PERFORCE change 73905 for review
Wayne Salamon
wsalamon at FreeBSD.org
Sun Mar 27 01:58:59 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=73905
Change 73905 by wsalamon at rickenbacker on 2005/03/27 01:58:31
Add a new trigger for the hard limit on disk space. 'Hard' means there
are very few blocks left, and the audit daemon needs to take action.
I am staging this change in two pieces: First the basics, not tested
yet. Next, possibly have the kernel suspend auditing when the hard
limit is reached.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#9 edit
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#11 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#18 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#9 (text+ko) ====
@@ -471,17 +471,16 @@
syslog(LOG_ERR, "Error swapping audit file\n");
}
- /*
- * check if the next dir has already reached its
- * soft limit
- */
- dirent = TAILQ_FIRST(&dir_q);
- if(dirent->softlim == 1) {
- /* all dirs have reached their soft limit */
- audit_warn_allsoft();
- }
+ /*
+ * check if the next dir has already reached its
+ * soft limit
+ */
+ dirent = TAILQ_FIRST(&dir_q);
+ if(dirent->softlim == 1) {
+ /* all dirs have reached their soft limit */
+ audit_warn_allsoft();
}
- else {
+ } else {
/*
* Continue auditing to the current file
* Also generate an allsoft warning
@@ -491,13 +490,29 @@
}
break;
+ case AUDITD_TRIGGER_NO_SPACE:
+ syslog(LOG_INFO, "Got no space trigger\n");
+
+ /* delete current dir, go on to next */
+ TAILQ_REMOVE(&dir_q, dirent, dirs);
+ audit_warn_hard(dirent->dirname);
+ free(dirent->dirname);
+ free(dirent);
+
+ if(swap_audit_file() == -1)
+ syslog(LOG_ERR, "Error swapping audit file\n");
+
+ /* We are out of log directories */
+ audit_warn_allhard(++allhardcount);
+
+ break;
+
case AUDITD_TRIGGER_OPEN_NEW :
syslog(LOG_INFO, "Got open new trigger\n");
/* create a new file and swap with the one being
* used in kernel */
- if(swap_audit_file() == -1) {
+ if(swap_audit_file() == -1)
syslog(LOG_ERR, "Error swapping audit file\n");
- }
break;
case AUDITD_TRIGGER_READ_FILE :
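Review bot: The new `AUDITD_TRIGGER_NO_SPACE` case hands `dirent` to `TAILQ_REMOVE` and then frees it, but nothing visible in the case assigns `dirent`. The only assignment in view is `dirent = TAILQ_FIRST(&dir_q)` in the low-space branch above, so this may act on a stale or already-freed entry, and on an empty queue it would dereference NULL. Fetch the head at the top of the case and skip the removal when it is NULL. `audit_warn_allhard(++allhardcount)` also runs on every trigger although its comment says the daemon is out of log directories; it presumably belongs on the `swap_audit_file() == -1` path. The switch and its function start and end outside the hunk, so an earlier assignment to `dirent` cannot be ruled out.

```c
case AUDITD_TRIGGER_NO_SPACE:
	/* … unchanged: syslog of the trigger … */
	dirent = TAILQ_FIRST(&dir_q);
	if (dirent != NULL) {
		/* … unchanged: TAILQ_REMOVE, audit_warn_hard, free of dirname and dirent … */
	}

	if (swap_audit_file() == -1) {
		syslog(LOG_ERR, "Error swapping audit file\n");
		/* We are out of log directories */
		audit_warn_allhard(++allhardcount);
	}
	break;
```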
==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#11 (text+ko) ====
@@ -44,6 +44,11 @@
*/
#define AUDITD_TRIGGER_FILE "/dev/audit"
+/*
+ * Minimum noumber of free blocks on the filesystem containing the audit
+ * log necessary to avoid a hard log rotation.
+ */
+#define AUDIT_HARD_LIMIT_FREE_BLOCKS 16
/*
* Triggers for the audit daemon
*/
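Review bot: `AUDIT_HARD_LIMIT_FREE_BLOCKS` is a bare count of 16 blocks, and its comment does not say that the unit is filesystem blocks, so the amount of space treated as the hard limit changes with the block size of whatever filesystem holds the log. The kernel hunk in this change compares it directly against `mnt_stat->f_bfree`. The comment should state the unit and the consequence, and "noumber" is a typo. I would write `/* Minimum number of free blocks (f_bfree units, not bytes) on the filesystem holding the audit log; below this the kernel sends AUDITD_TRIGGER_NO_SPACE. */`.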
@@ -51,6 +56,7 @@
#define AUDITD_TRIGGER_OPEN_NEW 2
#define AUDITD_TRIGGER_READ_FILE 3
#define AUDITD_TRIGGER_CLOSE_AND_DIE 4
+#define AUDITD_TRIGGER_NO_SPACE 5
/*
* Pre-defined audit IDs
==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#18 (text+ko) ====
@@ -323,7 +323,6 @@
struct ucred *cred, struct thread *td)
{
int ret;
- int trigger;
long temp;
struct au_record *bsm;
struct vattr vattr;
@@ -357,24 +356,34 @@
*/
/*
- * If we fall below percent free blocks, then trigger the
- * audit daemon to do something about it.
+ * If we fall below minimum free blocks (hard limit), tell the audit
+ * daemon to force a rotation off of the file system. If we fall
+ * below the minimum percent free blocks (soft limit), then kindly
+ * suggest to the audit daemon to do something.
*/
- if (audit_qctrl.aq_minfree != 0) {
- temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree);
- if (mnt_stat->f_bfree < temp) {
- trigger = AUDITD_TRIGGER_LOW_SPACE;
- ret = send_trigger(AUDITD_TRIGGER_LOW_SPACE);
- if (ret != 0) {
- printf(
- "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
+ if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) {
+ ret = send_trigger(AUDITD_TRIGGER_NO_SPACE);
+ if (ret != 0) {
+ printf(
+ "Failed audit_triggers(AUDIT_TRIGGER_NO_SPACE): %d\n", ret);
/*
* XXX: What to do here? Disable auditing?
* panic?
*/
+ }
+ } else
+ if (audit_qctrl.aq_minfree != 0) {
+ temp = mnt_stat->f_blocks / (100 /
+ audit_qctrl.aq_minfree);
+ if (mnt_stat->f_bfree < temp) {
+ ret = send_trigger(AUDITD_TRIGGER_LOW_SPACE);
+ if (ret != 0) {
+ printf(
+ "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret);
+ }
}
}
- }
+
/* Check if the current log file is full; if so, call for
* a log rotate. This is not an exact comparison; we may
* write some records over the limit. If that's not
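Review bot: The send under `if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS)` has no one-shot guard, so it looks as though every pass through this check while the filesystem stays under the limit sends another `AUDITD_TRIGGER_NO_SPACE`. The auditd handler in this change drops one log directory per trigger, so a burst of records could empty the directory list. The rotate path further down already latches on `audit_file_rotate_wait`; a similar flag, set when the trigger is sent and presumably cleared once the daemon has switched files, would prevent that. Separately, `mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree)` divides by zero when `aq_minfree` is above 100, unless that is validated where it is set, which is not visible here. `temp = mnt_stat->f_blocks / 100 * audit_qctrl.aq_minfree;` avoids that and the rounding of `100 / aq_minfree`. The enclosing function starts and ends outside the hunk.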
@@ -384,7 +393,6 @@
(audit_file_rotate_wait == 0) &&
(vattr.va_size >= audit_fstat.af_filesz)) {
audit_file_rotate_wait = 1;
- trigger = AUDITD_TRIGGER_OPEN_NEW;
ret = send_trigger(AUDITD_TRIGGER_OPEN_NEW);
if (ret != 0) {
printf(