Logrotate and Audit Log Rotation
Steve Grubb
sgrubb at redhat.com
Wed Nov 14 13:54:13 UTC 2012
On Wednesday, November 14, 2012 12:52:31 PM Paul Whitney wrote:
> On RHEL 6 I am able to use the logrotate facility and compress logs using
> bzip2. However, when I try to use a similar method on RHEL 5, the auditd
> service fails to restart after the logrotate service rotates and compresses
> the rotated log file.
>
> I found a post by Steve Grubb posted on 29 JUN 2011:
>
> "Logrotate should not directly rotate the audit logs. I don't supply a
> logrotate configuration, but if I did it would call service auditd rotate
> so that auditd performs the action. The audit daemon has to fulfill certain
> service guarantees that logrotate does not care about. For example, if the
> audit disk partition gets full, auditd can take the system down. Logrotate
> never will. So, you have to let auditd do its own thing or you will have
> some issues."
>
> Is this still the case?
Yes, it will always be the case. Logrotate does not understand the security
requirements imposed by Common Criteria. You can either rotate on a cron job
(an example script is shipped) or write a logrotate script that sends SIGUSR1
to auditd.
-Steve
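
As an added illustration of the cron-job option in the reply above (this is not Steve Grubb's code and not the example script shipped with the audit package), the script below asks auditd to rotate itself via SIGUSR1 and only afterwards compresses the files auditd has already rotated out. The paths, the archive directory, the `run` argument and the two-second wait are assumptions to adapt locally.

```shell
#!/bin/sh
# Added example, not from the original post. The defaults below are
# assumptions; adjust them to the local auditd.conf.
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"             # auditd log directory
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}" # hypothetical archive dir
AUDITD_PID_FILE="${AUDITD_PID_FILE:-/var/run/auditd.pid}"
COMPRESSOR="${COMPRESSOR:-bzip2}"  # stdin-to-stdout filter; suffix assumes bzip2

# Ask auditd to rotate its own logs by sending it SIGUSR1.
request_rotation() {
    if [ ! -r "$AUDITD_PID_FILE" ]; then
        echo "cannot read $AUDITD_PID_FILE; is auditd running?" >&2
        return 1
    fi
    kill -USR1 "$(cat "$AUDITD_PID_FILE")"
}

# Compress files auditd has already rotated out (audit.log.1, audit.log.2, ...)
# into ARCHIVE_DIR. The live audit.log is never touched, and a rotated file is
# removed only after its compressed copy was written successfully.
# Prints the number of files archived.
archive_rotated() {
    mkdir -p "$ARCHIVE_DIR" || return 1
    chmod 0700 "$ARCHIVE_DIR"
    stamp=$(date +%Y%m%d%H%M%S)
    archived=0
    for f in "$AUDIT_DIR"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        dest="$ARCHIVE_DIR/audit-$stamp-${f##*.}.log.bz2"
        if (umask 077; "$COMPRESSOR" < "$f" > "$dest"); then
            rm -f "$f"
            archived=$((archived + 1))
        else
            rm -f "$dest"                  # drop partial output, keep original
            echo "failed to compress $f" >&2
            return 1
        fi
    done
    echo "$archived"
}

# Invoked from cron with the (assumed) argument "run". The short sleep gives
# auditd time to finish renaming files after the signal.
if [ "${1:-}" = "run" ]; then
    request_rotation && sleep 2 && archive_rotated >/dev/null
fi
```

Because auditd performs the rotation itself, its disk-space handling stays in effect; the script only handles files auditd is no longer writing to.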