auditd - hostname in trail file name patch
Robert Watson
rwatson at FreeBSD.org
Sat Nov 25 11:46:12 UTC 2006
On Tue, 14 Nov 2006, Martin Voros wrote:
> Robert Watson <rwatson at FreeBSD.org> wrote:
> On Thu, 26 Oct 2006, Martin Voros wrote:
>
>> I've prepared another patch which puts the hostname in the trail file name (another
>> point from TODO list). Format is timestamp.timestamp.hostname or
>> timestamp.not_terminated.hostname
>>
>> Again of course all comments are welcome.
>
> Having now returned from EuroBSDCon, I'm trying to catch up on e-mail. My
> suggestion here would be to switch to using asprintf() to de-complicate the
> buffer length calculation, which otherwise is probably the riskiest part of
> the change.
>
> I've prepared a new patch, which uses asprintf instead of strcat and malloc.

Martin,

Again, a rather long delay -- sorry about that! Thanks for the revised patch.
I've run into a problem with it, however -- if the hostname changes between
when auditd opens a trail (affixdir) and when it closes it (close_lastfile),
then the filename at creation and removal differs. I think we need to
rearrange things in auditd so that close_lastfile() operates on a cached copy
of the filename, rather than attempting to reconstruct the last filename since
it can no longer be done without maintaining state. Is this something you
could investigate?

Thanks,
Robert N M Watson
Computer Laboratory
University of Cambridge
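
The caching approach suggested in the message above, sketched as an added example (not code from auditd or from either patch): the open path builds the name with asprintf() and keeps it, and the close path derives the terminated name from that cached copy without consulting the hostname again. The names trail_open, trail_close, cur_trail and MARK are hypothetical, and the timestamps and hostnames are constructed.

```c
#define _GNU_SOURCE                       /* exposes asprintf() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int asprintf(char **, const char *, ...); /* in case feature macros hide it */

#define MARK ".not_terminated."
static char *cur_trail;                   /* cached name of the open trail */

/* Name a new trail "start.not_terminated.host" and cache that name. */
const char *trail_open(const char *start_ts, const char *host)
{
    free(cur_trail);
    if (asprintf(&cur_trail, "%s" MARK "%s", start_ts, host) < 0)
        cur_trail = NULL;                 /* pointer is undefined on failure */
    return cur_trail;
}

/*
 * Derive "start.end.host" from the cached name alone; the hostname is not
 * looked up again. Returns a malloc'd string, or NULL if no trail is open
 * or allocation fails.
 */
char *trail_close(const char *end_ts)
{
    char *closed = NULL, *m;
    if (cur_trail == NULL)
        return NULL;
    m = strstr(cur_trail, MARK);          /* first match follows start_ts */
    if (m != NULL && asprintf(&closed, "%.*s.%s.%s", (int)(m - cur_trail),
        cur_trail, end_ts, m + strlen(MARK)) < 0)
        closed = NULL;
    /* auditd would rename(cur_trail, closed) at this point */
    free(cur_trail);
    cur_trail = NULL;
    return closed;
}

int main(void)
{
    const char *o = trail_open("20061125114612", "hosta");
    printf("open:  %s\n", o ? o : "(failed)");
    /* ... hostname is changed to "hostb" while the trail is open ... */
    char *closed = trail_close("20061125120000");
    printf("close: %s\n", closed ? closed : "(none)");
    free(closed);
    return 0;
}
```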