From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: ausearch checkpoint capability
Date: Mon, 18 Aug 2014 14:13:57 -0400 [thread overview]
Message-ID: <26086601.oGHCGWl4C5@x2> (raw)
In-Reply-To: <1408145116.1503.53.camel@swtf.swtf.dyndns.org>
Hello,
On Saturday, August 16, 2014 09:25:16 AM Burn Alting wrote:
> One of the issues with ausearch's checkpoint code is how to recover from
> failures. A classic failure is to perform a checkpoint on a busy system
> and then delay too long before running the next invocation of ausearch
> and as a result of the delay, the checkpointed event cannot be found in
> the files in /var/log/audit. There are other failures, such as re-use of
> inodes etc.
>
> For those of you who haven't noted the ausearch --checkpoint change, it
> basically records the details of the last complete audit event it
> processed or printed in a checkpoint file. It records not only the event
> time, but also the event node, serial, type and the file device and
> inode. Thus, when you next invoke ausearch with this option, the next
> event to process is the next complete event since the one recorded.
>
> Should an error occur when attempting to find the next complete event to
> process, ausearch will exit. At this point, I believe the best recovery
> action is to extract only the event time from the checkpoint file and
> ask for all complete events after that time (i.e. as opposed to the
> usual action of comparing time, event id, type, log file details etc).
Would anyone be opposed to making that the default behavior?
> There are at last two solutions:
> a. We can patch ausearch to take a --checkpoint-time-only flag which
> means ausearch will look for all events since the time in the checkpoint
> file. This provides the best granularity in time as it goes down to
> msecs.
I am worried about the proliferation of command line switches. I'd rather make
a new --start target. e.g. --start checkpoint-time.
> b. We extract the timestamp from the checkpoint file, convert it to a
> date and time and use ausearch's --start option to find all events since
> the time in the checkpoint file.
>
> The first provides greater granularity in time as it goes to msecs.
If one is the timestamp of the file, that might be misleading. I don't know if
touching a file is an auditable event. No time to investigate right now either.
I'd rather see the time taken from within the file.
> I can provide a patch. Do you want it?
Sure, if its based on a --start target.
-Steve
next prev parent reply other threads:[~2014-08-18 18:13 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-15 23:25 ausearch checkpoint capability Burn Alting
2014-08-18 18:13 ` Steve Grubb [this message]
2014-08-18 21:49 ` Burn Alting
2014-08-18 21:59 ` Steve Grubb
2014-08-18 22:29 ` Joe Wulf
2014-08-20 8:18 ` Burn Alting
2014-08-20 16:57 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=26086601.oGHCGWl4C5@x2 \
--to=sgrubb@redhat.com \
--cc=burn@swtf.dyndns.org \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.