My good deed of the day – re-registering the family on the National Do Not Call list.
September 21, 2007 at 2:22 pm | In Geeky, Personal

Automatically starting a new Common Criteria audit log on a daily basis.
September 19, 2007 at 1:55 pm | In Mac OS X, Mac OS X Server, Mac administration

As a follow-up to my previous post on using Apple’s Common Criteria audit software on OS X, there’s a simple way to have the current audit log closed properly and a new one started automatically every day. Put the commands below into a script, save the script in /etc/periodic/daily/ on the Mac in question, and make sure the script is executable.
#!/bin/sh
# Close the current audit trail and open a new one. The periodic daily
# scripts already run as root, so sudo is not strictly needed here.
sudo /usr/sbin/audit -s
audit -s tells the audit software to stop writing the current log and start a new one; putting the script in /etc/periodic/daily/ means it runs every morning at 3:30 AM along with the other daily maintenance scripts.
Clearing old Common Criteria audit logs.
September 13, 2007 at 5:10 pm | In Mac OS X Server, Mac administration

One of the software packages that Apple makes available on its website is Apple’s Common Criteria Tools. This package is based on Sun Microsystems’ Basic Security Module (BSM) auditing software and is a tool for creating an extremely detailed audit trail of all processes on the system. The level of auditing produced is the level required by systems attempting to achieve the DoD “C2” certification. The good side is that, by default, you get extensive information on *every* process and action running on your system. The down side is that we’re obviously talking about enormous amounts of data being logged here, with large 100MB+ log files being common. I’ve found that BSM can generate truly enormous files, with log files growing into gigabyte sizes, when you’re using it in conjunction with Retrospect. (To clarify, I’m getting the enormous gig-sized logs on servers where I’m running Retrospect to back up other machines; just having the Retrospect network backup client on your system will not cause BSM’s log files to get larger than normal.)
Since I need to run the auditing tools but also need to conserve space on the servers, I wrote this script (based on another person’s script I found online; sadly, I can’t find the link to the original) to clear logs older than 10 days, and put it into /etc/periodic/daily so that it kicks off with the daily maintenance scripts.
#!/bin/sh
# Expire Common Criteria (BSM) audit trails older than AUDIT_EXPIRE days.
AUDIT_EXPIRE=10
AUDIT_DIR=/var/audit
# Delete old log files. Only regular files directly in the audit directory
# are considered, so the "current" symlink is left alone, and the active
# trail (its name ends in .not_terminated) is skipped explicitly.
find "$AUDIT_DIR" -maxdepth 1 -type f ! -name '*.not_terminated' -mtime +"$AUDIT_EXPIRE" -exec rm -f {} \;
You can set the script to keep your audit logs longer by changing the value of the AUDIT_EXPIRE variable.
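The following is an added example, not the script from this post, that extends the same age-based expiry into a reusable function with a dry-run mode, so you can see which trails would go before anything is deleted. It assumes the usual BSM layout: closed trails are named start.stop with 14-digit timestamps, the trail still being written ends in .not_terminated, and /var/audit/current is a symlink to it; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added example (not the blog's script): expire closed BSM audit trails by age.
# Assumes BSM naming: closed trails are <start>.<stop> (14-digit timestamps),
# the active trail ends in .not_terminated, and "current" is a symlink to it.

# list_expired_trails DIR DAYS
# Prints closed trail files directly in DIR last modified more than DAYS days
# ago. Symlinks, the active trail and anything in subdirectories are excluded.
list_expired_trails() {
    find "$1" -maxdepth 1 -type f \
        -name '[0-9]*.[0-9]*' ! -name '*.not_terminated' \
        -mtime +"$2" -print
}

# expire_audit_trails DIR DAYS [dry-run]
# Deletes the expired trails, or only reports them on stderr in dry-run mode,
# and prints how many were affected so the number can be checked or logged.
expire_audit_trails() {
    dir=$1
    days=$2
    mode=${3:-delete}
    n=0
    # Trail names contain no whitespace, so word-splitting the listing is safe.
    for f in $(list_expired_trails "$dir" "$days"); do
        n=$((n + 1))
        if [ "$mode" = "dry-run" ]; then
            echo "would remove $f" >&2
        else
            rm -f "$f"
        fi
    done
    echo "$n"
}

# Stand-alone use from /etc/periodic/daily: "--run" deletes, "--run dry-run"
# only reports. AUDIT_DIR and AUDIT_EXPIRE may be overridden in the environment.
if [ "${1:-}" = "--run" ]; then
    expire_audit_trails "${AUDIT_DIR:-/var/audit}" "${AUDIT_EXPIRE:-10}" "${2:-delete}"
fi
```

Run it once with "--run dry-run" and compare the reported names against ls -l /var/audit before letting it delete; the active trail and the current symlink should never appear in that list.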