Is there a reason not to include /var/log/audit/audit.log in the logrotate regime? If not, what would need to go in a logrotate script to get selinux to start a new log file?
Thanks.
> Is there a reason not to include /var/log/audit/audit.log in the logrotate regime?
Yes, CAPP has requirements that all audit failures be handled appropriately. This includes an error rotating logs. The audit daemon handles its own log rotation.
Hope this helps...
-Steve
__________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com
On Mon, 24 Oct 2005, Steve G wrote:
> > Is there a reason not to include /var/log/audit/audit.log in the logrotate regime?
> Yes, CAPP has requirements that all audit failures be handled appropriately. This includes an error rotating logs. The audit daemon handles its own log rotation.
> Hope this helps...
Thanks. The only thing it didn't explain is why I never see rotated audit logs. Since installing FC4, I've only ever seen a single audit.log, now up to almost 8MB.
I was going to ask if there is a config setting someplace, but I found it and I see that it rotates at 8MB. My confusion was that it never seemed to get rotated with the other logs.
-Steve
Steve G wrote:
> > Is there a reason not to include /var/log/audit/audit.log in the logrotate regime?
> Yes, CAPP has requirements that all audit failures be handled appropriately. This includes an error rotating logs. The audit daemon handles its own log rotation.
> Hope this helps...
> -Steve
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Is there something other than the size of the logfile that can be used to cause the rotation? Would an RFE for a command to the daemon to cause a rotation be appropriate? How about something in the config file to tell it "daily" or similar?
Thanks,
Richard Hally
> Is there something other than the size of the logfile that can be used to cause the rotation?
Not at this point. Would you need this to archive files or to reduce disk space consumption? I'm curious about what problem this would alleviate.
> Would an RFE for a command to the daemon to cause a rotation be appropriate?
Not necessarily. Just tell me why you want this and I might be able to put it in.
-Steve
On 10/25/05, Steve G linux_4ever@yahoo.com wrote:
> > Is there something other than the size of the logfile that can be used to cause the rotation?
> Not at this point. Would you need this to archive files or to reduce disk space consumption? I'm curious about what problem this would alleviate.
The problems I can see are:
1) A set policy of log rotation. One area I know of needs to be able to rotate the logs every 24 hours so that they can be archived on a special media.
2) The audit logs are huge and stick out as a visual eye popper if you are looking in /var/log. The standard training for a sysadmin is to look for files that are larger than a certain size and look through them for problems.
3) Some incremental backup programs can go wonky on large text files. This shows up a lot on remote backups where the backup is done via a seek through the file to see where the changes are. [some of these programs could use the minimal rsync algorithms..] but they seem to be things that sites with policies have to work around versus getting a fix.
-- Stephen J Smoogen. CSIRT/Linux System Administrator
On Wed, 26 Oct 2005, Stephen J. Smoogen wrote:
On 10/25/05, Steve G linux_4ever@yahoo.com wrote:
> > > Is there something other than the size of the logfile that can be used to cause the rotation?
> > Not at this point. Would you need this to archive files or to reduce disk space consumption? I'm curious about what problem this would alleviate.
> The problems I can see are:
> 1) A set policy of log rotation. One area I know of needs to be able to rotate the logs every 24 hours so that they can be archived on a special media.
> 2) The audit logs are huge and stick out as a visual eye popper if you are looking in /var/log. The standard training for a sysadmin is to look for files that are larger than a certain size and look through them for problems.
The "principle of least surprise" would seem to dictate that audit log rotation follow the standard policy for logrotate, rotating nightly or weekly. The failure of audit.log to follow that policy is what prompted my question in the first place.
> 3) Some incremental backup programs can go wonky on large text files. This shows up a lot on remote backups where the backup is done via a seek through the file to see where the changes are. [some of these programs could use the minimal rsync algorithms..] but they seem to be things that sites with policies have to work around versus getting a fix.
> -- Stephen J Smoogen. CSIRT/Linux System Administrator
> 1) A set policy of log rotation. One area I know of needs to be able to rotate the logs every 24 hours so that they can be archived on a special media.
This sounds like a good reason. Consider it done. I'll schedule this feature for something in the 1.1.x development series.
Thanks, -Steve
> Is there something other than the size of the logfile that can be used to cause the rotation? Would an RFE for a command to the daemon to cause a rotation be appropriate? How about something in the config file to tell it "daily" or similar?
OK. I thought about this problem. Keeping track of time and deciding when to rotate is an ugly problem. What I decided to do is make sigusr1 force a rotation of the logs.
I added a rotate command to the initscript so that you can do "service auditd rotate". Then I created a small script that is stored in the docs directory, /usr/share/doc/audit-1.0.10/auditd.cron, since I don't want it installed by default. The script is intended to be used with cron so that you can force a rotation at whatever is convenient - daily, weekly, every 12 hours.
I would also like to point out that if you are wanting to see what time ranges are contained in the logs, you just run "aureport -t".
The changes are in audit-1.0.10-1 which is in rawhide. If there are no problems reported with that release, I will roll it out for FC4 next week. Please let me know if there are any problems with this scheme.
-Steve
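A cron-driven rotation helper of the kind Steve describes, written here as an added example (it is not the auditd.cron script shipped in /usr/share/doc/audit-1.0.10, nor the initscript's "rotate" target): it reads the daemon's pid file, checks that the contents are a sane pid, and sends SIGUSR1. The pid-file path /var/run/auditd.pid, the function name and the install path in the crontab comment are assumptions.

```shell
#!/bin/sh
# Force the audit daemon to open a new log file by sending it SIGUSR1, the
# rotation trigger described in the thread. Meant to be run from cron so that
# rotation happens on a schedule (nightly, weekly, every 12 hours) in addition
# to auditd's own size-based rotation.
# Assumption: auditd records its pid in /var/run/auditd.pid; set AUDITD_PIDFILE
# to override it.

AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"

# rotate_audit_log PIDFILE
# Exit status: 0 signal sent, 1 pid file unreadable or malformed,
#              2 no process with that pid, 3 signal could not be delivered.
rotate_audit_log() {
    pidfile="$1"
    if [ ! -r "$pidfile" ]; then
        echo "rotate_audit_log: cannot read $pidfile" >&2
        return 1
    fi
    # Take only the first line and accept nothing but digits, so a truncated
    # or tampered pid file can never turn into a signal to some unrelated
    # process ("-1", for example, would signal every process we own).
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*)
            echo "rotate_audit_log: $pidfile does not contain a pid" >&2
            return 1 ;;
    esac
    # Confirm the process exists before signalling it. A stale pid file
    # after a crash is the common failure, and that should be reported,
    # not silently ignored, since CAPP wants rotation failures handled.
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "rotate_audit_log: no process with pid $pid" >&2
        return 2
    fi
    # SIGUSR1 tells auditd to close audit.log and start a fresh one.
    kill -s USR1 "$pid" || return 3
    return 0
}

# Example crontab line (assumed install path): rotate every night at 00:00.
#   0 0 * * * /usr/local/sbin/rotate-audit-log --now
if [ "${1:-}" = "--now" ]; then
    rotate_audit_log "$AUDITD_PIDFILE"
fi
```

Where the initscript from audit-1.0.10 is installed, "service auditd rotate" does the same thing and is the simpler choice for the cron entry; the function above is useful where the pid file is the only handle you have.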
On 11/5/05, Steve G linux_4ever@yahoo.com wrote:
> > Is there something other than the size of the logfile that can be used to cause the rotation? Would an RFE for a command to the daemon to cause a rotation be appropriate? How about something in the config file to tell it "daily" or similar?
> OK. I thought about this problem. Keeping track of time and deciding when to rotate is an ugly problem. What I decided to do is make sigusr1 force a rotation of the logs.
> I added a rotate command to the initscript so that you can do "service auditd rotate". Then I created a small script that is stored in the docs directory, /usr/share/doc/audit-1.0.10/auditd.cron, since I don't want it installed by default. The script is intended to be used with cron so that you can force a rotation at whatever is convenient - daily, weekly, every 12 hours.
Wouldn't it be better to add this to logrotate? There are several programs that get rotated and get a signal to them to get to a new log. The details being getting the signal without losing events or something.. need more sleep.
-- Stephen J Smoogen. CSIRT/Linux System Administrator