From: Steve Grubb
Subject: Re: Logrotate and Audit Log Rotation
Date: Wed, 14 Nov 2012 08:54:13 -0500
Message-ID: <8565226.qWSpgW3kEQ@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, November 14, 2012 12:52:31 PM Paul Whitney wrote:
> On RHEL 6 I am able to use the logrotate facility and compress logs using
> bzip2. However, when I try to use a similar method on RHEL 5, the auditd
> service fails to restart after the logrotate service rotates and compresses
> the rotated log file.
>
> I found a post by Steve Grubb posted on 29 JUN 2011:
>
> "Logrotate should not directly rotate the audit logs. I don't supply a
> logrotate configuration, but if I did it would call service auditd rotate
> so that auditd performs the action. The audit daemon has to fulfill certain
> service guarantees that logrotate does not care about. For example, if the
> audit disk partition gets full, auditd can take the system down. Logrotate
> never will. So, you have to let auditd do its own thing or you will have
> some issues."
>
> Is this still the case?

Yes, it will always be the case. Logrotate does not understand the security
requirements imposed by common criteria. You can either rotate on a cron job
(an example script is shipped) or write a logrotate script that sends SIGUSR1
to auditd.

-Steve
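
The SIGUSR1 approach from the reply above, as an added example that is not part of the original thread and is not the script shipped with the audit package: auditd performs the rotation itself, the script waits for it to finish, and bzip2 only ever reads a copy of the rotated file. The pid file and log paths, the archive directory and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the cron script shipped with the audit package.
# All paths are assumptions; override them through the environment.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit-archive}"   # hypothetical location
ROTATE_TIMEOUT="${ROTATE_TIMEOUT:-10}"                 # seconds to wait

inode_of() { ls -i -- "$1" 2>/dev/null | awk '{print $1}'; }

# Send SIGUSR1 so auditd rotates its own log, then wait until audit.log
# is a new file (its inode changes once the old one became audit.log.1).
# Returns 0 when rotated, 1 if auditd cannot be signalled, 2 on timeout.
request_rotation() {
    pid=$(cat "$AUDITD_PIDFILE" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    before=$(inode_of "$AUDIT_LOG")
    kill -USR1 "$pid" 2>/dev/null || return 1
    waited=0
    while [ "$waited" -lt "$ROTATE_TIMEOUT" ]; do
        now=$(inode_of "$AUDIT_LOG")
        [ -n "$now" ] && [ "$now" != "$before" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 2
}

# Write a compressed copy of audit.log.1 outside auditd's directory.
# auditd's own files are never renamed, truncated or removed here.
archive_rotated() {
    rotated="$AUDIT_LOG.1"
    [ -s "$rotated" ] || return 0
    dest="$ARCHIVE_DIR/audit-$(date +%Y%m%d-%H%M%S).log.bz2"
    ( umask 077                       # audit data: owner-only permissions
      mkdir -p "$ARCHIVE_DIR" &&
      bzip2 -c -- "$rotated" > "$dest.tmp" &&
      mv -- "$dest.tmp" "$dest" )     # publish only a complete archive
}

rotate_and_archive() {
    request_rotation || { rc=$?; echo "auditd rotation failed (rc=$rc)" >&2; return "$rc"; }
    archive_rotated
}

# From cron: /path/to/this-script run
case "${1:-}" in run) rotate_and_archive ;; esac
```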