auditd "admin_space_left_action" EXEC <script> does not execute.

Support for security such as Firewalls and securing linux
Post Reply
bl-frankie
Posts: 2
Joined: 2021/04/19 16:30:24

auditd "admin_space_left_action" EXEC <script> does not execute.

Post by bl-frankie » 2021/04/19 17:04:51

I'm need help to configure auditd to execute a script to shutdown the Apache service once the daemon detects that the disk is below the configured "admin_space_left" value.

** /etc/audit/auditd.conf **
...
space_left = 100
space_left_action = email
admin_space_left = 50
admin_space_left_action = EXEC /opt/startup/scripts/audit_log_action.sh
disk_full_action = EXEC /opt/startup/scripts/audit_log_action.sh
...
*********

** /opt/startup/scripts/audit_log_action.sh **
#!/bin/bash

# APSC-DV-001120
# Stops apache when there is low disk space or an error in logging
logger -s "System is low on disk space - stopping Apache httpd service"
/sbin/apachectl stop
**********

I've used 'fallocate' to create files that fill the volume so that only 38M is free but auditd doesn't execute the script to stop the Apache service.

User avatar
TrevorH
Forum Moderator
Posts: 30801
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by TrevorH » 2021/04/19 17:44:19

/opt/startup is a non-standard location for things like that and I suspect that selinux won't like auditd trying to execute it. Does it work if you move your script to /usr/local/bin and point the config at that (for testing, you can leave it there or fix the selinux problem after)? Or if you put selinux permissive by running setenforce 0 (lasts only until reboot or setenforce 1).
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

bl-frankie
Posts: 2
Joined: 2021/04/19 16:30:24

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by bl-frankie » 2021/04/19 18:25:10

@TrevorH: Thanks for your reply. The script executes, however the `/sbin/apachectl stop` command isn't working.

The script permissions are 700 root:root.

User avatar
TrevorH
Forum Moderator
Posts: 30801
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: auditd "admin_space_left_action" EXEC <script> does not execute.

Post by TrevorH » 2021/04/19 18:49:15

On CentOS 7 you should be invoking systemctl stop httpd
CentOS 6 died in November 2020 - migrate to a new version!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 7 - Security Support”