From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditd.cron
Date: Wed, 22 Mar 2017 17:48:02 -0400
Message-ID: <4399543.tYVMYjfBej@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
> Rolling log files either when they hit a certain size or the day
> changed over at midnight.
>
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
> there was no "builtin" for managing auto rotation at the start of a new day
> (0000 hrs).
>
> It looks like there is a file called */usr/share/doc/auditd-<**version>*
> */auditd.cron*
>
> *.*
> To me*, *this file is new; considering I needed it 8 months ago.

It's over 9 years old.

> *Anyway, how is this file implemented?

https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron

It's a shell script that ends up sending SIGUSR1 to auditd. That causes auditd to
rotate the files. But you would also configure auditd to not rotate files by
setting num_logs to 0 in auditd.conf.

> * Simply move it to a directory with permissions to execute; ensure it is
> executable and then simply set up a cronjob to execute it at whatever time
> of day that I wish?

Yes. You can also extend the script by sleeping a couple seconds for the
rotation and then rename the file and/or compress it and/or move it to another
directory or partition. Whatever you want to do.

> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*

The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
rotates the files. So, it has no bearing on the matter.

-Steve
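
The extension described in the reply above (rotate, wait a couple of seconds, then rename, compress and move the rotated file), as an added example that is not part of the original message or of the project's auditd.cron. The function name, the environment variables, the default paths and the `audit.log.1` file name are assumptions; `service auditd rotate` is the command quoted in the thread.

```shell
#!/bin/sh
# Added example: rotate auditd logs from cron, then archive the rotated file.
# Assumed names (not from auditd.cron): AUDIT_LOG_DIR, AUDIT_ARCHIVE_DIR,
# ROTATE_CMD, ROTATE_WAIT, and the default paths below.

rotate_and_archive() {
    log_dir=${AUDIT_LOG_DIR:-/var/log/audit}
    archive_dir=${AUDIT_ARCHIVE_DIR:-/var/log/audit/archive}
    rotate_cmd=${ROTATE_CMD:-service auditd rotate}
    wait_secs=${ROTATE_WAIT:-2}

    # Audit records are sensitive: keep the archive owner-only.
    umask 077
    mkdir -p "$archive_dir" || return 1

    # Ask auditd to rotate; this ends up as SIGUSR1 to the daemon.
    $rotate_cmd || return 1
    # Give the daemon a moment to finish renaming its files.
    sleep "$wait_secs"

    # Assumes the default log_file name, so the rotated file is audit.log.1.
    rotated="$log_dir/audit.log.1"
    [ -f "$rotated" ] || return 2      # nothing was rotated

    dest="$archive_dir/audit-$(date +%Y%m%d-%H%M%S).log"
    # Never overwrite an existing archive.
    if [ -e "$dest" ] || [ -e "$dest.gz" ]; then
        return 3
    fi

    mv "$rotated" "$dest" || return 1
    gzip -9 "$dest" || return 1
    printf '%s\n' "$dest.gz"
}

# Run from cron as: /path/to/this-script run
if [ "${1:-}" = "run" ]; then
    rotate_and_archive
fi
```

The function prints the path of the compressed archive on success and returns 2 when no rotated file is found, so a cron wrapper can alert on a rotation that did not happen.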