Steve,

Please find attached a patch against 2.3.7 that adds a mode in which, when
checkpointing, ausearch uses only the event time recorded in the checkpoint
file when deciding which complete events to display. In effect, it displays
every complete event found at or after the event time recorded in the
checkpoint file.

Normally, one would use checkpointing in a periodic script that records
all 'new' audit events. Should certain errors occur, we need to recover
and continue recording 'new' audit events. This option allows us to do
a 'brute force' recovery by finding all events since the last recorded
time we have in the checkpoint file. Because only the timestamp is compared,
the checkpointed event itself, and any event sharing its timestamp, will be
reported again, so the consuming script should tolerate duplicates.

For example, the core of a periodic script may contain

  ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
  _aus=$?
  if test ${_aus} -eq 10 -o ${_aus} -eq 11 -o ${_aus} -eq 12
  then
    ausearch --checkpoint /usr/security/auditd_checkpoint.txt \
      --checkpoint-time-only -i
  fi


Rgds

 On Wed, 2014-06-04 at 17:47 -0400, Steve Grubb wrote:
> Hello,
> 
> I've just released a new version of the audit daemon. It can be downloaded 
> from http://people.redhat.com/sgrubb/audit. It will also be in rawhide  
> soon. The ChangeLog is:
> 
> - Limit number of options in a rule in libaudit
> - Auditctl cannot load rule with lots of syscalls (#1089713)
> - In ausearch, fix checkpointing when inode is reused by new log (Burn Alting)
> - Add PROCTITLE and FEATURE_CHANGE event types
> 
> Normally I'd wait a little longer to do a release but a couple things made me 
> want to keep this one short. The PROCTITLE event is showing up on people's 
> systems now and we need to support it. The other big change is that people 
> writing rules with lots of syscalls were getting an error such that the rule 
> would not load. It took two fixes to get it squared away.
> 
> Please let me know if you run across any problems with this release
> 
> Thanks,
> -Steve
> 
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

diff -Npru audit-2.3.7/docs/ausearch.8 audit-2.3.7-checkpoint_tonly/docs/ausearch.8
--- audit-2.3.7/docs/ausearch.8	2014-06-04 02:06:03.000000000 +1000
+++ audit-2.3.7-checkpoint_tonly/docs/ausearch.8	2014-06-09 11:18:35.368953446 +1000
@@ -47,7 +47,25 @@ complete events until it matches the che
 outputting complete events.
 
 Should the file or the last checkpointed event not be found, one of a number of errors will result and ausearch will terminate. See \fBEXIT STATUS\fP for detail.
+.TP
+.BR \-\-checkpoint-time-only
+When checkpointing, this option will only rely upon the checkpoint files'
+timestamp for comparison. Thus it will ignore inode, device, serial, node and
+event type.
 
+Essentailly, this is the recovery action should an \fIausearch\fP with a checkpoint fail with an
+exit status of 10, 11 or 12. An appropriate script extract might look like
+.sp
+.nf
+.na
+  ausearch --checkpoint /usr/security/auditd_checkpoint.txt -i
+  _au_status=$?
+  if test ${_au_status} -eq 10 -o ${_au_status} -eq 11 -o ${_au_status} -eq 12
+  then
+    ausearch --checkpoint /usr/security/auditd_checkpoint.txt --checkpoint-time-only -i
+  fi
+.ad
+.fi
 .TP
 .BR \-e,\  \-\-exit \ \fIexit-code-or-errno\fP
 Search for an event based on the given syscall \fIexit code or errno\fP.
diff -Npru audit-2.3.7/src/ausearch.c audit-2.3.7-checkpoint_tonly/src/ausearch.c
--- audit-2.3.7/src/ausearch.c	2014-06-04 02:06:00.000000000 +1000
+++ audit-2.3.7-checkpoint_tonly/src/ausearch.c	2014-06-09 13:07:35.600423157 +1000
@@ -244,8 +244,16 @@ static int process_logs(void)
 			 */
 			if (	(sbuf.st_dev == chkpt_input_dev) &&
 				(sbuf.st_ino == chkpt_input_ino) ) {
-				found_chkpt_file = num++;
-				break;
+				/*
+ 				 * If we are only using the checkpoint time, then
+ 				 * we always want to find the 'oldest' file.
+ 				 * Thus we only break if we are NOT using the
+ 				 * checkpoint time only.
+ 				 */
+				if (!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
+					found_chkpt_file = num++;
+					break;
+				}
 			}
 		}
 
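Review bot: The new comment says time-only mode "always want[s] to find the 'oldest' file", but the code only suppresses recording found_chkpt_file on a dev/inode match; which file the search then starts from is decided after the loop, where found_chkpt_file is still -1, so the comment describes an intent this loop does not implement. Suggest `/* Time-only mode: ignore the dev/inode match and leave found_chkpt_file at -1 so the code after the loop falls back to its no-match behaviour. */`, with the fallback left unnamed since it is outside this hunk. For a single-bit flag, `!((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)` is just `!(control_options & OPT_CHKPT_TIME_ONLY)`. process_logs begins and ends outside this hunk.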
@@ -253,8 +261,10 @@ static int process_logs(void)
 		snprintf(filename, len, "%s.%d", config.log_file, num);
 	} while (1);
 
-	/* If a checkpoint is loaded but can't find it's file, error */
-	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1) {
+	/* If a checkpoint is loaded but can't find it's file, and
+	 * we are not checking the checkpoint time only, we need to error */
+	if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1
+	&& !((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY)) {
 		free(filename);
 		free_config(&config);
 		return 10;
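Review bot: The error test now spans two lines with `&&` at column 0 and repeats the flag comparison already written inside the loop above; computing it once before the loop, `const int time_only = (control_options & OPT_CHKPT_TIME_ONLY) != 0;`, and writing `if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1 && !time_only)` keeps both sites readable and guarantees they stay in step. Note also that in time-only mode a checkpoint whose log file has disappeared is no longer reported at all; a short stderr diagnostic when this recovery path is taken would let operators see that a brute-force replay happened rather than a normal incremental run. process_logs continues outside the hunk.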
@@ -342,6 +352,25 @@ static int chkpt_output_decision(event *
 		return 1;	/* can output on this event */
 	}
 
+	/*
+	 * If we are ignoring all but event time, then we output if the current
+	 * event's time is greater than or equal to the checkpoint time.
+	 */
+	if ((control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY) {
+		if (
+			(chkpt_input_levent.sec < e->sec)
+		||
+			(
+				(chkpt_input_levent.sec == e->sec)
+			&&
+				(chkpt_input_levent.milli <= e->milli)
+			)
+		) {
+			can_output = 1;
+			return 1;   /* can output on this event */
+		}
+	}
+
 	if ( chkpt_input_levent.sec == e->sec &&
 		chkpt_input_levent.milli == e->milli &&
 		chkpt_input_levent.serial == e->serial &&
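Review bot: The time-only branch compares with `<=` on milli, so the checkpointed event itself, and every other event carrying the same second/millisecond, is emitted again, whereas the cover letter and man page describe the output as events "after" the checkpoint time. Either document that recovery deliberately replays duplicates, e.g. `/* <= on purpose: replay the checkpointed event and anything sharing its timestamp rather than risk losing same-millisecond events */`, or change it to a strict `<` and accept dropping same-millisecond events; the comment is the safer choice for a recovery path. Because this mode trusts wall-clock time alone, a backwards clock step between runs would silently skip events and a forward step would replay more of them, which is worth one sentence in the man page since the consuming script must deduplicate either way. chkpt_output_decision begins and ends outside this hunk.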
diff -Npru audit-2.3.7/src/ausearch-options.c audit-2.3.7-checkpoint_tonly/src/ausearch-options.c
--- audit-2.3.7/src/ausearch-options.c	2014-06-04 02:06:00.000000000 +1000
+++ audit-2.3.7-checkpoint_tonly/src/ausearch-options.c	2014-06-09 11:26:59.492025107 +1000
@@ -72,6 +72,11 @@ ilist *event_type;
 
 slist *event_node_list = NULL;
 
+/*
+ * Bitmap for command line options. See ausearch-options.h for values.
+ */
+unsigned        control_options = 0x0;
+
 struct nv_pair {
     int        value;
     const char *name;
@@ -83,7 +88,8 @@ S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAG
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
-S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
+S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH,
+S_CHECKPOINT_TIME_ONLY };
 
 static struct nv_pair optiontab[] = {
 	{ S_EVENT, "-a" },
@@ -92,6 +98,7 @@ static struct nv_pair optiontab[] = {
 	{ S_COMM, "-c" },
 	{ S_COMM, "--comm" },
 	{ S_CHECKPOINT, "--checkpoint" },
+	{ S_CHECKPOINT_TIME_ONLY, "--checkpoint-time-only" },
 	{ S_DEBUG, "--debug" },
 	{ S_EXIT, "-e" },
 	{ S_EXIT, "--exit" },
@@ -183,6 +190,7 @@ static void usage(void)
 	"\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n"
 	"\t-c,--comm  <Comm name>\t\tsearch based on command line name\n"
 	"\t--checkpoint <checkpoint file>\tsearch from last complete event\n"
+	"\t--checkpoint-time-only\tuse only checkpoint time for comparisions when deciding to display output\n"
 	"\t--debug\t\t\tWrite malformed events that are skipped to stderr\n"
 	"\t-e,--exit  <Exit code or errno>\tsearch based on syscall exit code\n"
 	"\t-f,--file  <File name>\t\tsearch based on file name\n"
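Review bot: The new usage string misspells "comparisons" as "comparisions", and since this is user-visible text it should be fixed before merge, e.g. `"\t--checkpoint-time-only\t\tuse only the checkpoint time when deciding what to output\n"`. With 8-column tab stops the two tabs bring the description to column 40, matching the `--checkpoint <checkpoint file>\t` entry above it, where the single tab currently lands at 32. The shorter wording also keeps the line close to the width of its neighbours. usage() continues outside the hunk.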
@@ -1154,6 +1162,9 @@ int check_params(int count, char *vars[]
 			}
 			c++;
 			break;
+		case S_CHECKPOINT_TIME_ONLY:
+			control_options |= OPT_CHKPT_TIME_ONLY;
+			break;
 		default:
 			fprintf(stderr, "%s is an unsupported option\n", 
 				vars[c]);
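Review bot: `--checkpoint-time-only` is accepted without `--checkpoint`, in which case the flag is set and, as far as the visible hunks show, changes nothing, since its readers sit on the checkpoint paths in process_logs and chkpt_output_decision. Because the two options may appear in either order, the check belongs after the parsing loop, which is outside this hunk: `if ((control_options & OPT_CHKPT_TIME_ONLY) && checkpt_filename == NULL) { fprintf(stderr, "--checkpoint-time-only requires --checkpoint\n"); retval = -1; }`, substituting whatever failure value check_params returns for invalid combinations, which I am inferring rather than seeing. A silently ignored recovery switch is exactly the kind of thing that goes unnoticed in a cron script until events are lost. check_params continues outside the hunk.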
diff -Npru audit-2.3.7/src/ausearch-options.h audit-2.3.7-checkpoint_tonly/src/ausearch-options.h
--- audit-2.3.7/src/ausearch-options.h	2014-06-04 02:06:00.000000000 +1000
+++ audit-2.3.7-checkpoint_tonly/src/ausearch-options.h	2014-06-09 11:28:10.528053456 +1000
@@ -47,5 +47,15 @@ extern report_t report_format;
 /* Function to process commandline options */
 extern int check_params(int count, char *vars[]);
 
+/*
+ * Bitmap for command line options
+ */
+extern unsigned control_options;
+
+/*
+ * Flags for control_options
+ */
+#define OPT_CHKPT_TIME_ONLY     0x0001  /* when checkpointing, only use the checkpoint event time for comparisons */ 
+
 #endif
 
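Review bot: The flag is tested in three places as `(control_options & OPT_CHKPT_TIME_ONLY) == OPT_CHKPT_TIME_ONLY`; give the header a single accessor so the call sites cannot drift apart: `#define CHKPT_TIME_ONLY() ((control_options & OPT_CHKPT_TIME_ONLY) != 0)`. Since control_options is declared `unsigned`, write the constant as `0x0001u` so later flags combine without signed/unsigned conversions, and drop the trailing whitespace after the comment on that line. A one-line comment saying the bitmap is populated by check_params and read by the checkpoint code in ausearch.c would orient the next reader; the rest of this header is outside the hunk.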