PERFORCE change 63747 for review

Wayne Salamon wsalamon at FreeBSD.org
Mon Oct 25 21:21:33 GMT 2004


http://perforce.freebsd.org/chv.cgi?CH=63747

Change 63747 by wsalamon at wsalamon_epi on 2004/10/25 21:21:11

	Fix some of the audit log rotation issues. First, have the kernel send
	the correct command to auditd to rotate the files. Second, have auditd
	NOT skip to the next entry in the audit directory list with the rotate
	command. There's still an issue of timeouts: auditd waits a period of
	time between rotations (30s), and the kernel waits for an indication
	from auditd that the rotation has taken place. Result is that if
	two rotations are justified within that 30s period, no rotation will
	take place until auditd is restarted.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#6 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#6 edit
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#7 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#11 edit

Differences ...

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#6 (text+ko) ====

@@ -8,9 +8,9 @@
 
 all: audit_warn auditd
 audit_warn: audit_warn.c
-	$(CC) -c audit_warn.c -o audit_warn.o
+	$(CC) $(CFLAGS) -c audit_warn.c -o audit_warn.o
 auditd: auditd.c
-	$(CC) -lbsm auditd.c audit_warn.o -o auditd
+	$(CC) $(CFLAGS) -lbsm auditd.c audit_warn.o -o auditd
 
 install:
 	install -d /usr/share/man/man8

==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#6 (text+ko) ====

@@ -178,6 +178,8 @@
 	/* try until we succeed */
 	while((dirent = TAILQ_FIRST(&dir_q))) {
 		if((fn = affixdir(timestr, dirent)) == NULL) {
+			syslog(LOG_INFO, "Failed to swap log  at time %s\n", 
+				timestr);
 			return -1;
 		}
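Review bot: The syslog message added here carries a trailing `\n` and a doubled space in `"Failed to swap log  at time"`; syslog(3) adds no line structure of its own and the embedded newline is passed through to whatever backend receives it. Suggest `syslog(LOG_INFO, "Failed to swap log at time %s", timestr);`, and since this path gives up on the swap, LOG_WARNING or LOG_ERR fits better than LOG_INFO. The same trailing-newline form is used by the messages added in the other auditd.c hunks ("Log directories exhausted", "Got low space trigger", "Got open new trigger", "Got read file trigger", "Got close and die trigger"). The enclosing function starts before this hunk.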
 
@@ -198,7 +200,7 @@
 			return 0;
 		}
 
-		/* Tell the administrator about lack of permissions for dirent */ 
+		/* Tell the administrator about lack of permissions for dir */ 
 		audit_warn_getacdir(dirent->dirname);
 
 		/* Try again with a different directory */
@@ -206,6 +208,7 @@
 		free(dirent->dirname);
 		free(dirent);
 	}
+	syslog(LOG_INFO, "Log directories exhausted\n");
 	return -1;
 }
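Review bot: `"Log directories exhausted"` is logged at LOG_INFO although it is emitted only when every directory in dir_q has been tried and discarded and the function is about to return -1, i.e. auditd has nowhere left to write. Anyone filtering the audit daemon's log on LOG_ERR and above will not see the one message that says audit trail collection has stopped. Suggest `syslog(LOG_ERR, "Log directories exhausted");`. The enclosing function (the swap routine, judging by the first hunk's message) starts before this hunk.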
 
@@ -435,23 +438,25 @@
 
 	if(gettimeofday(&ts, &tzp) == 0) {
 		tt = (time_t)ts.tv_sec;
-		if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {
+		if ((flags == last_flags) && 
+		    (tt < (last_time + DUPLICATE_INTERVAL))) {
 			return 0;
 		}
 		last_flags = flags;
 		last_time = tt;
 	}
 
-		syslog(LOG_INFO, 
-		  "handle_audit_trigger() called within auditd with flags = %d\n",
+	syslog(LOG_INFO, 
+	  "handle_audit_trigger() called within auditd with flags = %d\n",
 			flags);
 	/* 
-	 * XXX Message processing is done here 
+	 * Message processing is done here 
  	 */
 	dirent = TAILQ_FIRST(&dir_q); 
 	switch(flags) {
 
 	case AUDITD_TRIGGER_LOW_SPACE:
+		syslog(LOG_INFO, "Got low space trigger\n");
 		if(dirent && (dirent->softlim != 1)) {
 			TAILQ_REMOVE(&dir_q, dirent, dirs);
 				/* add this node to the end of the list */
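Review bot: A trigger suppressed by the duplicate check at the top of this hunk returns 0 before the "handle_audit_trigger() called" syslog, so a dropped request leaves no trace in the log. With AUDITD_TRIGGER_FILE_FULL folded into AUDITD_TRIGGER_OPEN_NEW, that silent drop is the path that ends in the stuck state the change description mentions: the kernel sends OPEN_NEW only while `audit_file_rotate_wait == 0` and then waits, so a second rotation request inside DUPLICATE_INTERVAL is discarded here and never re-sent. At minimum log the suppression before `return 0;`, e.g. `syslog(LOG_DEBUG, "Duplicate trigger %d suppressed", flags);`, and consider exempting AUDITD_TRIGGER_OPEN_NEW from the duplicate check since the kernel already rate-limits it with that flag. handle_audit_trigger starts before this hunk and continues past it.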
@@ -459,7 +464,8 @@
 				audit_warn_soft(dirent->dirname);
 				dirent->softlim = 1;
 						
-			if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && swap_audit_file() == -1) {
+			if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && 
+			    swap_audit_file() == -1) {
 				syslog(LOG_ERR, "Error swapping audit file\n");
 			}
 
@@ -482,23 +488,9 @@
 			audit_warn_allsoft();
 		}
 		break;
-	case AUDITD_TRIGGER_FILE_FULL:
 
-		/* delete current dir, go on to next */
-		TAILQ_REMOVE(&dir_q, dirent, dirs);
-        	audit_warn_hard(dirent->dirname);
-        	free(dirent->dirname);
-        	free(dirent);
-
-		if(swap_audit_file() == -1) {
-			syslog(LOG_ERR, "Error swapping audit file in "
-		 	    "response to AUDITD_TRIGGER_FILE_FULL message\n");	
-	
-			/* Nowhere to write to */
-			audit_warn_allhard(++allhardcount);
-		}
-		break;
 	case AUDITD_TRIGGER_OPEN_NEW :
+		syslog(LOG_INFO, "Got open new trigger\n");
 		/* create a new file and swap with the one being 
 		 * used in kernel */
 		if(swap_audit_file() == -1) {
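Review bot: Dropping the AUDITD_TRIGGER_FILE_FULL case also drops the only calls in this hunk to `audit_warn_hard(dirent->dirname)` and `audit_warn_allhard(++allhardcount)`, the administrator notifications for a directory that has reached its hard limit and for running out of directories entirely. A full file now arrives as AUDITD_TRIGGER_OPEN_NEW, whose swap-failure handling continues outside this hunk; unless that path issues the same warnings, filling the last directory no longer alerts anyone, which is the condition an operator most needs to hear about. Either re-issue `audit_warn_allhard(++allhardcount);` on the OPEN_NEW swap-failure path or state in the commit why the hard-limit warnings are no longer needed; `allhardcount` may also be left unreferenced, which the compiler should now report.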
@@ -507,12 +499,14 @@
 		break;
 
 	case AUDITD_TRIGGER_READ_FILE :
+		syslog(LOG_INFO, "Got read file trigger\n");
 		if(read_control_file() == -1) {
 			syslog(LOG_ERR, "Error in audit control file\n");				
 		}
 		break;
 
 	case AUDITD_TRIGGER_CLOSE_AND_DIE : 
+		syslog(LOG_INFO, "Got close and die trigger\n");
 		rc = close_all();
 		exit (rc);
 		break;

==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#7 (text+ko) ====

@@ -45,10 +45,9 @@
  * Triggers for the audit daemon
  */
 #define AUDITD_TRIGGER_LOW_SPACE	1
-#define AUDITD_TRIGGER_FILE_FULL	2
-#define AUDITD_TRIGGER_OPEN_NEW 	3
-#define AUDITD_TRIGGER_READ_FILE 	4
-#define AUDITD_TRIGGER_CLOSE_AND_DIE 	5
+#define AUDITD_TRIGGER_OPEN_NEW 	2
+#define AUDITD_TRIGGER_READ_FILE 	3
+#define AUDITD_TRIGGER_CLOSE_AND_DIE 	4
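Review bot: Renumbering the remaining triggers changes the kernel/userland wire values in a header both sides compile against, so a kernel and an auditd built from different revisions will misread each other: an auditd built before this change receives the new READ_FILE (3) as OPEN_NEW and the new CLOSE_AND_DIE (4) as READ_FILE, and a new auditd receiving the old READ_FILE (4) treats it as CLOSE_AND_DIE and exits, stopping audit collection on a routine control-file reload. Keeping the existing values and only retiring the removed one avoids this, i.e. leave `AUDITD_TRIGGER_OPEN_NEW 3`, `AUDITD_TRIGGER_READ_FILE 4` and `AUDITD_TRIGGER_CLOSE_AND_DIE 5` as they were, with a comment that value 2 is retired. If the values must change, a note in the commit that kernel and auditd have to be updated together would help whoever bisects this later.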
 
 /*
  * Pre-defined audit IDs

==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#11 (text+ko) ====

@@ -285,14 +285,14 @@
 		    (audit_file_rotate_wait == 0) && 
 		    (vattr.va_size >= audit_fstat.af_filesz)) {
 			audit_file_rotate_wait = 1;
-			trigger = AUDITD_TRIGGER_FILE_FULL;
+			trigger = AUDITD_TRIGGER_OPEN_NEW;
 			ret = vn_rdwr(UIO_WRITE, auditd_ctl_vp, 
 			    (void *)&trigger, sizeof(trigger), 
 			    (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, 
 		 	    cred, NULL, NULL, td);
 			if (ret != 0) {
 				printf(
-    "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
+    "Failed audit_triggers(AUDITD_TRIGGER_OPEN_NEW): %d\n", ret);
 			/* XXX what to do here? */
 			}
 		}
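Review bot: `audit_file_rotate_wait = 1` is set before the vn_rdwr() that delivers the trigger, and the `ret != 0` branch only prints and leaves the `/* XXX what to do here? */` comment, so a failed write to the auditd control file leaves the flag set and no trigger is ever sent again: the file keeps growing past af_filesz with only a console printf to show for it. Clearing the flag on failure, `if (ret != 0) { audit_file_rotate_wait = 0; printf(...); }`, lets the next write retry the trigger; if retrying is not wanted, the comment should say so rather than remain an open XXX. The enclosing function starts before and continues past this hunk.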


