auditd.cron

auditd.cron

[warron.french]

[-- Attachment #1.1: Type: text/plain, Size: 1013 bytes --]

So, I needed a feature over 8 months ago, nobody could provide one for the
following:
       Rolling log files either when they hit a certain size or the day
changed over at midnight.

I know that I could have rolled the files at a specific size, by using the
*max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
there was no "builtin" for managing auto rotation at the start of a new day
(0000 hrs).

It looks like there is a file called */usr/share/doc/auditd-<**version>*
*/auditd.cron*

*.*
To me*, *this file is new; considering I needed it 8 months ago.

*Anyway, how is this file implemented? * Simply move it to a directory with
permissions to execute; ensure it is executable and then simply set up a
cronjob to execute it at whatever time of day that I wish?

*Finally, if I have '-e 2' as the last control in the audit.rules file;
will the auditd.cron which executes as service auditd rotate still function
properly?*

Thanks in advance,
--------------------------
Warron French

[-- Attachment #1.2: Type: text/html, Size: 2020 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auditd.cron

[Steve Grubb]

On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
>        Rolling log files either when they hit a certain size or the day
> changed over at midnight.
> 
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
> there was no "builtin" for managing auto rotation at the start of a new day
> (0000 hrs).
> 
> It looks like there is a file called */usr/share/doc/auditd-<**version>*
> */auditd.cron*
> 
> *.*
> To me*, *this file is new; considering I needed it 8 months ago.

Its over 9 years old.

> *Anyway, how is this file implemented? 

https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron

Its a shell script that end up sending SIGUSR1 to auditd. That causes auditd 
to rotate the files. But you would also configure auditd to not rotate files by 
setting num_logs to 0 in auditd.conf.

> * Simply move it to a directory with permissions to execute; ensure it is
> executable and then simply set up a cronjob to execute it at whatever time
> of day that I wish?

Yes. You can also extend the script by sleeping a couple seconds for the 
rotation and then rename the file and/or compress it and/or move it to another 
directory or partition. Whatever you want to do.

> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*

The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just 
rotates the files. So, it has no bearing on the matter.

-Steve

Re: auditd.cron

[Ed Christiansen MS]

[-- Attachment #1.1: Type: text/plain, Size: 2235 bytes --]

So, if I read this right, to implement an auditd log rotation that is 
based on time one would:

1. set num_logs to 0 in auditd.conf

2. send SIGUSR1 to auditd based on your log rotation schedule.

Are there any other nuances I need to take into consideration?

On 3/22/2017 5:48 PM, Steve Grubb wrote:
> On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
>> So, I needed a feature over 8 months ago, nobody could provide one for the
>> following:
>>        Rolling log files either when they hit a certain size or the day
>> changed over at midnight.
>>
>> I know that I could have rolled the files at a specific size, by using the
>> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
>> there was no "builtin" for managing auto rotation at the start of a new day
>> (0000 hrs).
>>
>> It looks like there is a file called */usr/share/doc/auditd-<**version>*
>> */auditd.cron*
>>
>> *.*
>> To me*, *this file is new; considering I needed it 8 months ago.
>
> Its over 9 years old.
>
>> *Anyway, how is this file implemented?
>
> https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron
>
> Its a shell script that end up sending SIGUSR1 to auditd. That causes auditd
> to rotate the files. But you would also configure auditd to not rotate files by
> setting num_logs to 0 in auditd.conf.
>
>> * Simply move it to a directory with permissions to execute; ensure it is
>> executable and then simply set up a cronjob to execute it at whatever time
>> of day that I wish?
>
> Yes. You can also extend the script by sleeping a couple seconds for the
> rotation and then rename the file and/or compress it and/or move it to another
> directory or partition. Whatever you want to do.
>
>> *Finally, if I have '-e 2' as the last control in the audit.rules file;
>> will the auditd.cron which executes as service auditd rotate still function
>> properly?*
>
> The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
> rotates the files. So, it has no bearing on the matter.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>


[-- Attachment #1.2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4680 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auditd.cron

[Simon Sekidde]

----- Original Message -----
> From: "Ed Christiansen MS" <edwardc@ll.mit.edu>
> To: linux-audit@redhat.com
> Sent: Thursday, March 23, 2017 9:28:34 AM
> Subject: Re: auditd.cron
> 
> So, if I read this right, to implement an auditd log rotation that is
> based on time one would:
> 
> 1. set num_logs to 0 in auditd.conf
> 
This implies no rotation

> 2. send SIGUSR1 to auditd based on your log rotation schedule.
> 
> Are there any other nuances I need to take into consideration?
> 

`service auditd rotate` will force a rotation

> On 3/22/2017 5:48 PM, Steve Grubb wrote:
> > On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> >> So, I needed a feature over 8 months ago, nobody could provide one for the
> >> following:
> >>        Rolling log files either when they hit a certain size or the day
> >> changed over at midnight.
> >>
> >> I know that I could have rolled the files at a specific size, by using the
> >> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> >> but
> >> there was no "builtin" for managing auto rotation at the start of a new
> >> day
> >> (0000 hrs).
> >>
> >> It looks like there is a file called */usr/share/doc/auditd-<**version>*
> >> */auditd.cron*
> >>
> >> *.*
> >> To me*, *this file is new; considering I needed it 8 months ago.
> >
> > Its over 9 years old.
> >
> >> *Anyway, how is this file implemented?
> >
> > https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron
> >
> > Its a shell script that end up sending SIGUSR1 to auditd. That causes
> > auditd
> > to rotate the files. But you would also configure auditd to not rotate
> > files by
> > setting num_logs to 0 in auditd.conf.
> >
> >> * Simply move it to a directory with permissions to execute; ensure it is
> >> executable and then simply set up a cronjob to execute it at whatever time
> >> of day that I wish?
> >
> > Yes. You can also extend the script by sleeping a couple seconds for the
> > rotation and then rename the file and/or compress it and/or move it to
> > another
> > directory or partition. Whatever you want to do.
> >
> >> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> >> will the auditd.cron which executes as service auditd rotate still
> >> function
> >> properly?*
> >
> > The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon
> > just
> > rotates the files. So, it has no bearing on the matter.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
> >
> 
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector

Re: auditd.cron

[Steve Grubb]

On Thursday, March 23, 2017 9:53:45 AM EDT Simon Sekidde wrote:
> ----- Original Message -----
> 
> > From: "Ed Christiansen MS" <edwardc@ll.mit.edu>
> > To: linux-audit@redhat.com
> > Sent: Thursday, March 23, 2017 9:28:34 AM
> > Subject: Re: auditd.cron
> > 
> > So, if I read this right, to implement an auditd log rotation that is
> > based on time one would:
> > 
> > 1. set num_logs to 0 in auditd.conf
> 
> This implies no rotation

Which is exactly what you want because the only setting checked to see if its 
time to rotate is the max_log_file setting.

> > 2. send SIGUSR1 to auditd based on your log rotation schedule.
>
> `service auditd rotate` will force a rotation

Yes, but it can be scripted without needing to use service if desired.

> > Are there any other nuances I need to take into consideration?

You might set max_log_file_action to ignore to avoid any syslog warnings. By 
using the SIGUSR1 method the logs will have a number appended to them and the 
audit utilities can still make sense of the order of log files.

If you choose to rename the files, then you will also need to make a script 
that understands the order and cats them into ausearch/report in the correct 
order if you still plan to use the native tools.

-Steve

> > On 3/22/2017 5:48 PM, Steve Grubb wrote:
> > > On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> > >> So, I needed a feature over 8 months ago, nobody could provide one for
> > >> the
> > >> 
> > >> following:
> > >>        Rolling log files either when they hit a certain size or the day
> > >> 
> > >> changed over at midnight.
> > >> 
> > >> I know that I could have rolled the files at a specific size, by using
> > >> the
> > >> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> > >> but
> > >> there was no "builtin" for managing auto rotation at the start of a new
> > >> day
> > >> (0000 hrs).
> > >> 
> > >> It looks like there is a file called
> > >> */usr/share/doc/auditd-<**version>*
> > >> */auditd.cron*
> > >> 
> > >> *.*
> > >> To me*, *this file is new; considering I needed it 8 months ago.
> > > 
> > > Its over 9 years old.
> > > 
> > >> *Anyway, how is this file implemented?
> > > 
> > > https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd
> > > .cron
> > > 
> > > Its a shell script that end up sending SIGUSR1 to auditd. That causes
> > > auditd
> > > to rotate the files. But you would also configure auditd to not rotate
> > > files by
> > > setting num_logs to 0 in auditd.conf.
> > > 
> > >> * Simply move it to a directory with permissions to execute; ensure it
> > >> is
> > >> executable and then simply set up a cronjob to execute it at whatever
> > >> time
> > >> of day that I wish?
> > > 
> > > Yes. You can also extend the script by sleeping a couple seconds for the
> > > rotation and then rename the file and/or compress it and/or move it to
> > > another
> > > directory or partition. Whatever you want to do.
> > > 
> > >> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> > >> will the auditd.cron which executes as service auditd rotate still
> > >> function
> > >> properly?*
> > > 
> > > The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon
> > > just
> > > rotates the files. So, it has no bearing on the matter.
> > > 
> > > -Steve
> > > 
> > > --
> > > Linux-audit mailing list
> > > Linux-audit@redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit

Re: auditd.cron

[Ryan Sawhill]

[-- Attachment #1.1: Type: text/plain, Size: 1269 bytes --]

On Wed, Mar 22, 2017 at 5:19 PM, warron.french <warron.french@gmail.com>
wrote:

> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
>        Rolling log files either when they hit a certain size or the day
> changed over at midnight.
>
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> but there was no "builtin" for managing auto rotation at the start of a new
> day (0000 hrs).
>
> It looks like there is a file called */usr/share/doc/auditd-<**version>*
> */auditd.cron*
>
> *.*
> To me*, *this file is new; considering I needed it 8 months ago.
>
> *Anyway, how is this file implemented? * Simply move it to a directory
> with permissions to execute; ensure it is executable and then simply set up
> a cronjob to execute it at whatever time of day that I wish?
>
> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*
>


Steve covered the important parts, but for more hand-holding:

How to implement audit log rotation with compression based on time instead
of size <https://access.redhat.com/solutions/661603>

[-- Attachment #1.2: Type: text/html, Size: 2136 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]