On Thursday, January 26, 2017 1:22:10 AM EDT Steve Grubb wrote:
> Hello,
> On Wed, 25 Jan 2017 15:06:50 -0800
> Bond Masuda <bond.masuda(a)jlbond.com> wrote:
> > I configured space_left and space_left_action to run a script that
> > compresses and moves older audit log files from /var/log/audit. It
> > appears to work 1 time, and then doesn't work anymore until I kill
> > the auditd daemon and start it again.
> >
> > Is this expected and/or desired behavior? I didn't see anything in
> > the man pages about this behavior. I was hoping to have my script run
> > every time the space_left threshold is hit so as to not run out of
> > logging disk space. Is there something I can do to accomplish this?
> You may need to send SIGUSR2 to `pidof auditd` to reset the internal
> counters. Let me know if that does not fix it.
I dug into this in detail today. I apologize for how long it took, but our QE
guy showed me how to reproduce this without losing a couple years of audit
logs I use for testing and research.
In any event, your script must send SIGUSR2 to the audit daemon; the man page
documents this by saying to use "service auditd resume". SELinux denies this
by default, so you might have an AVC. I'll open a bz against selinux policy
to ask for allowance on this.
But I did find one issue. When there is an exec action, auditd really should
close its logging descriptor so that it's not writing to a deleted file. Then
on SIGUSR2, it should re-open the descriptor. This was pushed into git today.
So, the next release, which is tomorrow, will have a fix so that if your script
sends SIGUSR2, auditd should behave in a more supportive way.
Please test again once you have 2.7.4 and let me know if you have any
problems.
-Steve
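A space_left_action script of the kind discussed in this thread, written as an added example (not from the thread or the audit project): it compresses the rotated logs and then sends SIGUSR2 so auditd resets its space_left state and reopens its log. The script name audit-space-left.sh, the archive directory and the variable names are assumptions.

```shell
#!/bin/sh
# Added example for auditd.conf's "space_left_action = exec <script>"; the script
# path, archive directory and variable names are assumptions, not from the thread.
# auditd runs the exec action once and then stays in its low-space state until it
# gets SIGUSR2, so the script ends by signalling the daemon (what
# "service auditd resume" does).

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"

# Compress rotated logs (audit.log.1, audit.log.2, ...) into $2, then delete the
# originals. The live audit.log is left alone: auditd still has it open, and
# removing it is the "writing to a deleted file" problem the thread describes.
# Prints the number of files archived.
archive_rotated_logs() {
    dir="$1"; dest="$2"
    mkdir -p "$dest"
    count=0
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue              # glob matched nothing
        case "$f" in *.gz) continue ;; esac
        if gzip -c "$f" > "$dest/${f##*/}.gz"; then
            rm -f "$f"
            count=$((count + 1))
        else
            rm -f "$dest/${f##*/}.gz"        # keep the original if gzip failed
        fi
    done
    echo "$count"
}

# SIGUSR2 makes auditd reset its space_left counters and, from 2.7.4 according
# to the thread, reopen its log descriptor. $1 is the daemon's pid.
send_resume_signal() {
    kill -USR2 "$1"
}

resume_auditd() {
    pid=$(pidof auditd 2>/dev/null) || return 1   # not running, or no pidof
    send_resume_signal "$pid"
}

main() {
    n=$(archive_rotated_logs "$AUDIT_DIR" "$ARCHIVE_DIR")
    logger -t audit-space-left "archived $n rotated audit logs" 2>/dev/null || :
    resume_auditd || logger -t audit-space-left "auditd not running; no SIGUSR2 sent" 2>/dev/null || :
}
# Act only when run as the installed script, so it can also be sourced for testing.
if [ "${0##*/}" = "audit-space-left.sh" ]; then main; fi
```

If SELinux blocks the signal from the exec'd script, the AVC denial will show up in the audit log itself, which is the case Steve mentions above.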