audit log still getting rotated even with max_log_file_action = ignore?
by Bond Masuda
I'm seeing my /var/log/audit/audit.log getting rotated (I find an audit.1
or audit.2, etc. file) even though I have max_log_file_action=ignore.
Here's the full auditd.conf:
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 6
max_log_file_action = ignore
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = exec /usr/local/bin/remove_oldest_audit_log
disk_full_action = exec /usr/local/bin/remove_oldest_audit_log
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
what am I missing?
I have a cron job in /etc/cron.daily/auditd that I use to rotate +
compress the audit logs, but this is not what is causing the audit log
rotation.
Is there another setting I must set in order for it to not automatically
rotate the audit log? How do I achieve the desired effect, where the
audit log is only rotated when my cron script runs?
Thanks,
Bond
8 years, 11 months
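The posted auditd.conf sets max_log_file_action to ignore but also hands admin_space_left_action and disk_full_action to an external program, and auditd has no way of knowing what such a program does to the log directory. The following checker is an added example and not part of the original post or of the audit project; it parses an auditd.conf (the sample text is constructed to mirror the one above) and lists every action setting that can rotate or remove logs independently of max_log_file_action. The helper names parse_auditd_conf and rotation_triggers are hypothetical.

```python
"""List auditd.conf settings that can rotate or remove audit logs.

Added example, not code from the mailing-list post. SAMPLE_CONF is a
constructed copy of the posted configuration; the functions below are
hypothetical helpers, not part of auditd.
"""

SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
num_logs = 5
max_log_file = 6
max_log_file_action = ignore
space_left = 75
space_left_action = email
admin_space_left = 50
admin_space_left_action = exec /usr/local/bin/remove_oldest_audit_log
disk_full_action = exec /usr/local/bin/remove_oldest_audit_log
disk_error_action = SUSPEND
"""

# Settings that name an action auditd takes on some condition.
ACTION_KEYS = (
    "max_log_file_action",
    "space_left_action",
    "admin_space_left_action",
    "disk_full_action",
    "disk_error_action",
)

# Action values on which auditd itself rotates the log file.
ROTATING_ACTIONS = {"rotate", "keep_logs"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines into a dict; keys are lower-cased,
    comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def rotation_triggers(settings):
    """Return (key, value, reason) for every action that can rotate or
    delete logs regardless of max_log_file_action."""
    findings = []
    for key in ACTION_KEYS:
        value = settings.get(key, "")
        # The action keyword is the first token; 'exec' carries a path after it.
        action = value.split(None, 1)[0].lower() if value else ""
        if action in ROTATING_ACTIONS:
            findings.append((key, value, "auditd rotates the log itself"))
        elif action == "exec":
            findings.append((key, value,
                             "external program; auditd cannot know whether it "
                             "rotates or deletes logs"))
    return findings


if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    print("max_log_file_action =", conf.get("max_log_file_action"))
    for key, value, reason in rotation_triggers(conf):
        print(f"{key} = {value}\n    -> {reason}")
```

Run against the real file with `parse_auditd_conf(open("/etc/audit/auditd.conf").read())`; any line it reports is a place where log files can appear or disappear without max_log_file_action being involved, so those scripts and the cron job are the first things to compare against the timestamps of the audit.1 files.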
SELinux policy reload cannot be sent to audit system
by Laurent Bigonville
Hi,
With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
dbus daemon is complaining with the following message:
nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
sauid=102 hostname=? addr=? terminal=?
This is the system dbus daemon running as "messagebus":
message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
--systemd-activation
Looking at the capabilities:
$ sudo getpcaps 1057
Capabilities for `1057': = cap_audit_write+ep
All other user_avc messages seem to be properly logged in audit.
An idea?
Cheers,
Laurent Bigonville
8 years, 12 months
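The getpcaps output above shows the daemon holding only cap_audit_write in its permitted and effective sets, which is the capability a process needs to write USER_AVC records to the audit socket. The snippet below is an added example, not part of the original post or of dbus; it reads the capability masks the way /proc/<pid>/status reports them (the status text is constructed to match the posted process, with CapEff 0x20000000 = bit 29) and reports which capability bits are set. The constants come from linux/capability.h; the helper names are hypothetical.

```python
"""Decode /proc/<pid>/status capability masks and check CAP_AUDIT_WRITE.

Added example, not from the mailing-list post. SAMPLE_STATUS is a
constructed status file for a process that holds only cap_audit_write
in its permitted and effective sets, matching the posted getpcaps output.
"""

# Bit numbers from linux/capability.h.
CAP_AUDIT_WRITE = 29    # write records to the kernel audit log
CAP_AUDIT_CONTROL = 30  # configure auditing and audit rules

SAMPLE_STATUS = """\
Name:\tdbus-daemon
Pid:\t1057
Uid:\t102\t102\t102\t102
CapInh:\t0000000000000000
CapPrm:\t0000000020000000
CapEff:\t0000000020000000
CapBnd:\t0000003fffffffff
"""

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")


def capability_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from a status file body."""
    masks = {}
    for line in status_text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key in CAP_FIELDS:
            masks[key] = int(value.strip(), 16)
    return masks


def set_bits(mask):
    """Capability numbers whose bit is set in mask, ascending."""
    return [bit for bit in range(64) if mask >> bit & 1]


def has_cap(mask, cap):
    """True if capability number cap is present in mask."""
    return bool(mask >> cap & 1)


def can_write_audit(status_text):
    """True if the process's effective set contains CAP_AUDIT_WRITE."""
    masks = capability_masks(status_text)
    return has_cap(masks.get("CapEff", 0), CAP_AUDIT_WRITE)


if __name__ == "__main__":
    masks = capability_masks(SAMPLE_STATUS)
    for name in CAP_FIELDS:
        print(f"{name}: {masks[name]:016x} -> bits {set_bits(masks[name])}")
    print("CAP_AUDIT_WRITE effective:", can_write_audit(SAMPLE_STATUS))
```

On a live system, `capability_masks(open("/proc/1057/status").read())` gives the same view as getpcaps; if CAP_AUDIT_WRITE is in CapEff, a "Can't send to audit system" failure is not a missing-capability problem and the audit netlink path itself is the next thing to look at.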
[RFC PATCH] audit: remove audit_backlog_wait_overflow
by Paul Moore
It seems much more obvious and readable to simply use "0".
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
kernel/audit.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 5a3ae37..6b4ae65 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -110,7 +110,6 @@ static u32 audit_backlog_limit = 64;
#define AUDIT_BACKLOG_WAIT_TIME (60 * HZ)
static u32 audit_backlog_wait_time_master = AUDIT_BACKLOG_WAIT_TIME;
static u32 audit_backlog_wait_time = AUDIT_BACKLOG_WAIT_TIME;
-static u32 audit_backlog_wait_overflow = 0;
/* The identity of the user shutting down the audit system. */
kuid_t audit_sig_uid = INVALID_UID;
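Review bot: The removed variable was file-scope, static, initialised to 0 and, going by the diffstat (one insertion, two deletions in kernel/audit.c), never written anywhere else, so dropping it changes no behaviour; it would help reviewers if the commit message said so explicitly rather than only calling the literal more readable.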
@@ -1395,7 +1394,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
skb_queue_len(&audit_skb_queue),
audit_backlog_limit);
audit_log_lost("backlog limit exceeded");
- audit_backlog_wait_time = audit_backlog_wait_overflow;
+ audit_backlog_wait_time = 0;
wake_up(&audit_backlog_wait);
return NULL;
}
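Review bot: A bare `audit_backlog_wait_time = 0;` loses the meaning the old name carried (the wait time to use once the backlog has overflowed); consider keeping that intent visible with a short comment on the new line, e.g. `audit_backlog_wait_time = 0; /* stop waiting once the backlog limit is exceeded */`, so the reader of this branch does not have to look up why the wait is cleared before `wake_up(&audit_backlog_wait)`.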
8 years, 12 months
[GIT PULL] Audit patches for 4.4
by Paul Moore
Hi Linus,
Seven audit patches for 4.4, but really only one of any significant value; the
remainder are trivial cleanups that are described well enough in the patch
descriptions. The one significant patch is an attempt to make communication
between the kernel's audit subsystem and the userspace audit daemon a bit more
robust by retrying on certain transient error conditions. All in all, it's a
pretty small set of patches this time around with just fixes and cleanups;
please pull for 4.4.
Thanks,
-Paul
---
The following changes since commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861:
Linux 4.3 (2015-11-01 16:05:25 -0800)
are available in the git repository at:
git://git.infradead.org/users/pcmoore/audit upstream
for you to fetch changes up to 233a68667cf4c134d07ef7e22bdd77786b5c7360:
audit: make audit_log_common_recv_msg() a void function
(2015-11-04 08:23:52 -0500)
----------------------------------------------------------------
Paul Moore (1):
audit: make audit_log_common_recv_msg() a void function
Richard Guy Briggs (1):
audit: try harder to send to auditd upon netlink failure
Saurabh Sengar (1):
audit: removing unused variable
Scott Matheina (1):
audit: fix comment block whitespace
Yaowei Bai (3):
audit: audit_dummy_context can be boolean
audit: audit_string_contains_control can be boolean
audit: audit_tree_match can be boolean
include/linux/audit.h | 8 ++++----
kernel/audit.c | 42 ++++++++++++++++++++++++++++--------------
kernel/audit.h | 2 +-
kernel/audit_tree.c | 6 +++---
kernel/auditfilter.c | 14 +++++++-------
5 files changed, 43 insertions(+), 29 deletions(-)
--
paul moore
security @ redhat
8 years, 12 months