So, if I read this right, to implement an auditd log rotation that is based on time one would:

1. set num_logs to 0 in auditd.conf

2. send SIGUSR1 to auditd based on your log rotation schedule.

Are there any other nuances I need to take into consideration?

On 3/22/2017 5:48 PM, Steve Grubb wrote:
On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
So, I needed a feature over 8 months ago, nobody could provide one for the
following:
       Rolling log files either when they hit a certain size or the day
changed over at midnight.

I know that I could have rolled the files at a specific size, by using the
*max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
there was no "builtin" for managing auto rotation at the start of a new day
(0000 hrs).

It looks like there is a file called */usr/share/doc/auditd-<**version>*
*/auditd.cron*

*.*
To me*, *this file is new; considering I needed it 8 months ago.

Its over 9 years old.

*Anyway, how is this file implemented?

https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.cron

Its a shell script that end up sending SIGUSR1 to auditd. That causes auditd
to rotate the files. But you would also configure auditd to not rotate files by
setting num_logs to 0 in auditd.conf.

* Simply move it to a directory with permissions to execute; ensure it is
executable and then simply set up a cronjob to execute it at whatever time
of day that I wish?

Yes. You can also extend the script by sleeping a couple seconds for the
rotation and then rename the file and/or compress it and/or move it to another
directory or partition. Whatever you want to do.

*Finally, if I have '-e 2' as the last control in the audit.rules file;
will the auditd.cron which executes as service auditd rotate still function
properly?*

The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
rotates the files. So, it has no bearing on the matter.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to