Audit rotate vs log rotate questions

Dole, Patrick A. Patrick.Dole at gd-ais.com
Wed Jun 29 23:10:44 UTC 2011


Hi,
I was hoping you could provide some help with audit rotation vs. logrotate.

I'm running REL 5 SELinux.
In my daily.con I have 2 cron jobs that I believe should manage the 'audit.log' file; audit.cron and logrotate

My audit.cron includes:
        service auditd rotate

Does this imply that the log always gets rotated, or is this based on other conditional checks?
There are no other parameters in the audit.cron, so I don't see where 'max_log_size_action' or 'max_log_file_action' are checked.
Here is my auditd.conf


Also, I've read that cron doesn't like files with a period (.) in the name - is this an issue with REL 5?

...

My Logrotate.conf is attached


My logrotate.d contains this file:



My basic question is: wouldn't the audit.cron, if it actually rotates the log, preclude logrotate from properly capturing the right log files monthly?
Also, if I wanted to ensure no audit.log data ever gets deleted, could I simply increase the 'rotate 12' statement to something like 'rotate 60' to keep 5 years of data (provided the disk doesn't get full)?

FYI, there is another utility that archives the log files and gives the user the option to delete files after they are archived.

A response within a couple days, if possible, would be great.
Thanks for your help.

Pat Dole
General Dynamics AIS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: auditd.conf
Type: application/octet-stream
Size: 924 bytes
Desc: auditd.conf
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logrotate.conf
Type: application/octet-stream
Size: 529 bytes
Desc: logrotate.conf
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit
Type: application/octet-stream
Size: 536 bytes
Desc: audit
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20110629/04384edf/attachment-0002.obj>

