On Thursday, January 26, 2017 1:22:10 AM EDT Steve Grubb wrote:
> Hello,
>
> On Wed, 25 Jan 2017 15:06:50 -0800
> Bond Masuda <[email protected]> wrote:
> > I configured space_left and space_left_action to run a script that
> > compresses and moves older audit log files from /var/log/audit. It
> > appears to work 1 time, and then doesn't work anymore until I kill
> > the auditd daemon and start it again.
> >
> > Is this expected and/or desired behavior? I didn't see anything in
> > the man pages about this behavior. I was hoping to have my script run
> > every time the space_left threshold is hit so as to not run out of
> > logging disk space. Is there something I can do to accomplish this?
>
> You may need to send SIGUSR2 to `pidof auditd` to reset the internal
> counters. Let me know if that does not fix it.
I dug into this in detail today. I apologize for how long it took, but our QE guy showed me how to reproduce this without losing a couple years of audit logs I use for testing and research.

In any event, your script must send SIGUSR2 to the audit daemon; the man page documents this by saying to use "service auditd resume". SELinux denies this by default, so you might have an AVC. I'll open a bz against selinux policy to ask for allowance on this.

But I did find one issue. When there is an exec action, auditd really should close its logging descriptor so that it's not writing to a deleted file. Then on SIGUSR2, it should re-open the descriptor. This was pushed into git today. So, the next release, which is tomorrow, will have a fix so that if your script sends SIGUSR2, auditd should behave in a more supportive way.

Please test again once you have 2.7.4 and let me know if you have any problems.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
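An added example of the kind of space_left_action exec script the thread discusses (not code from the thread or from the audit project): it compresses and moves only the already-rotated files, leaves the active audit.log that auditd holds open untouched, and then sends SIGUSR2 so auditd arms the threshold again. The archive directory and the install path /usr/local/sbin/audit-space-left.sh are assumptions.

```shell
#!/bin/sh
# Assumed deployment (not from the thread):
#   auditd.conf: space_left_action = EXEC /usr/local/sbin/audit-space-left.sh
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit-archive}"   # assumed location

# Compress and move rotated logs (audit.log.1, audit.log.2, ...).
# The active audit.log is deliberately skipped: auditd keeps it open, and
# moving or deleting it leaves the daemon writing to an unlinked file
# (the descriptor issue Steve describes above).  Prints the archived count.
archive_rotated_logs() {
    src="$1"; dst="$2"; n=0
    mkdir -p "$dst"
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue            # unmatched glob stays literal
        case "$f" in *.gz) continue ;; esac # already compressed
        gzip -9 "$f"                        # audit.log.N -> audit.log.N.gz
        mv "$f.gz" "$dst"/
        n=$((n + 1))
    done
    echo "$n"
}

# Reset auditd's space_left state so the action fires on the next crossing.
# Equivalent to "service auditd resume".  The script needs permission to
# signal auditd; a denial shows up as an AVC if SELinux policy forbids it.
resume_auditd() {
    pid=$(pidof auditd) || return 1
    kill -USR2 "$pid"
}

main() {
    count=$(archive_rotated_logs "$AUDIT_DIR" "$ARCHIVE_DIR")
    logger -t audit-space-left "archived $count rotated audit logs"
    resume_auditd
}

# Run the action only when invoked under the assumed install name, so the
# functions can also be sourced for testing without touching a live auditd.
case "$0" in */audit-space-left.sh) main ;; esac
```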
