Document the effects of failure to execute the max_log_file_action helper

stevegrubb · stevegrubb · commit 3e59b40c1cd4 · 2026-03-20T16:12:43.000-04:00
diff --git a/docs/auditd.conf.5 b/docs/auditd.conf.5
@@ -119,9 +119,9 @@ means that it will issue a warning to syslog.
 .IR exec
 /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action. This can be done by adding 
 .I auditdctl --signal resume
-to the script. Also note that logging is stpped which this script runs. Whatever it does needs to be real quick because events are backing up in the kernel. The script
+to the script. Also note that logging is stopped when this script runs. Whatever it does needs to be real quick because events are backing up in the kernel. The script
 .B MUST
-delete or rename /var/log/audit/audit.log or when logging resumes, it will retrigger executing the script.
+delete or rename /var/log/audit/audit.log or when logging resumes, it will retrigger executing the script. If the script fails to execute, auditing is suspended until it is told to resume by sending it a signal.
 .IR suspend
 will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
 .IR rotate
@@ -181,7 +181,7 @@ as well as sending the message to syslog.
 .I exec
 /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action. This can be done by adding service auditd resume to the script.
 .I suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
+will cause the audit daemon to stop writing records to the disk. If the script fails to execute, the audit daemon will be left suspended until its told to resume by sending it a signal. The
 .I single
 option will cause the audit daemon to put the computer system in single user mode. Except for rotate, it will perform this action just one time. The previously available
 .I halt
diff --git a/src/auditd-event.c b/src/auditd-event.c
@@ -807,6 +807,9 @@ static void check_log_file_size(void)
 				logging_suspended = 1;
 				exec_child_pid =
 					safe_exec(config->max_log_file_exe);
+				if (exec_child_pid < 1)
+					audit_msg(LOG_ALERT,
+  "Audit daemon failed to exec max_log_file_action helper - logging suspended");
 				break;
 			case SZ_SUSPEND:
 				audit_msg(LOG_ERR,
