space_left_action=exec only works once?

Steve Grubb sgrubb at redhat.com
Tue Mar 28 02:31:53 UTC 2017


On Thursday, January 26, 2017 1:22:10 AM EDT Steve Grubb wrote:
> Hello,
> 
> On Wed, 25 Jan 2017 15:06:50 -0800
> 
> Bond Masuda <bond.masuda at jlbond.com> wrote:
> > I configured space_left and space_left_action to run a script that
> > compresses and moves older audit log files from /var/log/audit. It
> > appears to work 1 time, and then doesn't work anymore until I kill
> > the auditd daemon and start it again.
> > 
> > Is this expected and/or desired behavior? I didn't see anything in
> > the man pages about this behavior. I was hoping to have my script run
> > every time the space_left threshold is hit so as to not run out of
> > logging disk space. Is there something I can do to accomplish this?
> 
> You may need to send SIGUSR2 to `pidof auditd` to reset the internal
> counters. Let me know if that does not fix it.

I dug into this in detail today. I apologize for how long it took, but our QE 
guy showed me how to reproduce this without losing a couple years of audit 
logs I use for testing and research.

In any event, your script must send SIGUSR2 to the audit daemon. The man page 
documents this by saying to use "service auditd resume". SELinux denies this 
by default. So, you might have an AVC. I'll open a bz against selinux policy 
to ask for allowance on this.

But I did find one issue. When there is an exec action, auditd really should 
close its logging descriptor so that it's not writing to a deleted file. Then 
on SIGUSR2, it should re-open the descriptor. This was pushed into git today. 
So, the next release, which is tomorrow, will have a fix so that if your script 
sends SIGUSR2, auditd should behave in a more supportive way.

Please test again once you have 2.7.4 and let me know if you have any 
problems.

-Steve
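
An exec handler of the kind this thread describes, as an added example that is not part of the original message or the audit project's code: it compresses only the rotated logs, leaves the active audit.log alone, and then sends SIGUSR2 to auditd. The archive directory, the script name and the install path are assumptions.

```shell
#!/bin/sh
# Added example: handler for "space_left_action = exec <path>" in auditd.conf.
# LOG_DIR is from the thread; ARCHIVE_DIR and the script name are assumptions.
LOG_DIR=/var/log/audit
ARCHIVE_DIR=/var/log/audit-archive   # hypothetical; ideally a different filesystem

# Compress rotated logs (audit.log.1, audit.log.2, ...) into the archive.
# The active audit.log is never touched, so auditd is not left writing
# to a deleted file.
archive_rotated_logs() {
    log_dir=$1 archive_dir=$2 moved=0
    mkdir -p "$archive_dir" && chmod 0700 "$archive_dir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for f in "$log_dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        dest="$archive_dir/$(basename "$f").$stamp.gz"
        # Remove the source only after the compressed copy is complete.
        if (umask 077; gzip -c "$f" > "$dest.tmp") && mv "$dest.tmp" "$dest"; then
            rm -f "$f"
            moved=$((moved + 1))
        else
            rm -f "$dest.tmp"
        fi
    done
    echo "$moved"
}

# Tell auditd to resume logging: SIGUSR2 to `pidof auditd`, as in the thread.
resume_auditd() {
    pid=${1:-$(pidof auditd)}
    [ -n "$pid" ] || return 1
    kill -USR2 "$pid"
}

main() {
    n=$(archive_rotated_logs "$LOG_DIR" "$ARCHIVE_DIR") || n=0
    logger -t audit-space-left "archived $n rotated audit logs"
    # Always resume, even if nothing was archived, as the thread requires.
    resume_auditd || logger -t audit-space-left "could not signal auditd (check for an SELinux AVC)"
}

# Run only when installed under the assumed name, e.g.
#   space_left_action = exec /usr/local/sbin/audit-space-left
case "$0" in */audit-space-left) main ;; esac
```

If the kill is denied, look for the AVC with `ausearch -m avc -ts recent` before concluding that the handler did not run.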
