From: Ed Christiansen MS <edwardc@ll.mit.edu>
To: linux-audit@redhat.com
Subject: Re: auditd.cron
Date: Thu, 23 Mar 2017 09:28:34 -0400	[thread overview]
Message-ID: <11d3dcab-58f4-a7a9-24b7-068e99e50d85@ll.mit.edu> (raw)
In-Reply-To: <4399543.tYVMYjfBej@x2>



So, if I read this right, to implement an auditd log rotation that is 
based on time one would:

1. set num_logs to 0 in auditd.conf

2. send SIGUSR1 to auditd based on your log rotation schedule.

Are there any other nuances I need to take into consideration?

On 3/22/2017 5:48 PM, Steve Grubb wrote:
> On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
>> So, I needed a feature over 8 months ago, nobody could provide one for the
>> following:
>>        Rolling log files either when they hit a certain size or the day
>> changed over at midnight.
>>
>> I know that I could have rolled the files at a specific size, by using the
>> max_log_file attribute as identified in the /etc/audit/auditd.conf, but
>> there was no "builtin" for managing auto rotation at the start of a new day
>> (0000 hrs).
>>
>> It looks like there is a file called /usr/share/doc/auditd-<version>/auditd.cron.
>> To me, this file is new; considering I needed it 8 months ago.
>
> It's over 9 years old.
>
>> Anyway, how is this file implemented?
>
> https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron
>
> It's a shell script that ends up sending SIGUSR1 to auditd. That causes auditd
> to rotate the files. But you would also configure auditd to not rotate files by
> setting num_logs to 0 in auditd.conf.
>
>> Simply move it to a directory with permissions to execute; ensure it is
>> executable and then simply set up a cronjob to execute it at whatever time
>> of day that I wish?
>
> Yes. You can also extend the script by sleeping a couple seconds for the
> rotation and then rename the file and/or compress it and/or move it to another
> directory or partition. Whatever you want to do.
>
>> Finally, if I have '-e 2' as the last control in the audit.rules file;
>> will the auditd.cron which executes as service auditd rotate still function
>> properly?
>
> The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
> rotates the files. So, it has no bearing on the matter.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
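
The recipe Ed summarises (num_logs set to 0 in auditd.conf, SIGUSR1 to auditd on a cron schedule) together with Steve's suggestion of sleeping and then renaming or compressing the rotated file, as an added example script that is not the upstream auditd.cron: it refuses to run unless num_logs is 0 so the two rotation mechanisms cannot overlap, signals auditd, and archives the file auditd leaves behind. The config, log, archive and pid-file paths, and the assumption that the rotated file is named audit.log.1, are mine, not the thread's.

```sh
#!/bin/sh
# Added example, not the upstream auditd.cron: time-based auditd rotation
# following the thread's recipe (num_logs = 0, SIGUSR1 on a cron schedule,
# then sleep and archive). Paths and the audit.log.1 name are assumptions.
set -u

AUDIT_CONF="${AUDIT_CONF:-/etc/audit/auditd.conf}"
AUDIT_LOGDIR="${AUDIT_LOGDIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"
PID_FILE="${PID_FILE:-/var/run/auditd.pid}"

# Succeed only if auditd.conf sets num_logs = 0, so auditd itself does not
# rotate and this script is the single rotation mechanism (last setting wins).
num_logs_is_zero() {
    val=$(sed -n 's/^[[:space:]]*num_logs[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | tail -n 1)
    [ "${val:-}" = "0" ]
}

# Ask the running auditd to rotate by sending SIGUSR1 to the pid in the pid file.
signal_rotate() {
    [ -r "$1" ] || return 1
    kill -s USR1 "$(cat "$1")"
}

# After rotation the previous log is assumed to be audit.log.1; move it into the
# archive under a timestamped name, gzip it, and print the final path.
archive_rotated_log() {
    logdir="$1"; archive="$2"; stamp="$3"
    src="$logdir/audit.log.1"
    [ -f "$src" ] || return 1
    mkdir -p "$archive" || return 1
    dest="$archive/audit.log.$stamp"
    mv "$src" "$dest" && gzip -f "$dest" && printf '%s\n' "$dest.gz"
}

main() {
    if ! num_logs_is_zero "$AUDIT_CONF"; then
        echo "num_logs is not 0 in $AUDIT_CONF; auditd would also rotate" >&2
        return 1
    fi
    signal_rotate "$PID_FILE" || { echo "cannot signal auditd via $PID_FILE" >&2; return 1; }
    sleep 2   # give auditd a moment to finish the rename before touching the file
    archive_rotated_log "$AUDIT_LOGDIR" "$ARCHIVE_DIR" "$(date +%Y%m%d-%H%M%S)"
}

# From cron run "sh auditd-rotate.sh run"; with no argument only the
# functions are defined, so the file can be sourced for testing.
case "${1:-}" in run) main ;; esac
```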




