force audit log rotation?

Dominick Grift dominick.grift at gmail.com
Tue Apr 10 14:10:24 UTC 2012


On Tue, 2012-04-10 at 15:06 +0100, Frank Murphy wrote:
> On 10/04/12 14:48, Dominick Grift wrote:
> 
> > This seems to work for me:
> >
> > systemctl kill -s SIGUSR1 auditd.service
> >
> 
> Didn't work for me,
> 
> but I modified the auditd.cron daily job to:
> mv /var/log/audit/audit.log /var/log/audit/audit.old
> touch /var/log/audit/audit.log
> 
> Now as I'm not a bash guru,
> If I could figure a way to date audit.old*
> 

That's not going to work because auditd is not going to like the
permissions on the new audit.log.

Really though it works for me:

[root at q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0   root       429  0.0  0.0      0     0 ?
S    Mar31   0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0
0.0 115160 2984 pts/1 S+ 15:31   0:00
nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0   root      2327  0.0  0.0  91740  1084 ?
S<sl 15:35   0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2582 0.0  0.0
109396 912 pts/0 S+ 16:08   0:00 grep --color=auto auditd
[root at q9000 system]# ls -l /var/log/audit
total 3940
-rw-------. 1 root root    1597 Apr 10 16:01 audit.log
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.1
[root at q9000 system]# systemctl kill -s SIGUSR1 auditd.service
[root at q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0   root       429  0.0  0.0      0     0 ?
S    Mar31   0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0
0.0 115160 2984 pts/1 S+ 15:31   0:00
nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0   root      2327  0.0  0.0  91740  1088 ?
S<sl 15:35   0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2598 0.0  0.0
109396 916 pts/0 S+ 16:08   0:00 grep --color=auto auditd
[root at q9000 system]# ls -l /var/log/audit
total 3944
-rw-------. 1 root root     112 Apr 10 16:08 audit.log
-r--------. 1 root root    1597 Apr 10 16:01 audit.log.1
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.2
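
The manual check in the message above (signal auditd, then compare the `ls -l` listings) can be scripted for a cron job. This is an added example, not part of the original thread; `AUDIT_DIR`, `ROTATE_CMD`, `WAIT_SECS` and the function names are hypothetical, and it assumes auditd rotates by renaming audit.log to audit.log.1, as the listings suggest.

```shell
#!/bin/sh
# Added example (not from the thread): force an auditd rotation and verify it.
# AUDIT_DIR, ROTATE_CMD, WAIT_SECS and the function names are hypothetical;
# the default rotate command is the one shown in the message above.
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ROTATE_CMD="${ROTATE_CMD:-systemctl kill -s SIGUSR1 auditd.service}"
WAIT_SECS="${WAIT_SECS:-10}"

# Print the inode number of a file, or "none" if it does not exist.
inode_of() {
    if [ -e "$1" ]; then ls -i "$1" | awk '{print $1}'; else echo none; fi
}

# Print the 10-character type/permission field of ls -l
# (this drops the trailing SELinux "." seen in the listings).
perms_of() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 if the log was rotated and the new audit.log is -rw-------,
# 1 if no rotation was seen, 2 if the command failed, 3 on unexpected mode.
rotate_audit_log() {
    log="$AUDIT_DIR/audit.log"
    before=$(inode_of "$log")
    [ "$before" != none ] || { echo "missing $log" >&2; return 2; }
    $ROTATE_CMD || { echo "rotate command failed" >&2; return 2; }
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        new=$(inode_of "$log")
        # Assumption: rotation renames audit.log to audit.log.1, so the old
        # inode shows up under the .1 name and audit.log gets a fresh one.
        if [ "$(inode_of "$log.1")" = "$before" ] &&
           [ "$new" != none ] && [ "$new" != "$before" ]; then
            [ "$(perms_of "$log")" = "-rw-------" ] && return 0
            echo "unexpected mode on $log: $(perms_of "$log")" >&2
            return 3
        fi
        sleep 1   # the signal is handled asynchronously, so poll briefly
        i=$((i + 1))
    done
    echo "audit.log was not rotated within ${WAIT_SECS}s" >&2
    return 1
}
```

Call `rotate_audit_log` as root from the cron job and alert on a non-zero return instead of assuming the signal was delivered.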
