public inbox for linux-audit@redhat.com
* Logrotate and Audit Log Rotation
@ 2012-11-14 12:52 Paul Whitney
  2012-11-14 13:54 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Paul Whitney @ 2012-11-14 12:52 UTC (permalink / raw)
  To: linux-audit



On RHEL 6 I am able to use the logrotate facility and compress logs using bzip2. However, when I try to use a similar method on RHEL 5, the auditd service fails to restart after the logrotate service rotates and compresses the rotated log file.

I found a post by Steve Grubb posted on 29 JUN 2011:
  
"Logrotate should not directly rotate the audit logs. I don't supply a logrotate 
configuration, but if I did it would call service auditd rotate so that auditd performs
the action. The audit daemon has to fulfill certain service guarantees that logrotate
does not care about. For example, if the audit disk partition gets full, auditd can
take the system down. Logrotate never will. So, you have to let auditd do its own
thing or you will have some issues."

Is this still the case? 

Paul M. Whitney
paul.whitney@icloud.com




* Re: Logrotate and Audit Log Rotation
  2012-11-14 12:52 Logrotate and Audit Log Rotation Paul Whitney
@ 2012-11-14 13:54 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2012-11-14 13:54 UTC (permalink / raw)
  To: linux-audit

On Wednesday, November 14, 2012 12:52:31 PM Paul Whitney wrote:
> On RHEL 6 I am able to use the logrotate facility and compress logs using
> bzip2. However, when I try to use a similar method on RHEL 5, the auditd
> service fails to restart after the logrotate service rotates and compresses
> the rotated log file.
> 
> I found a post by Steve Grubb posted on 29 JUN 2011:
>   
> "Logrotate should not directly rotate the audit logs. I don't supply a
> logrotate configuration, but if I did it would call service auditd rotate
> so that auditd performs the action. The audit daemon has to fulfill certain
> service guarantees that logrotate does not care about. For example, if the
> audit disk partition gets full, auditd can take the system down. Logrotate
> never will. So, you have to let auditd do its own thing or you will have
> some issues."
> 
> Is this still the case? 

Yes, it will always be the case. Logrotate does not understand the security 
requirements imposed by common criteria. You can either rotate on a cron job 
(an example script is shipped) or write a logrotate script that sends SIGUSR1 
to auditd.

-Steve
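
The second option in the reply above (signal auditd and let it rotate its own logs), as an added shell example that is not part of the thread or of the audit package. The pid file path /var/run/auditd.pid, the /proc-based process name check and the function name request_audit_rotate are assumptions of this example.

```shell
#!/bin/sh
# Added example: ask auditd to rotate its own logs by sending SIGUSR1,
# so the daemon (not logrotate) moves the files.
# Assumptions, not from the thread: pid file path and process name below.
AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"
AUDITD_COMM="${AUDITD_COMM:-auditd}"

# request_audit_rotate [pidfile]
# Returns 0 if SIGUSR1 was sent, 1 no pid file, 2 malformed pid,
# 3 stale pid (no such process), 4 pid belongs to another program,
# 5 signal could not be sent.
request_audit_rotate() {
    pidfile="${1:-$AUDITD_PIDFILE}"
    [ -r "$pidfile" ] || { echo "no pid file: $pidfile" >&2; return 1; }

    # First line only, digits only: the value is handed to kill.
    read -r pid < "$pidfile" || true
    case "$pid" in
        ''|*[!0-9]*) echo "malformed pid in $pidfile" >&2; return 2 ;;
    esac

    # A stale pid file may name a dead process or a recycled pid,
    # so confirm the process exists and really is the audit daemon.
    [ -d "/proc/$pid" ] || { echo "stale pid $pid" >&2; return 3; }
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    [ "$comm" = "$AUDITD_COMM" ] || {
        echo "pid $pid is '$comm', not $AUDITD_COMM" >&2
        return 4
    }

    # auditd performs the rotation itself on SIGUSR1; no log file is
    # renamed, truncated or compressed by this script.
    kill -USR1 "$pid" || return 5
}

# Invoke as "sh audit-rotate.sh run", for example from a cron job.
if [ "${1:-}" = "run" ]; then
    request_audit_rotate
    exit $?
fi
```

Called from cron or from a logrotate hook, the non-zero return codes let the job report a missing or stale daemon without touching the log files.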
