From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: audit log still getting rotated even with max_log_file_action = ignore?
Date: Mon, 02 Nov 2015 18:32:34 -0500
Message-ID: <2015477.b7QVr7lf9X@x2>
References: <5637D841.3090501@jlbond.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <5637D841.3090501@jlbond.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, November 02, 2015 01:40:17 PM Bond Masuda wrote:
> I'm seeing my /var/log/audit/audit.log getting rotated (I find an audit.1
> or audit.2, etc. file) even though I have max_log_file_action=ignore.
> Here's the full auditd.conf:
>
> log_file = /var/log/audit/audit.log
> log_format = RAW
> log_group = root
> priority_boost = 4
> flush = INCREMENTAL
> freq = 20
> num_logs = 5
> disp_qos = lossy
> dispatcher = /sbin/audispd
> name_format = hostname
> max_log_file = 6
> max_log_file_action = ignore
> space_left = 75
> space_left_action = email
> action_mail_acct = root
> admin_space_left = 50
> admin_space_left_action = exec /usr/local/bin/remove_oldest_audit_log
> disk_full_action = exec /usr/local/bin/remove_oldest_audit_log
> disk_error_action = SUSPEND
> tcp_listen_queue = 5
> tcp_max_per_addr = 1
> tcp_client_max_idle = 0
> enable_krb5 = no
> krb5_principal = auditd
>
> what am I missing?

I took a quick look at the code. I can't see how this is happening unless
auditd is receiving a SIGUSR1 signal. You might want to put some syslog
calls into auditd-event.c to log when auditd gets told to rotate so that it
can be correlated to other system activities.

-Steve

> I have a cron job in /etc/cron.daily/auditd that I use to rotate +
> compress the audit logs, but this is not what is causing the audit log
> rotation.
>
> Is there another setting I must set in order for it to not automatically
> rotate the audit log? How do I achieve the desired effect, where the
> audit log is only rotated when my cron script runs?
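
An added example, not part of the original message and not code from the audit project: a different way to correlate a SIGUSR1 delivered to auditd with its sender, using an audit rule on kill() instead of patching auditd-event.c. The rule in the comment, the x86_64 syscall and signal numbers, the key name `auditd_usr1`, and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (RAW format, name_format = hostname). Assumed rule,
# x86_64 only (kill is syscall 62, SIGUSR1 is signal 10):
#   auditctl -a always,exit -F arch=b64 -S kill -F a1=10 -k auditd_usr1
SAMPLE_LOG = """\
node=host1 type=SYSCALL msg=audit(1446500000.123:4711): arch=c000003e syscall=62 success=yes exit=0 a0=4d2 a1=a a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=4294967295 uid=0 comm="kill" exe="/usr/bin/kill" key="auditd_usr1"
node=host1 type=OBJ_PID msg=audit(1446500000.123:4711): opid=1234 oauid=-1 ouid=0 oses=-1 ocomm="auditd"
node=host1 type=SYSCALL msg=audit(1446500100.500:4712): arch=c000003e syscall=62 success=yes exit=0 a0=929 a1=a a2=0 a3=0 items=0 ppid=1 pid=3000 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="auditd_usr1"
node=host1 type=OBJ_PID msg=audit(1446500100.500:4712): opid=2345 oauid=1000 ouid=1000 oses=3 ocomm="myapp"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial); one event spans several records."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[(float(m.group(1)), int(m.group(2)))].append(fields)
    return events

def usr1_senders(text, target_comm="auditd"):
    """Return who successfully sent SIGUSR1 to a process named target_comm."""
    hits = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("syscall") != "62" or sc.get("success") != "yes":
            continue
        # Syscall arguments are logged in hex, so SIGUSR1 (10) shows up as a1=a.
        if int(sc.get("a1", "0"), 16) != 10:
            continue
        # A kill() event carries one OBJ_PID record per signalled process.
        if any(r.get("type") == "OBJ_PID" and r.get("ocomm") == target_comm for r in recs):
            hits.append({"time": ts, "serial": serial, "pid": int(sc["pid"]),
                         "ppid": int(sc["ppid"]), "comm": sc["comm"], "exe": sc["exe"]})
    return hits

if __name__ == "__main__":
    for hit in usr1_senders(SAMPLE_LOG):
        print(hit)
```

The `time` and `ppid` of each hit can then be compared against the timestamps of the unexpected audit.1 files and against cron or logrotate activity.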