* RE: Linux-audit Digest, Vol 81, Issue 19
From: Rye, Gene R. @ 2011-06-30 17:21 UTC (permalink / raw)
To: linux-audit
Why not set up a cron job that will copy the contents of the audit.log
file and secure files to archive on a weekly basis? The files then
could be overwritten with the /dev/null file. This will ensure that the
data is captured in the event the autorotate fails.
-----Original Message-----
From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of
linux-audit-request@redhat.com
Sent: Thursday, June 30, 2011 12:00 PM
To: linux-audit@redhat.com
Subject: Linux-audit Digest, Vol 81, Issue 19
Today's Topics:
1. Audit rotate vs log rotate questions (Dole, Patrick A.)
2. Re: Audit rotate vs log rotate questions (Steve Grubb)
----------------------------------------------------------------------
Message: 1
Date: Wed, 29 Jun 2011 18:10:44 -0500
From: "Dole, Patrick A." <Patrick.Dole@gd-ais.com>
To: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Audit rotate vs log rotate questions
Message-ID: <5AE2942125A7394BB0DD5B9F32DF16921C0A1E10B9@EADC01-MABPRD11.ad.gd-ais.com>
Content-Type: text/plain; charset="us-ascii"
Hi,
I was hoping you could provide some help with audit rotation vs. logrotate.
I'm running REL 5 SElinux
In my daily.con I have 2 cron jobs that I believe should manage the
'audit.log' file; audit.cron and logrotate
My audit.cron includes:
service auditd rotate
Does this imply that the log always gets rotated, or is this based on
other conditional checks?
There are no other parameters in the audit.cron, so I don't see where
'max_log_size_action' or 'max_log_file_action' are checked.
Here is my auditd.conf
Also, I've read that cron doesn't like files with a period (.) in the
name - is this an issue with REL 5?
...
My Logrotate.conf is attached
My logrotate.d contains this file:
My basic question is wouldn't the audit.cron, if it actually rotates
the log, preclude the logrotate from properly capturing the right log
files monthly?
Also, if I wanted to ensure no audit.log data ever gets deleted, could I
simply increase the 'rotate 12' statement to something like 'rotate 60'
to keep 5 years of data (provided the disk doesn't get full)?
FYI, there is another utility that archives the log files and gives the
user the option to delete files after they are archived.
A response within a couple days, if possible, would be great.
Thanks for your help.
Pat Dole
General Dynamics AIS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: auditd.conf (application/octet-stream, 924 bytes)
URL: <https://www.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate.conf (application/octet-stream, 529 bytes)
URL: <https://www.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit (application/octet-stream, 536 bytes)
URL: <https://www.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment-0002.obj>
------------------------------
Message: 2
Date: Wed, 29 Jun 2011 19:55:05 -0400
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Dole, Patrick A." <Patrick.Dole@gd-ais.com>
Subject: Re: Audit rotate vs log rotate questions
Message-ID: <201106291955.05848.sgrubb@redhat.com>
Content-Type: Text/Plain; charset="iso-8859-15"
On Wednesday, June 29, 2011 07:10:44 PM Dole, Patrick A. wrote:
> I was hoping you could provide some help with audit rotation vs. logrotate
>
> I'm running REL 5 SElinux
> In my daily.con I have 2 cron jobs that I believe should manage the
> 'audit.log' file; audit.cron and logrotate
>
> My audit.cron includes:
> service auditd rotate
>
> Does this imply that the log always gets rotated, or is this based on
> other conditional checks?

This issues a signal to auditd and it immediately rotates without any
checks. If it had rotated 1 second before you issue the rotate command
because of file size checks, it would even rotate the empty audit log.

> There are no other parameters in the audit.cron, so I don't see where
> 'max_log_size_action' or 'max_log_file_action' are checked. Here is my
> auditd.conf

The audit daemon will rotate based on size in addition to the cron job
unless you set max_log_size_action to ignore. This will make 1 big log
file. If you want it to rotate, set the max_log_size appropriately and
choose another setting.

> Also, I've read that cron doesn't like files with a period (.) in the
> name - is this an issue with REL 5?

Offhand I have never heard such an issue, but I would think there should
be something in the /var/log/messages file if it didn't like it.

> My basic question is wouldn't the audit.cron, if it actually rotates
> the log, preclude the logrotate from properly capturing the right log
> files monthly?

Logrotate should not directly rotate the audit logs. I don't supply a
logrotate configuration, but if I did it would call service auditd rotate
so that auditd performs the action. The audit daemon has to fulfill
certain service guarantees that logrotate does not care about. For
example, if the audit disk partition gets full, auditd can take the
system down. Logrotate never will. So, you have to let auditd do its own
thing or you will have some issues.

> Also, if I wanted to ensure no audit.log data ever gets deleted, could I
> simply increase the 'rotate 12' statement to something like 'rotate 60'
> to keep 5 years of data (provided the disk doesn't get full)?

No, set the max_log_file_action to ignore. Note that this is a different
issue than what I described as making 1 big file.

> FYI, there is another utility that archives the log files and gives the
> user the option to delete files after they are archived.

There are probably people on this list that can tell you what they do. I
would suspect they have a custom cron job.

-Steve
------------------------------
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
End of Linux-audit Digest, Vol 81, Issue 19
*******************************************
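An added example of the "custom cron job" Steve mentions, not code from this thread or from the audit package. It keeps to his point that auditd, not logrotate or a truncation of the live file, owns rotation: the job only copies files auditd has already rotated and closed, and deletes nothing. It assumes auditd's numbered files live in /var/log/audit as audit.log.1, audit.log.2, ... and that ARCHIVE_DIR is a hypothetical destination.

```shell
#!/bin/sh
# Added example (not from the thread or the audit package): a cron-friendly
# archive step that runs after auditd's own rotation.  It copies only the
# already-rotated files (audit.log.N), never the live audit.log, names each
# copy by its SHA-256 so a weekly run does not re-archive a file that merely
# shifted from .1 to .2, and removes nothing.  Paths are assumed.

# Archive rotated audit logs from $1 into $2; print how many were new.
archive_rotated_logs() {
    logdir=$1; archdir=$2; added=0
    mkdir -p "$archdir" || return 1
    for f in "$logdir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue              # glob matched nothing
        sum=$(sha256sum < "$f" | cut -d' ' -f1)
        dest="$archdir/audit-$sum.log"
        [ -e "$dest" ] && continue           # identical content already kept
        cp -p "$f" "$dest" || return 1
        # Re-hash the copy: an archive that silently truncated is worse than none.
        copy=$(sha256sum < "$dest" | cut -d' ' -f1)
        if [ "$copy" != "$sum" ]; then rm -f "$dest"; return 1; fi
        chmod 0400 "$dest"                   # archive copies are read-only
        added=$((added + 1))
    done
    echo "$added"
}

# Check every archived file still matches the hash in its name; print count of bad files.
verify_archive() {
    bad=0
    for a in "$1"/audit-*.log; do
        [ -f "$a" ] || continue
        want=${a##*/audit-}; want=${want%.log}
        have=$(sha256sum < "$a" | cut -d' ' -f1)
        [ "$have" = "$want" ] || bad=$((bad + 1))
    done
    echo "$bad"
}

# Cron entry point (needs a running auditd, so not exercised by the test):
# ask auditd to rotate, as audit.cron does, let it close the old file, then archive.
rotate_then_archive() {
    service auditd rotate >/dev/null 2>&1 || return 1
    sleep 2
    archive_rotated_logs /var/log/audit "${ARCHIVE_DIR:-/srv/audit-archive}"
}
```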
* RE: Linux-audit Digest, Vol 81, Issue 19
From: Jai Arun Kumar Sundaram @ 2011-07-01 4:49 UTC (permalink / raw)
To: Rye, Gene R., linux-audit
Hey Rye, you are right. I have set up the same in my environment. :)
Thanks & Regards
Jai Arun Kumar Sundaram
Mobile +91 962 022 1364