes:
>         service auditd rotate
> 
> Does this imply that the log always gets rotated, or is this based on other
> conditional checks? 

This issues a signal to auditd and it immediately rotates without any checks. If it 
had rotated 1 second before you issue the rotate command because of file size checks, 
it would even rotate the empty audit log.

> There are no other parameters in the audit.cron, so I
> don't see where 'max_log_size_action' or  'max_log_file_action' are
> checked. Here is my auditd.conf

The audit daemon will rotate based on size in addition to the cron job unless you set 
max_log_size_action to ignore. This will make 1 big log file. If you want it to rotate, 
set the max_log_size appropriately and choose another setting.

> Also, I've read that cron doesn't like files with a period (.) in the name
> - is this an issue with REL 5?

Offhand I have never heard such an issue, but I would think there should be something 
in the /var/log/messages file if it didn't like it.

> My basic questions is wouldn't the audit.cron, if it actually rotates the
> log, preclude the logrotate from properly capturing the right log files
> monthly? 

Logrotate should not directly rotate the audit logs. I don't supply a logrotate 
configuration, but if I did it would call service auditd rotate so that auditd performs 
the action. The audit daemon has to fulfill certain service guarantees that logrotate 
does not care about. For example, if the audit disk partition gets full, auditd can 
take the system down. Logrotate never will. So, you have to let auditd do its own 
thing or you will have some issues.

> Also, if I wanted to ensure no audit.log data ever gets deleted,
> could I simply increase the 'rotate 12' statement to something like
> 'rotate 60' to keep 5 years of data (provided the disk doesn't get full).

No, set the max_log_file_action to ignore. Note that this is a different issue than what 
I described as making 1 big file.

> FYI, there is another utility that archives  the log files and gives the
> user the option to delete files after they are archived.

There are probably people on this list that can tell you what they do. I would suspect 
they have a custom cron job.

-Steve

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-06-29 23:55 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-06-29 23:10 Audit rotate vs log rotate questions Dole, Patrick A.
2011-06-29 23:55 ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox