force audit log rotation?
Dominick Grift
dominick.grift at gmail.com
Tue Apr 10 14:10:24 UTC 2012
On Tue, 2012-04-10 at 15:06 +0100, Frank Murphy wrote:
> On 10/04/12 14:48, Dominick Grift wrote:
>
> > This seems to work for me:
> >
> > systemctl kill -s SIGUSR1 auditd.service
> >
>
> Didn't work for me,
>
> but I modified the auditd.cron daily job to:
> mv /var/log/audit/audit.log /var/log/audit/audit.old
> touch /var/log/audit/audit.log
>
> Now as I'm not a bash guru,
> If I could figure a way to date audit.old*
>
Thats not going to work because auditd is not going to like the
permissions on the new audit.log.
Really though it works for me:
[root at q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0 root 429 0.0 0.0 0 0 ?
S Mar31 0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0
0.0 115160 2984 pts/1 S+ 15:31 0:00
nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0 root 2327 0.0 0.0 91740 1084 ?
S<sl 15:35 0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2582 0.0 0.0
109396 912 pts/0 S+ 16:08 0:00 grep --color=auto auditd
[root at q9000 system]# ls -l /var/log/audit
total 3940
-rw-------. 1 root root 1597 Apr 10 16:01 audit.log
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.1
[root at q9000 system]# systemctl kill -s SIGUSR1 auditd.service
[root at q9000 system]# ps auxZ | grep auditd
system_u:system_r:kernel_t:s0 root 429 0.0 0.0 0 0 ?
S Mar31 0:00 [kauditd]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 dominick 2303 0.0
0.0 115160 2984 pts/1 S+ 15:31 0:00
nano /usr/share/doc/audit-2.2.1/auditd.cron
system_u:system_r:auditd_t:s0 root 2327 0.0 0.0 91740 1088 ?
S<sl 15:35 0:00 /sbin/auditd -n
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2598 0.0 0.0
109396 916 pts/0 S+ 16:08 0:00 grep --color=auto auditd
[root at q9000 system]# ls -l /var/log/audit
total 3944
-rw-------. 1 root root 112 Apr 10 16:08 audit.log
-r--------. 1 root root 1597 Apr 10 16:01 audit.log.1
-r--------. 1 root root 4024961 Apr 10 15:36 audit.log.2
More information about the selinux
mailing list