From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: ausearch checkpoint capability
Date: Mon, 18 Aug 2014 14:13:57 -0400 [thread overview]
Message-ID: <26086601.oGHCGWl4C5@x2> (raw)
In-Reply-To: <1408145116.1503.53.camel@swtf.swtf.dyndns.org>
Hello,
On Saturday, August 16, 2014 09:25:16 AM Burn Alting wrote:
> One of the issues with ausearch's checkpoint code is how to recover from
> failures. A classic failure is to perform a checkpoint on a busy system
> and then delay too long before running the next invocation of ausearch
> and as a result of the delay, the checkpointed event cannot be found in
> the files in /var/log/audit. There are other failures, such as re-use of
> inodes etc.
>
> For those of you who haven't noted the ausearch --checkpoint change, it
> basically records the details of the last complete audit event it
> processed or printed in a checkpoint file. It records not only the event
> time, but also the event node, serial, type and the file device and
> inode. Thus, when you next invoke ausearch with this option, the next
> event to process is the next complete event since the one recorded.
>
> Should an error occur when attempting to find the next complete event to
> process, ausearch will exit. At this point, I believe the best recovery
> action is to extract only the event time from the checkpoint file and
> ask for all complete events after that time (i.e. as opposed to the
> usual action of comparing time, event id, type, log file details etc).
Would anyone be opposed to making that the default behavior?
> There are at last two solutions:
> a. We can patch ausearch to take a --checkpoint-time-only flag which
> means ausearch will look for all events since the time in the checkpoint
> file. This provides the best granularity in time as it goes down to
> msecs.
I am worried about the proliferation of command line switches. I'd rather make
a new --start target. e.g. --start checkpoint-time.
> b. We extract the timestamp from the checkpoint file, convert it to a
> date and time and use ausearch's --start option to find all events since
> the time in the checkpoint file.
>
> The first provides greater granularity in time as it goes to msecs.
If one is the timestamp of the file, that might be misleading. I don't know if
touching a file is an auditable event. No time to investigate right now either.
I'd rather see the time taken from within the file.
> I can provide a patch. Do you want it?
Sure, if its based on a --start target.
-Steve
next prev parent reply other threads:[~2014-08-18 18:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-15 23:25 ausearch checkpoint capability Burn Alting
2014-08-18 18:13 ` Steve Grubb [this message]
2014-08-18 21:49 ` Burn Alting
2014-08-18 21:59 ` Steve Grubb
2014-08-18 22:29 ` Joe Wulf
2014-08-20 8:18 ` Burn Alting
2014-08-20 16:57 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=26086601.oGHCGWl4C5@x2 \
--to=sgrubb@redhat.com \
--cc=burn@swtf.dyndns.org \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox