* check_second_connection stopping my recovery?
@ 2009-11-18 23:01 LC Bruzenak
2009-12-01 18:10 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: LC Bruzenak @ 2009-11-18 23:01 UTC (permalink / raw)
To: Linux Audit
It appears to me as though the new connection code in auditd-listen.c
is stopping my recovery actions.
My aggregator is getting a constant stream of:
op=dup addr=192.168.10.10:43546 port=43546 res=no
I was going back through the events on disk, scooping them up and
sending them to the aggregation machine as Steve suggested a long
while back (using an ausearch then piping the results to
audisp-remote).
So it appears to me that this is now prohibited. Was this intentional?
Thx,
LCB.
--
LC (Lenny) Bruzenak
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: check_second_connection stopping my recovery?
2009-11-18 23:01 check_second_connection stopping my recovery? LC Bruzenak
@ 2009-12-01 18:10 ` Steve Grubb
2009-12-01 18:27 ` LC Bruzenak
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2009-12-01 18:10 UTC (permalink / raw)
To: linux-audit
On Wednesday 18 November 2009 06:01:10 pm LC Bruzenak wrote:
> It appears to me as though the new connection code in auditd-listen.c
> is stopping my recovery actions.
<snip>
> So it appears to me that this is now prohibited. Was this intentional?
Yes, it was. With the reconnect code its possible to DoS a server, so the
connections need to be limited. I think the best solution is to make an admin
tweakable setting that defaults to 1 and you can set it to 2. Your recovery
technique won't be needed in the long term since its planned to have a store-
and-forward model so nothing is lost and its automatically recovered on start
up.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: check_second_connection stopping my recovery?
2009-12-01 18:10 ` Steve Grubb
@ 2009-12-01 18:27 ` LC Bruzenak
0 siblings, 0 replies; 3+ messages in thread
From: LC Bruzenak @ 2009-12-01 18:27 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Tue, 2009-12-01 at 13:10 -0500, Steve Grubb wrote:
> On Wednesday 18 November 2009 06:01:10 pm LC Bruzenak wrote:
>
> Yes, it was. With the reconnect code its possible to DoS a server, so the
> connections need to be limited. I think the best solution is to make an admin
> tweakable setting that defaults to 1 and you can set it to 2. Your recovery
> technique won't be needed in the long term since its planned to have a store-
> and-forward model so nothing is lost and its automatically recovered on start
> up.
>
> -Steve
Steve,
Your call but it may not be worth adding a new setting.
I've already patched it out of my system, and if I'm the only one who
cares then I'd say don't worry about it. I am aware of a DoS attack but
all senders are locked tight so I feel mitigation is sufficient. In fact
I nearly DoS-attacked myself before restricting the recovery to at most
1 process. :)
The store-and-forward piece will be excellent. It will solve at least a
couple of issues for me: recovery and also forwarding from a DMZ machine
to an internal server which will then forward to an independent
collector.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-12-01 18:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-11-18 23:01 check_second_connection stopping my recovery? LC Bruzenak
2009-12-01 18:10 ` Steve Grubb
2009-12-01 18:27 ` LC Bruzenak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox