我们最近意识到我们当前的auditd配置导致我们的/var/log/audit文件系统变满,所以我开始使用/etc/audit/auditd.conf文件来尝试修复这个问题。我修改了conf文件,如下所示:
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 4
max_log_file_action = ROTATE
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
但 /var/log/audit 中的文件仍然比 max_log_file 中设置的文件大(大小以 MB 为单位)
root@my-server:~# ls -lah /var/log/audit/
total 18M
drwx------ 3 root root 3.0K Apr 22 13:17 .
drwxrwxr-x 12 root syslog 4.0K Apr 22 03:13 ..
-rw------- 1 root root 4.2M Apr 22 13:35 audit.log
-r-------- 1 root root 4.1M Apr 22 13:17 audit.log.1
-r-------- 1 root root 4.0M Apr 22 11:22 audit.log.2
-r-------- 1 root root 5.0M Apr 22 11:39 audit.log.3
drwx------ 2 root root 12K Feb 4 10:44 lost+found
4.0MI是通过自己运行auditd手动轮换的。在解决这个问题时,我想知道,当当前audit.log达到最大大小时,什么在监视这个目录,向auditd发送通知以轮换日志?我发现我认为可以这样做的唯一正在运行的进程是
root 149689 0.0 0.2 11580 2568 ? S<sl 11:43 0:00 /sbin/auditd -n
但它似乎并没有按照我认为应该的方式工作。