
Clearing old Common Criteria audit logs.

One of the software packages that Apple makes available on its website is Apple’s Common Criteria Tools. This package is based on Sun Microsystems’ Basic Security Module (BSM) auditing software and is a tool for creating an extremely detailed audit trail of all processes on the system. The level of auditing produced is the level required by systems attempting to achieve the DoD “C2” certification. The good side is that, by default, you get extensive information on *every* process and action that your system has running. The down side is that we’re obviously talking about enormous amounts of data being logged here, with 100MB+ log files being common. I’ve found that BSM can generate truly enormous files, where log files grow into gigabyte sizes, when you’re using it in conjunction with Retrospect. (To clarify, I’m getting the enormous gig-sized logs on servers where I’m running Retrospect to back up other machines; just having the Retrospect network backup client on your system will not cause BSM’s log files to get larger than normal.)

Since I need to run the auditing tools, but at the same time I need to conserve space on the servers, I wrote this script (based on another person’s script I found online; sadly, I can’t find the link to the original) to clear logs older than 10 days, and put it into /etc/periodic/daily so that it kicks off with the daily maintenance scripts.

```sh
#!/bin/sh
AUDIT_DIR=/var/audit; AUDIT_EXPIRE=10   # OpenBSM's usual trail directory (assumed); retention in days
# Delete old log files
find $AUDIT_DIR/* -type f -mtime +$AUDIT_EXPIRE -exec rm -f {} \;
```

You can set the script to keep your audit logs longer by changing the value of the AUDIT_EXPIRE variable.
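A more defensive version of the same daily job, written as an added example rather than the script from the post. It assumes (none of this is stated above) that OpenBSM records its trail directory on the `dir:` line of /etc/security/audit_control, that completed trail files are named `<start>.<stop>` with 14-digit timestamps, that the trail still being written ends in `.not_terminated`, and that `current` is a symlink to it; the script leaves the open trail and the symlink alone, refuses to run against a directory that lacks the `current` marker, and offers a dry run via the `AUDIT_DRY_RUN` variable (a name invented for this example). The `find` uses `-maxdepth` and `-delete`, which both BSD and GNU find provide.

```sh
#!/bin/sh
# Added example (not the original post's script): prune completed OpenBSM
# audit trails older than AUDIT_EXPIRE days without touching the open trail.
# Assumptions: trail dir comes from the "dir:" line of audit_control (falling
# back to /var/audit), completed trails are <14 digits>.<14 digits>, the active
# trail ends in ".not_terminated", and "current" symlinks to it.

AUDIT_CONTROL="${AUDIT_CONTROL:-/etc/security/audit_control}"
AUDIT_EXPIRE="${AUDIT_EXPIRE:-10}"   # days to keep; same knob as the post's script

# audit_dir_from_control FILE: print the first "dir:" entry, or /var/audit if none.
audit_dir_from_control() {
    d=$(sed -n 's/^dir:[[:space:]]*//p' "$1" 2>/dev/null | head -n 1)
    printf '%s\n' "${d:-/var/audit}"
}

# expired_find DIR DAYS [find-action]: completed trails in DIR untouched for
# more than DAYS days. -type f skips the "current" symlink; the ! -name test
# skips the trail the kernel is still writing.
expired_find() {
    dir=$1; days=$2; shift 2
    find "$dir" -maxdepth 1 -type f -mtime +"$days" \
        -name '[0-9]*.[0-9]*' ! -name '*.not_terminated' "$@"
}

# list_expired_trails DIR DAYS: one expired trail path per line.
list_expired_trails() {
    expired_find "$1" "$2" -print
}

# count_expired_trails DIR DAYS: how many trails list_expired_trails would print.
count_expired_trails() {
    list_expired_trails "$1" "$2" | wc -l | tr -d ' '
}

# prune_expired_trails DIR DAYS: delete expired trails and print the count.
# Refuses (status 1, prints 0) unless DIR looks like a live audit directory.
prune_expired_trails() {
    dir=$1; days=$2
    if [ ! -d "$dir" ] || [ ! -L "$dir/current" ]; then
        echo "prune_expired_trails: $dir does not look like an OpenBSM audit dir; skipping" >&2
        printf '0\n'
        return 1
    fi
    n=$(count_expired_trails "$dir" "$days")
    expired_find "$dir" "$days" -delete
    printf '%s\n' "$n"
}

# main: what /etc/periodic/daily runs. AUDIT_DRY_RUN=1 only lists candidates.
main() {
    dir=$(audit_dir_from_control "$AUDIT_CONTROL")
    if [ -n "${AUDIT_DRY_RUN:-}" ]; then
        echo "would remove from $dir:"
        list_expired_trails "$dir" "$AUDIT_EXPIRE"
    else
        prune_expired_trails "$dir" "$AUDIT_EXPIRE" >/dev/null || :
    fi
}

main
```

Install it executable under /etc/periodic/daily (any name sorting after Apple’s own scripts will do) and run it once by hand with `AUDIT_DRY_RUN=1` to see what the first pass would remove. Because the trails are the evidence an audit is supposed to preserve, the retention value should follow whatever your logging policy says, and trails worth keeping should be copied off the box before the job is allowed to delete them.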
