Linux Archive: Fedora SELinux Support
force audit log rotation? (http://www.linux-archive.org/fedora-selinux-support/654529-force-audit-log-rotation.html)

Dominick Grift 04-10-2012 01:48 PM

force audit log rotation?
 
On Tue, 2012-04-10 at 08:26 -0400, Dr. Michael J. Chudobiak wrote:
> Hi all,
>
> How do I force an audit.log rotation in a systemd world (F16)?
>
> "service auditd rotate" no longer works, of course.
>
> - Mike

This seems to work for me:

systemctl kill -s SIGUSR1 auditd.service

> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux



Frank Murphy 04-10-2012 02:06 PM

force audit log rotation?
 
On 10/04/12 14:48, Dominick Grift wrote:
> This seems to work for me:
>
> systemctl kill -s SIGUSR1 auditd.service

Didn't work for me, but I modified the auditd.cron daily job to:
mv /var/log/audit/audit.log /var/log/audit/audit.old
touch /var/log/audit/audit.log

Now, as I'm not a bash guru, if I could figure a way to date audit.old*

--
Regards,
Frank
"Jack of all, fubars"

Dominick Grift 04-10-2012 02:10 PM

force audit log rotation?
 
On Tue, 2012-04-10 at 15:06 +0100, Frank Murphy wrote:
> On 10/04/12 14:48, Dominick Grift wrote:
>
> > This seems to work for me:
> >
> > systemctl kill -s SIGUSR1 auditd.service
> >
>
> Didn't work for me,
>
> but I modified the auditd.cron daily job to:
> mv /var/log/audit/audit.log /var/log/audit/audit.old
> touch /var/log/audit/audit.log
>
> Now as I'm not a bash guru,
> If I could figure a way to date audit.old*
>

That's not going to work because auditd is not going to like the
permissions on the new audit.log.

Really though it works for me:

[root@q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0 root 429 0.0 0.0 0 0 ? S Mar31 0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0 0.0 115160 2984 pts/1 S+ 15:31 0:00 nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0 root 2327 0.0 0.0 91740 1084 ? S<sl 15:35 0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2582 0.0 0.0 109396 912 pts/0 S+ 16:08 0:00 grep --color=auto auditd
[root@q9000 system]# ls -l /var/log/audit
total 3940
-rw-------. 1 root root 1597 Apr 10 16:01 audit.log
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.1
[root@q9000 system]# systemctl kill -s SIGUSR1 auditd.service
[root@q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0 root 429 0.0 0.0 0 0 ? S Mar31 0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0 0.0 115160 2984 pts/1 S+ 15:31 0:00 nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0 root 2327 0.0 0.0 91740 1088 ? S<sl 15:35 0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2598 0.0 0.0 109396 916 pts/0 S+ 16:08 0:00 grep --color=auto auditd
[root@q9000 system]# ls -l /var/log/audit
total 3944
-rw-------. 1 root root 112 Apr 10 16:08 audit.log
-r--------. 1 root root 1597 Apr 10 16:01 audit.log.1
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.2



Dominick Grift 04-10-2012 03:08 PM

force audit log rotation?
 
On Tue, 2012-04-10 at 15:48 +0200, Dominick Grift wrote:
> On Tue, 2012-04-10 at 08:26 -0400, Dr. Michael J. Chudobiak wrote:
> > Hi all,
> >
> > How do I force an audit.log rotation in a systemd world (F16)?
> >
> > "service auditd rotate" no longer works, of course.
> >
> > - Mike
>
> This seems to work for me:
>
> systemctl kill -s SIGUSR1 auditd.service
>

I think that auditd.cron needs to be edited:

# diff
-u /usr/share/doc/audit-2.2.1/auditd.cron /etc/cron.hourly/auditd.cron
--- /usr/share/doc/audit-2.2.1/auditd.cron 2012-03-23 13:42:39.000000000
+0100
+++ /etc/cron.hourly/auditd.cron 2012-04-10 16:51:11.813528608 +0200
@@ -5,7 +5,9 @@
# based on a cron job.
##########

-/sbin/service auditd rotate
+# /sbin/service auditd rotate
+systemctl kill -s SIGUSR1 auditd.service
+
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t auditd "ALERT exited abnormally with
[$EXITVALUE]"
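Review bot: the `EXITVALUE=$?` context line now captures the exit status of `systemctl kill -s SIGUSR1 auditd.service`, which only reports whether the signal could be sent to the unit, not whether auditd actually closed the old file and opened a new audit.log, so the "ALERT exited abnormally" logger call below will stay silent when rotation itself fails (much as the original init-script `rotate` action, which also only delivered the signal). Suggest following the signal with a check that /var/log/audit/audit.log really changed, for instance by comparing its inode or size before and after the way the `ls -l` listings earlier in the thread do, and logging the ALERT on that result instead. Minor: the commented-out `# /sbin/service auditd rotate` line and the added blank `+` line can be dropped rather than kept in the cron job.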




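The thread's recipe, as an added example that is not code from the list, the audit package or its auditd.cron: a POSIX shell script that sends SIGUSR1 the way Dominick's command does, then verifies that auditd really opened a new audit.log (its inode changes, which is what the before/after ls -l listings above show) rather than trusting the signal's exit status as the edited cron job does, and copies the numbered audit.log.N files auditd produces to date-stamped names, which is the dating Frank was after without touching the live file auditd owns. AUDIT_DIR, AUDIT_ROTATE_CMD and the function names are assumptions introduced here; the rotate command can be pointed at a stand-in so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or the audit package): force an auditd
# log rotation with the SIGUSR1 method from the thread and verify it worked.
# Assumptions: auditd writes $AUDIT_DIR/audit.log and, on SIGUSR1, renames it
# to audit.log.1, audit.log.2, ... before opening a fresh audit.log, as the
# ls -l listings in the thread show. AUDIT_DIR and AUDIT_ROTATE_CMD are
# hypothetical knobs so the functions can be run against a scratch directory.

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
# Left unquoted at the call site on purpose so it splits into a command line.
AUDIT_ROTATE_CMD="${AUDIT_ROTATE_CMD:-systemctl kill -s SIGUSR1 auditd.service}"

# Inode number of a file; empty output if it does not exist (ls -i is POSIX).
inode_of() {
    ls -i "$1" 2>/dev/null | awk '{print $1}'
}

# Log to syslog the way auditd.cron does, without failing where logger is absent.
alert() {
    command -v logger >/dev/null 2>&1 && logger -t auditd "ALERT $1" 2>/dev/null || true
    return 0
}

# rotate_audit_log [attempts]
# Signal auditd, then poll (1 s apart) until audit.log has a new inode.
# systemctl's exit status only says the signal was delivered, so the inode
# comparison is what proves the rotation happened.
# Returns 0 on a verified rotation, 1 if the signal could not be sent,
# 2 if no new audit.log appeared within the given number of attempts.
rotate_audit_log() {
    attempts="${1:-10}"
    log="$AUDIT_DIR/audit.log"
    [ -f "$log" ] || { alert "no live log at $log"; return 1; }
    before=$(inode_of "$log")
    if ! $AUDIT_ROTATE_CMD; then
        alert "rotate signal failed for auditd"
        return 1
    fi
    i=0
    while [ "$i" -lt "$attempts" ]; do
        after=$(inode_of "$log")
        if [ -n "$after" ] && [ "$after" != "$before" ]; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$attempts" ]; then sleep 1; fi
    done
    alert "rotation not observed on $log after $attempts attempts"
    return 2
}

# archive_rotated_logs DEST
# Copy each audit.log.N that auditd produced into DEST as
# audit-YYYYmmdd-HHMMSS-N.log, preserving auditd's read-only root mode (cp -p).
# The originals are left alone so auditd's own num_logs handling still applies.
# Prints the number of files copied.
archive_rotated_logs() {
    dest="$1"
    stamp=$(date +%Y%m%d-%H%M%S)
    count=0
    mkdir -p "$dest" || return 1
    for f in "$AUDIT_DIR"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        n="${f##*.}"
        cp -p "$f" "$dest/audit-$stamp-$n.log" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone use (as root, on a host running auditd):
#   rotate_audit_log && archive_rotated_logs /var/log/audit/archive
```

The inode comparison is the part the cron job lacks: `systemctl kill` returns 0 as soon as the signal is delivered, so a rotation that auditd refuses (for instance because it cannot create the new file) would otherwise go unnoticed and unlogged.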

"Dr. Michael J. Chudobiak" 04-17-2012 02:40 PM

force audit log rotation?
 
On 04/10/2012 09:48 AM, Dominick Grift wrote:
>> How do I force an audit.log rotation in a systemd world (F16)?
>
> systemctl kill -s SIGUSR1 auditd.service

Thanks, that does the trick.

- Mike

