Fix audit log ACL loss by moving rotation to logrotate (development) #219
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Auditd's built-in rotation was causing CloudWatch agent to lose read access to audit logs. When auditd rotates at 50MB, it bypasses logrotate's postrotate hook that restores ACLs for the cwagent user. Changes (development environment only): - Disable auditd rotation: max_log_file_action = ignore - Switch logrotate to size-based rotation (50M) matching auditd threshold - Keep 10 rotated logs with compression This ensures the postrotate ACL restore hook runs on every rotation. Testing in development before rolling out to sandbox/production.
infrahouse8
approved these changes
Dec 26, 2025
akuzminsky
added a commit
that referenced
this pull request
Dec 26, 2025
The ACL-based approach from #215/#219 failed because auditd ignores default ACLs when creating files. When auditd recreates the log file after rotation, it sets permissions to 0600 with no ACLs, blocking CloudWatch agent access. Solution: Use standard Unix group permissions instead of ACLs. - Set auditd log_group to 'adm' (cwagent is already in adm group) - Logrotate creates files with group 'adm' - Remove ACL scripts and related resources This is simpler and more reliable than ACLs since auditd respects log_group when creating files. Testing in development before rolling out to other environments.
6 tasks
akuzminsky
added a commit
that referenced
this pull request
Dec 26, 2025
The ACL-based approach from #215/#219 failed because auditd ignores default ACLs when creating files. When auditd recreates the log file after rotation, it sets permissions to 0600 with no ACLs, blocking CloudWatch agent access. Solution: Use standard Unix group permissions instead of ACLs. - Set auditd log_group to 'adm' (cwagent is already in adm group) - Logrotate creates files with group 'adm' - Remove ACL scripts and related resources This is simpler and more reliable than ACLs since auditd respects log_group when creating files. Testing in development before rolling out to other environments.
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Problem
CloudWatch agent was losing access to
/var/log/audit/audit.logafter rotation.Auditd was rotating logs internally (every 50MB), which bypassed logrotate's
postrotate hook that restores ACLs. The fix in #215 only worked for logrotate-
triggered rotations, not auditd's own rotations.
Test plan
After the pr is merged:
max_log_file_action = ignoresize 50Mlogrotate -f /etc/logrotate.d/audit)