Not sure exactly when this happened - could have been when upgrading to 4.x, but it seems like ASL is no longer removing the old asl audit and logging directories/files in the same way it used to.
For example, on one of my boxes I have this set:
MODSEC_CLEAN_ALERT="3"
MODSEC_DATADIR="/var/asl/data/msa"
MODSEC_AUDITDIR="/var/asl/data/audit"
ALERTS_USE_DB="yes"
ASL_DB_RETENTION="7 days"

My understanding of these would be that the DB alerts are cleared out after 7 days, and the file alerts are cleaned out after 3.
However when looking at the audit dir, it looks like it has changed slightly from the previous:
old:
/var/asl/data/audit
new:
/var/asl/data/audit/apache
And my log directories are there from several weeks, not just the last 3 (or 7) days.
Is this a new and/or known bug?

# asl -v
Atomic Secured Linux, version 4.0-10.el5.art: CloudLinux 5 (SUPPORTED)
Copyright Atomicorp 2005-2014
All Rights Reserved.
Extended Version Information:
ASL_VERSION 4.0-10
APPINV_VERSION 201402101531
CLAMAV_VERSION 201405151043
GEOMAP_VERSION 201405181158
GRSEC_VERSION 0
MODSEC_VERSION 201405182059
OSSEC_VERSION 201405151252
WAF_DELAYED_VERSION 0
KERNEL_VERSION 0
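A quick way to check whether the retention setting is actually being applied to both the old and the new audit layout is to list what is older than MODSEC_CLEAN_ALERT days. The script below is an added example, not code from the original post or from Atomicorp; it assumes the settings are KEY="value" lines as quoted above, and since the real config path is not shown it builds a constructed fixture instead of touching a live system.

```shell
#!/bin/sh
# Added example (not from the post or Atomicorp): read the ASL retention
# settings and report audit entries older than MODSEC_CLEAN_ALERT days under
# both the old layout (the audit dir itself) and the new one (the apache
# subdirectory). Dry run only: nothing is deleted.

# Print the value of KEY ($2) from a KEY="value" config file ($1).
asl_setting() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# List entries directly under directory $1 modified more than $2 days ago.
stale_entries() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -mtime +"$2" | sort
}

# Count stale entries across both layouts described in the post.
count_stale() {
    days=$(asl_setting "$1" MODSEC_CLEAN_ALERT)
    auditdir=$(asl_setting "$1" MODSEC_AUDITDIR)
    total=0
    for d in "$auditdir" "$auditdir/apache"; do
        n=$(stale_entries "$d" "$days" | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

# Constructed fixture: a config with the post's retention value and a few
# audit directories back-dated to 2014 so they count as stale.
make_fixture() {
    base=$(mktemp -d)
    cat > "$base/asl.conf" <<EOF
MODSEC_CLEAN_ALERT="3"
MODSEC_AUDITDIR="$base/audit"
EOF
    mkdir -p "$base/audit/apache/20140101" "$base/audit/apache/20140102" \
             "$base/audit/apache/current" "$base/audit/20140101"
    touch -t 201401010000 "$base/audit/apache/20140101" \
          "$base/audit/apache/20140102" "$base/audit/20140101"
    echo "$base/asl.conf"
}

cfg=$(make_fixture)
echo "entries older than MODSEC_CLEAN_ALERT days: $(count_stale "$cfg")"  # 3
```

Point it at the real config file and a count above zero means the cleanup did not run for that directory.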