Why not set up a cron job that will copy the contents of the audit.log
file and secure files to archive on a weekly basis? The files then
could be overwritten with the /dev/null file. This will ensure that the
data is captured in the event the autorotate fails.
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of
linux-audit-request(a)redhat.com
Sent: Thursday, June 30, 2011 12:00 PM
To: linux-audit(a)redhat.com
Subject: Linux-audit Digest, Vol 81, Issue 19
Today's Topics:
1. Audit rotate vs log rotate questions (Dole, Patrick A.)
2. Re: Audit rotate vs log rotate questions (Steve Grubb)
----------------------------------------------------------------------
Message: 1
Date: Wed, 29 Jun 2011 18:10:44 -0500
From: "Dole, Patrick A." <Patrick.Dole(a)gd-ais.com>
To: "linux-audit(a)redhat.com" <linux-audit(a)redhat.com>
Subject: Audit rotate vs log rotate questions
Hi,
I was hoping you could provide some help with audit rotation vs.
logrotate.
I'm running REL 5 SELinux.
In my daily.con I have 2 cron jobs that I believe should manage the
'audit.log' file: audit.cron and logrotate.
My audit.cron includes:
    service auditd rotate
Does this imply that the log always gets rotated, or is this based on
other conditional checks?
There are no other parameters in the audit.cron, so I don't see where
'max_log_size_action' or 'max_log_file_action' are checked.
Here is my auditd.conf
Also, I've read that cron doesn't like files with a period (.) in the
name - is this an issue with REL 5?
...
My Logrotate.conf is attached
My logrotate.d contains this file:
My basic question is: wouldn't the audit.cron, if it actually rotates
the log, preclude the logrotate from properly capturing the right log
files monthly?
Also, if I wanted to ensure no audit.log data ever gets deleted, could I
simply increase the 'rotate 12' statement to something like 'rotate 60'
to keep 5 years of data (provided the disk doesn't get full)?
FYI, there is another utility that archives the log files and gives the
user the option to delete files after they are archived.
A response within a couple days, if possible, would be great.
Thanks for your help.
Pat Dole
General Dynamics AIS
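
Added example, not part of either message above: a sketch of the weekly archive job suggested in the reply, written to copy only the files that `service auditd rotate` has already rotated out, so the live audit.log is never modified while auditd is writing to it. It assumes rotated files are named audit.log.1, audit.log.2, ...; the function name, the archive naming scheme and the /var/log/audit-archive path are assumptions of this example.

```shell
#!/bin/sh
# Added example: archive auditd's rotated logs without touching the live file.
# Assumes rotated files are named audit.log.1, audit.log.2, ... in the source
# directory. The archive layout (audit-<sha256>.log) is this example's choice.
#
# Weekly cron usage (destination path is an assumption):
#   archive_rotated_audit_logs /var/log/audit /var/log/audit-archive

archive_rotated_audit_logs() {
    src=$1
    dest=$2
    archived=0
    mkdir -p "$dest" || return 1
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        sum=$(sha256sum "$f" | cut -d' ' -f1) || return 1
        target="$dest/audit-$sum.log"
        # Content-addressed name: a file that is already archived is skipped,
        # even after auditd renumbers it (audit.log.1 -> audit.log.2).
        [ -f "$target" ] && continue
        tmp="$target.tmp.$$"
        cp -p "$f" "$tmp" || { rm -f "$tmp"; return 1; }
        copied=$(sha256sum "$tmp" | cut -d' ' -f1)
        if [ "$copied" != "$sum" ]; then   # verify the copy before publishing
            rm -f "$tmp"
            return 1
        fi
        mv "$tmp" "$target" || return 1
        archived=$((archived + 1))
    done
    echo "$archived"                       # number of files newly archived
}
```

The function prints how many files it newly archived, so the cron wrapper can log that number or alert when a run unexpectedly archives nothing.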