auditd "admin_space_left_action" EXEC <script> does not execute.

Support for security such as Firewalls and securing linux
Post Reply
bl-frankie
Posts: 2
Joined: 2021/04/19 16:30:24

auditd "admin_space_left_action" EXEC <script> does not execute.

Post by bl-frankie » 2021/04/19 17:04:51

I'm need help to configure auditd to execute a script to shutdown the Apache service once the daemon detects that the disk is below the configured "admin_space_left" value.

** /etc/audit/auditd.conf **
...
space_left = 100
space_left_action = email
admin_space_left = 50
admin_space_left_action = EXEC /opt/startup/scripts/audit_log_action.sh
disk_full_action = EXEC /opt/startup/scripts/audit_log_action.sh
...
*********

** /opt/startup/scripts/audit_log_action.sh **
#!/bin/bash

# APSC-DV-001120
# Stops apache when there is low disk space or an error in logging
logger -s "System is low on disk space - stopping Apache httpd service"
/sbin/apachectl stop
**********

I've used 'fallocate' to create files that fill the volume so that only 38M is free but auditd doesn't execute the script to stop the Apache service.

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by TrevorH » 2021/04/19 17:44:19

/opt/startup is a non-standard location for things like that and I suspect that selinux won't like auditd trying to execute it. Does it work if you move your script to /usr/local/bin and point the config at that (for testing, you can leave it there or fix the selinux problem after)? Or if you put selinux permissive by running setenforce 0 (lasts only until reboot or setenforce 1).
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

bl-frankie
Posts: 2
Joined: 2021/04/19 16:30:24

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by bl-frankie » 2021/04/19 18:25:10

@TrevorH: Thanks for your reply. The script executes, however the `/sbin/apachectl stop` command isn't working.

The script permissions are 700 root:root.

User avatar
TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by TrevorH » 2021/04/19 18:49:15

On CentOS 7 you should be invoking systemctl stop httpd
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Post Reply