From mboxrd@z Thu Jan  1 00:00:00 1970
From: Burn Alting <burn@swtf.dyndns.org>
Subject: ausearch checkpoint capability
Date: Sat, 16 Aug 2014 09:25:16 +1000
Message-ID: <1408145116.1503.53.camel@swtf.swtf.dyndns.org>
Reply-To: burn@swtf.dyndns.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve,

One of the issues with ausearch's checkpoint code is how to recover from
failures. A classic failure is to perform a checkpoint on a busy system
and then delay too long before running the next invocation of ausearch
and as a result of the delay, the checkpointed event cannot be found in
the files in /var/log/audit. There are other failures, such as re-use of
inodes etc.

For those of you who haven't noted the ausearch --checkpoint change, it
basically records the details of the last complete audit event it
processed or printed in a checkpoint file. It records not only the event
time, but also the event node, serial, type and the file device and
inode. Thus, when you next invoke ausearch with this option, the next
event to process is the next complete event since the one recorded.

Should an error occur when attempting to find the next complete event to
process, ausearch will exit. At this point, I believe the best recovery
action is to extract only the event time from the checkpoint file and
ask for all complete events after that time (i.e. as opposed to the
usual action of comparing time, event id, type, log file details etc).

There are at last two solutions:
a. We can patch ausearch to take a --checkpoint-time-only flag which
means ausearch will look for all events since the time in the checkpoint
file. This provides the best granularity in time as it goes down to
msecs.
b. We extract the timestamp from the checkpoint file, convert it to a
date and time and use ausearch's --start option to find all events since
the time in the checkpoint file.

The first provides greater granularity in time as it goes to msecs.

Steve,

I can provide a patch. Do you want it?

Rgds
Burn