Steve,
Please find a patch against 2.3.6 so that, when checkpointing, ausearch
will only use the recorded event time in the checkpoint file when
deciding which complete events to display. Basically, it will display all
complete events found after the event time found in the checkpoint file.
Normally, one would use checkpointing in a periodic script that records
all 'new' audit events. Should certain errors occur, we need to recover
and continue to record 'new' audit events. This option allows us to do
a 'brute force' recovery by finding all events since the last recorded
time we have in the checkpoint file.
For example, the core of a periodic script may contain
ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
_aus=$?
if test ${_aus} -eq 10 -o ${_aus} -eq 11 -o ${_aus} -eq 12
then
ausearch --checkpoint /usr/security/auditd_checkpoint.txt \
--checkpoint-time-only -i
fi
Rgds
On Mon, 2014-04-14 at 20:11 -0400, Steve Grubb wrote:
> On Sunday, April 13, 2014 11:51:45 AM Burn Alting wrote:
> > A patch is attached that addresses this.
> >
> > Essentially the modification
> > - notices if we identify an audit.log file to use but we do not find the
> > recorded audit event in that log file and so report an error (to stderr)
> > and return a new exit code (12)
> > - allows checkpointing to only use the recorded time from the checkpoint
> > file for comparisons.
>
> I'd like to look at these two pieces separately. Let's have 1 bug/feature per
> patch. This way if something looks good, it can be applied immediately.
> Whereas if something needs more discussion, it would block application of the
> part that is good.
>
>
> > You will note that the patch also contains changes to swig/audit.py.
> > Although this file is automatically generated, it is part of the 2.3.6
> > release ... should it be?
>
> I suppose it should be. What is in the release is decided by
> automake/autoconf. If there are any mistakes in the Makefile.am file, I would
> take a patch.
>
>
> > I also note that a lot of Makefile.in's are also part of the release. Again,
> > should these automatically generated files be part of the release?
>
> The audit package release is done by a script that pretty much does the
> following (it's way more complicated than this, but these are the essential
> pieces):
>
> mkdir audit
> cd audit
> svn co http://svn.fedorahosted.org/svn/audit/trunk .
> ./autogen.sh
> ./configure
> make -j 8 distcheck
>
> If it finishes saying it created the tar ball, I send it to rawhide to make
> sure it builds on a current OS. If that is also successful, then I push it to
> my people page and then commit a branch in svn. I also run the development
> audit package on all my systems during the whole development cycle to make
> sure bugs are fixed, nothing new shows up, and it builds under normal
> conditions.
>
> So, anything that is there, is because autotools think it should be there
> unless I made a mistake in a Makefile.am. :-) Patches are welcome.
>
> Thanks,
> -Steve
diff -Npru audit-2.3.6/docs/ausearch.8 audit-2.3.6_checkpt_2/docs/ausearch.8
--- audit-2.3.6/docs/ausearch.8 2014-04-12 05:49:28.000000000 +1000
+++ audit-2.3.6_checkpt_2/docs/ausearch.8 2014-04-18 12:27:44.403810759 +1000
@@ -50,6 +50,25 @@ Should the file or checkpointed complete
will terminate.
.TP
+.BR \-\-checkpoint-time-only
+When checkpointing, this option will only rely upon the checkpoint files'
+timestamp for comparison. Thus it will ignore inode, device, serial, node and
+event type.
+
+Essentailly, this is the recovery action should an \fIausearch\fP with a checkpoint fail with an
+exit status of 10, 11 or 12. An appropriate script extract might look like
+.sp
+.nf
+.na
+ ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
+ _au_status=$?
+ if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12
+ then
+ ausearch --checkpoint /usr/security/auditd_checkpoint.txt --checkpoint-time-only -i
+ fi
+.ad
+.fi
+.TP
.BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP
Search for an event based on the given syscall \fIexit code or errno\fP.
.TP
diff -Npru audit-2.3.6/src/ausearch.c audit-2.3.6_checkpt_2/src/ausearch.c
--- audit-2.3.6/src/ausearch.c 2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch.c 2014-04-18 11:48:22.459305753 +1000
@@ -236,8 +236,15 @@ static int process_logs(void)
*/
if ( (sbuf.st_dev == chkpt_input_dev) &&
(sbuf.st_ino == chkpt_input_ino) ) {
- found_chkpt_file = num++;
- break;
+
+ /*
+ * If we are only using the checkpoint file's time, then
+ * we always want to find the 'oldest' file. Thus we only break if we are NOT using the checkpoint files time only.
+ */
+ if (!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
+ found_chkpt_file = num++;
+ break;
+ }
}
}
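Review bot: The new test `!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)` spells a single-bit flag check in the long form; for a one-bit mask `if (!(control_options & OPT_CHKPT_TIME_ONLY))` is equivalent and is the usual idiom. The same expression recurs in the next hunk's `found_chkpt_file == -1` condition and, in its positive form, in chkpt_output_decision, so all three could be shortened together. The comment above it runs well past 80 columns; its substance is right and could be wrapped as `/* time-only mode: never stop at the checkpointed file; keep walking back to the oldest log */`. Note that in time-only mode `found_chkpt_file` stays -1 for the whole run, so any later use of it as a starting index presumably already treats -1 as "start from the oldest file"; worth confirming, since process_logs starts and ends outside the hunk.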
@@ -245,8 +252,10 @@ static int process_logs(void)
snprintf(filename, len, "%s.%d", config.log_file, num);
} while (1);
- /* If a checkpoint is loaded but can't find it's file, error */
- if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1) {
+ /* If a checkpoint is loaded but can't find it's file, and
+ * we are not only checking time, we need to error */
+ if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1
+ && !((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
free(filename);
free_config(&config);
return 10;
@@ -329,6 +338,25 @@ static int chkpt_output_decision(event *
return 1; /* can output on this event */
}
+ /*
+ * If we are ignoring all but event time, then we output if the current
+ * event's time is greater than or equal to the checkpoint time.
+ */
+ if ((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY) {
+ if (
+ (chkpt_input_levent.sec < e->sec)
+ ||
+ (
+ (chkpt_input_levent.sec == e->sec)
+ &&
+ (chkpt_input_levent.milli <= e->milli)
+ )
+ ) {
+ can_output = 1;
+ return 1; /* can output on this event */
+ }
+ }
+
if ( chkpt_input_levent.sec == e->sec &&
chkpt_input_levent.milli == e->milli &&
chkpt_input_levent.serial == e->serial &&
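Review bot: The time-only branch outputs an event whose timestamp equals the checkpoint's (`chkpt_input_levent.milli <= e->milli`), so a recovery run re-emits the checkpointed event itself and every other event in that millisecond, while the cover text says events "after" the checkpoint time. That is a defensible choice for a recovery path — duplicates are better than gaps once serial and node are ignored — but a consumer that de-duplicates on event id needs to know, so the block comment and the man page entry should say "at or after" explicitly. When the comparison fails the code falls through to the exact sec/milli/serial comparison below; an older event cannot satisfy that equality, so an explicit `return 0;` at the end of the time-only block would make the branch self-contained and keep it independent of whatever follows. chkpt_output_decision continues outside the hunk, so the effect of the fall-through is inferred.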
diff -Npru audit-2.3.6/src/ausearch-options.c audit-2.3.6_checkpt_2/src/ausearch-options.c
--- audit-2.3.6/src/ausearch-options.c 2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch-options.c 2014-04-18 11:53:20.588181948 +1000
@@ -72,6 +72,11 @@ ilist *event_type;
slist *event_node_list = NULL;
+/*
+ * Bitmap for command line options. See ausearch-options.h for values.
+ */
+unsigned control_options = 0x0;
+
struct nv_pair {
int value;
const char *name;
@@ -83,7 +88,8 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH,
+S_CHECKPOINT_TIME_ONLY };
static struct nv_pair optiontab[] = {
{ S_EVENT, "-a" },
@@ -92,6 +98,7 @@ static struct nv_pair optiontab[] = {
{ S_COMM, "-c" },
{ S_COMM, "--comm" },
{ S_CHECKPOINT, "--checkpoint" },
+ { S_CHECKPOINT_TIME_ONLY, "--checkpoint-time-only" },
{ S_DEBUG, "--debug" },
{ S_EXIT, "-e" },
{ S_EXIT, "--exit" },
@@ -183,6 +190,7 @@ static void usage(void)
"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
"\t-c,--comm <Comm name>\t\tsearch based on command line name\n"
"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
+ "\t--checkpoint-time-only\tuse only checkpoint time for comparisions when deciding to display output\n"
"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
"\t-e,--exit <Exit code or errno>\tsearch based on syscall exit code\n"
"\t-f,--file <File name>\t\tsearch based on file name\n"
@@ -1154,6 +1162,9 @@ int check_params(int count, char *vars[]
}
c++;
break;
+ case S_CHECKPOINT_TIME_ONLY:
+ control_options |= OPT_CHKPT_TIME_ONLY;
+ break;
default:
fprintf(stderr, "%s is an unsupported option\n",
vars[c]);
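Review bot: The new `S_CHECKPOINT_TIME_ONLY` case sets the flag unconditionally, so `--checkpoint-time-only` is accepted without `--checkpoint` and then silently does nothing. If check_params has a post-parse consistency section (the function continues outside the hunk), a check such as `if ((control_options & OPT_CHKPT_TIME_ONLY) && !checkpt_filename)` reporting the option as requiring `--checkpoint` would catch the misuse; otherwise the man page entry should state that the option is only meaningful together with `--checkpoint`.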
diff -Npru audit-2.3.6/src/ausearch-options.h audit-2.3.6_checkpt_2/src/ausearch-options.h
--- audit-2.3.6/src/ausearch-options.h 2014-04-12 05:49:25.000000000 +1000
+++ audit-2.3.6_checkpt_2/src/ausearch-options.h 2014-04-18 11:50:02.746403340 +1000
@@ -47,5 +47,15 @@ extern report_t report_format;
/* Function to process commandline options */
extern int check_params(int count, char *vars[]);
+/*
+ * Bitmap for command line options
+ */
+extern unsigned control_options;
+
+/*
+ * Flags for control_options
+ */
+#define OPT_CHKPT_TIME_ONLY 0x0001 /* when checkpointing, only use event time for comparisons */
+
#endif