On Mon, 2009-08-17 at 13:32 -0400, David Flatley wrote: > >> Lenny: > >> > >> I was going to move the rotated logs into /home/logs and use > "ausearch > >> -i -f /home/logs". > >> > >> > >> David Flatley CISSP > >> > >> > > >David, > > > >It won't work like that; exactly the issue I described: > > > >[r...@slim root]# mkdir logs-test > >[r...@slim root]# cd !$ > >cd logs-test > >[r...@slim logs-test]# auditctl -m "TEST message" > >[r...@slim logs-test]# service auditd rotate > >Rotating logs: [ OK ] > >[r...@slim logs-test]# cp /var/log/audit/audit.log.1 . > >[r...@slim logs-test]# ausearch -i -f `pwd` -m USER > ><no matches> > >[r...@slim logs-test]# grep TEST audit.log.1 > >node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191 > >uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST > message: > >exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 > res=success)' > > > > > >LCB. > > UGH this is a wrench in the works... > I was hoping to grab all the rotated logs, process them while still > allowing audit > to run with no interruptions. Problem I run into is I run ausearch -i > > /tmp/file and then > do ausearch -i /nfs/file with auditd stopped, then compare files and > if they are the same in > size then delete the /tmp/file. I do this to make sure I get the log > in the nfs archive directory > and the /tmp is a backup if there is a problem. If audit is running > there is no way the files will > be equal in size while processing the /var/log/audit data in two > different intervals.
It's a problem for me too. I was thinking about just patching the ausearch code to behave as desired...but hoping Steve beat me to it so there was a greatly reduced chance of bad code... :) As for the archive issue, what I am planning is to make a snapshot of my current audit log directory (technically the partition on which this lives; that's another SECSCN issue), then rsync the snapshot over to a backup server (via crossover network connection) and finally release the snap mount. Then I do not have to compare file sizes ... and really the size is only one indicator of correctness. You'd probably need a checksum activity. LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
