
We recently realized that our current configuration for auditd was causing our /var/log/audit filesystem to become full so I started to play around with the /etc/audit/auditd.conf file to try to fix that. I modified the conf file to look like this:

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 4
max_log_file_action = ROTATE
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

But the files in /var/log/audit are still becoming larger than what is set in max_log_file (size in MB):

root@my-server:~# ls -lah /var/log/audit/
total 18M
drwx------  3 root root   3.0K Apr 22 13:17 .
drwxrwxr-x 12 root syslog 4.0K Apr 22 03:13 ..
-rw-------  1 root root   4.2M Apr 22 13:35 audit.log
-r--------  1 root root   4.1M Apr 22 13:17 audit.log.1
-r--------  1 root root   4.0M Apr 22 11:22 audit.log.2
-r--------  1 root root   5.0M Apr 22 11:39 audit.log.3
drwx------  2 root root    12K Feb  4 10:44 lost+found

The one that is 4.0M I rotated manually by running auditd by itself. While troubleshooting this, it led me to wonder: what is watching this directory that sends the notification to auditd to rotate the logs when the current audit.log is at the maximum size? The only running process I found that I think could be doing that is

root      149689  0.0  0.2  11580  2568 ?        S<sl 11:43   0:00 /sbin/auditd -n

But it doesn't seem to be working how I think it should.

  • -h would say around 4.1M; it should be 4194304 or a few hundred more or less, which seems OK for the 3 newer files. The older file could have been created before you changed the configuration, are you sure it's not? After waiting for some time, do all go to ~4.1? – thanasisp Apr 23 '22 at 01:00
  • Also, auditd is watching its log dir, I don't think there is anyone in the middle. – thanasisp Apr 23 '22 at 01:04
  • @thanasisp - I let it sit over the weekend and the same audit.log that was at 4.2M has now grown to 6.7M, I was hoping I was just being impatient with it. I'm thinking I must have it misconfigured somewhere. – Zack Schmidt Apr 25 '22 at 13:20
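
As an added example that is not part of the original post: a small POSIX sh check that reads log_file and max_log_file from an auditd.conf-style file (skipping commented-out lines such as ##name = mydomain, and not confusing max_log_file with max_log_file_action) and reports any audit.log* file in the log directory that has grown past the limit, which is the condition the question describes. The config path and log directory arguments are assumptions; the function defaults to /etc/audit/auditd.conf when none is given.

```shell
#!/bin/sh
# Added example, not from the original post: compare the audit.log* files
# against the max_log_file limit declared in auditd.conf.
# Usage (after sourcing this file):
#   audit_log_check [auditd.conf] [log directory]

# Read one "key = value" setting from an auditd.conf-style file.
# The pattern is anchored at line start, so commented-out entries such as
# "##name = mydomain" are ignored, and "max_log_file" does not match the
# "max_log_file_action" line because "_" follows the key there.
audit_conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1
}

# Print "path size_bytes limit_bytes" for every audit.log* file larger than
# max_log_file (MB, so the limit is max_log_file * 1024 * 1024 bytes).
# Returns 0 if all files are within the limit, 1 if any is over, 2 on a
# configuration problem (max_log_file missing).
audit_log_check() {
    conf="${1:-/etc/audit/auditd.conf}"
    max_mb=$(audit_conf_get "$conf" max_log_file)
    [ -n "$max_mb" ] || { echo "max_log_file not set in $conf" >&2; return 2; }
    log_file=$(audit_conf_get "$conf" log_file)
    dir="${2:-$(dirname "$log_file")}"
    limit=$((max_mb * 1024 * 1024))
    rc=0
    for f in "$dir"/audit.log*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -gt "$limit" ]; then
            echo "$f $size $limit"
            rc=1
        fi
    done
    return $rc
}
```

A file reported here is one the daemon should already have rotated, so it points at the configuration actually loaded (auditd reads its config at start) rather than at the file on disk.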
