audit 0.6 release

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jan 6 22:17:09 UTC 2005


On Thu, 06 Jan 2005 15:52:50 CST, "Browder, Tom" said:

> 4.  You mention log rotation in TODO, can't the system logrotate handle
> it (through the /etc/logrotate.conf file)?

logrotate doesn't do a very good job of handling "roll to next file when this
one is 40M in size", because the cron job is probably not running at the time
that the log gets to 40M.  The semantics of "rotate at 2AM if it's over 40M
then" are quite different from "rotate at current clock time 11:37AM if we hit
40M then...".

Also, in a priv-separated environment, only the "security officer" role should
be allowed to remove an audit file (while logrotate's "rotate" command will rm
the oldest one if/when needed).  So you probably need to use *two* logrotate
instances with separate config files, one for your system logs running in the
"admin" role, and another for the audit logs running in the "security officer"
role.  In an SELinux environment, you'd probably need a dummy front-end that
runs logrotate, and have an exec_auto_trans() to put the front end into the
correct security context....
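The on-the-fly "roll when it hits 40M" rotation described above, as an added example (not code from the audit project or from this thread): a POSIX shell function that renames a log to the next free numbered file the moment it reaches the threshold and never deletes anything, so removal stays with the security-officer role. The 40M default, the AUDIT_ROLL_BYTES variable and the assumption that the writing daemon reopens its log on request are all mine.

```shell
#!/bin/sh
# Size-triggered rotation performed when the threshold is crossed, not at the
# fixed clock time of a logrotate cron job. Intended to be run (looped or from
# a frequent cron entry) under the security-officer role, not the admin role.

# Assumed default threshold: 40M in bytes. Override via the environment.
: "${AUDIT_ROLL_BYTES:=41943040}"

# file_size FILE -> prints size in bytes (portable: wc -c, spaces stripped)
file_size() { wc -c < "$1" | tr -d ' '; }

# next_name LOG -> prints the first LOG.N that does not exist yet (N >= 1).
# Older files are never overwritten or removed here; that is deliberate.
next_name() {
    n=1
    while [ -e "$1.$n" ]; do n=$((n + 1)); done
    printf '%s.%s\n' "$1" "$n"
}

# roll_if_full LOG [BYTES]: if LOG is at least BYTES long, rename it to the
# next numbered file and recreate an empty LOG. Returns 0 when a roll
# happened, 1 otherwise. The daemon writing LOG still holds the old inode
# open until it reopens the log; signalling it is left to the caller
# (assumption: the daemon supports a reopen on request).
roll_if_full() {
    log=$1; limit=${2:-$AUDIT_ROLL_BYTES}
    [ -f "$log" ] || return 1
    [ "$(file_size "$log")" -ge "$limit" ] || return 1
    target=$(next_name "$log")
    mv -- "$log" "$target" && : > "$log"
}

# watch_log LOG [BYTES] [INTERVAL]: poll every INTERVAL seconds (default 5)
# and roll as soon as the threshold is reached. Runs until killed.
watch_log() {
    while :; do
        roll_if_full "$1" "${2:-$AUDIT_ROLL_BYTES}" && \
            printf 'rolled %s at %s\n' "$1" "$(date)"
        sleep "${3:-5}"
    done
}
```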