auditd "admin_space_left_action" EXEC <script> does not execute.

Posted: 2021/04/19 17:04:51
by bl-frankie
I need help to configure auditd to execute a script to shut down the Apache service once the daemon detects that the disk is below the configured "admin_space_left" value.

** /etc/audit/auditd.conf **
...
space_left = 100
space_left_action = email
admin_space_left = 50
admin_space_left_action = EXEC /opt/startup/scripts/audit_log_action.sh
disk_full_action = EXEC /opt/startup/scripts/audit_log_action.sh
...
*********

** /opt/startup/scripts/audit_log_action.sh **
#!/bin/bash

# APSC-DV-001120
# Stops apache when there is low disk space or an error in logging
logger -s "System is low on disk space - stopping Apache httpd service"
/sbin/apachectl stop
**********

I've used 'fallocate' to create files that fill the volume so that only 38M is free but auditd doesn't execute the script to stop the Apache service.

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Posted: 2021/04/19 17:44:19
by TrevorH
/opt/startup is a non-standard location for things like that and I suspect that SELinux won't like auditd trying to execute it. Does it work if you move your script to /usr/local/bin and point the config at that (for testing, you can leave it there or fix the SELinux problem after)? Or if you put SELinux permissive by running setenforce 0 (lasts only until reboot or setenforce 1).

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Posted: 2021/04/19 18:25:10
by bl-frankie
@TrevorH: Thanks for your reply. The script executes, however the `/sbin/apachectl stop` command isn't working.

The script permissions are 700 root:root.

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Posted: 2021/04/19 18:49:15
by TrevorH
On CentOS 7 you should be invoking systemctl stop httpd
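
A pre-flight check for the setup discussed in this thread, as an added example that is not from any of the posters: it reads an auditd.conf-style file, finds every `*_action = EXEC <path>` setting, and reports handler scripts that are missing, not executable, not root-owned, writable by group or others, or that call `apachectl stop`. The function names and the choice of checks are assumptions of this example, not auditd's own validation, and SELinux labels are not inspected.

```sh
#!/bin/sh
# Added example: lint the EXEC handlers named in an auditd.conf-style file.
# Function names and the chosen checks are assumptions of this example.

# Print "key path" for every "<name>_action = EXEC <path>" setting.
exec_actions() {
    awk '
        /^[ \t]*#/ || !/=/ { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key ~ /_action$/ && tolower(val) ~ /^exec[ \t]+/) {
                sub(/^[^ \t]+[ \t]+/, "", val)
                print key, val
            }
        }' "$1"
}

# Print one line per problem found with a handler script; nothing if none.
check_handler() {
    case $1 in /*) ;; *) echo "not an absolute path"; return 0 ;; esac
    [ -f "$1" ] || { echo "missing or not a regular file"; return 0; }
    [ -x "$1" ] || echo "not executable"
    [ -z "$(find "$1" -prune ! -user root)" ] || echo "not owned by root"
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ] ||
        echo "group- or world-writable"
    # The thread's last reply recommends systemctl over apachectl on CentOS 7.
    if grep -Eq '^[^#]*apachectl[[:space:]]+stop' "$1"; then
        echo "calls apachectl stop (thread advice: systemctl stop httpd)"
    fi
    return 0
}

# Report "key: path: problem" for every EXEC handler in the given config.
lint_auditd_conf() {
    exec_actions "$1" | while read -r key path; do
        check_handler "$path" | while IFS= read -r problem; do
            echo "$key: $path: $problem"
        done
    done
}

# Run only when a config path is given, e.g. sh lint.sh /etc/audit/auditd.conf
[ $# -eq 0 ] || lint_auditd_conf "$1"
```

No output means none of these checks fired; it does not prove that auditd will run the handler, since SELinux policy can still block it.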