On Fri, 2009-10-30 at 10:56 -0400, Steve Grubb wrote:
> On Monday 26 October 2009 10:46:33 am LC Bruzenak wrote:
> > On Sat, 2009-10-17 at 11:55 -0400, Steve Grubb wrote:
> ...
> > >
> > > - If audisp-remote plugin has a queue at exit, use non-zero exit code
> > > - In auditd, tell libev to stop processing a connection when idle timeout
> > > - In auditd, tell libev to stop processing a connection when shutting down
> > >
> > > This release fixes a bug introduced in the 1.7.15 release. The main
> > > problem was that the idle timeout was not telling libev to stop
> > > processing the associated socket when it closed an idle connection.
> > > Subsequent reconnects would go into an error state and libev would
> > > immediately close the new connection. This update fixes that problem. I
> > > also applied a patch from trunk that checks the queue size on exit of
> > > audisp-remote to decide if it was successful or not.
> > >
> > > Please let me know if you run across any problems with this release.
> >
> > Is there any indication that this event has happened being logged?
>
> This was a bugfix where libev was not being told that the connection was
> closed by the auditd code. The fix is right below the syslog message saying
> this happened.
>
> -Steve

Steve,

Thinking about the client network connection timeout...

I am wondering if this is a serious enough condition to warrant inserting an audit event in addition to the syslog.

For me it is, because sending a termination event from the client is both difficult and unreliable, and I am supposed to provide client (sender) startup/shutdown data. For me, the connection termination is a good indication, so I will probably patch mine. I wonder if it would be helpful for others as well.

Thx,
LCB.

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
