Change 208383 by pjd@pjd_slayer on 2012/03/22 18:01:36 Currently when we discover that trail file is greater than configured limit we send AUDIT_TRIGGER_ROTATE_KERNEL trigger to the auditd daemon once. If for some reason auditd didn't rotate trail file it will never be rotated. Change it by sending the trigger when trail file size grows by the configured limit. For example if the limit is 1MB, we will send trigger on 1MB, 2MB, 3MB, etc. This is also needed for the auditd change that will be committed soon where auditd may ignore the trigger. Affected files ... ... //depot/user/pjd/auditdistd/sys/security/audit/audit_worker.c#4 edit Differences ... ==== //depot/user/pjd/auditdistd/sys/security/audit/audit_worker.c#4 (text) ==== @@ -190,11 +190,11 @@ * to the daemon. This is only approximate, which is fine as more * records may be generated before the daemon rotates the file. */ - if ((audit_fstat.af_filesz != 0) && (audit_file_rotate_wait == 0) && - (audit_size >= audit_fstat.af_filesz)) { + if (audit_fstat.af_filesz != 0 && + audit_size >= audit_fstat.af_filesz * (audit_file_rotate_wait + 1)) { AUDIT_WORKER_LOCK_ASSERT(); - audit_file_rotate_wait = 1; + audit_file_rotate_wait++; (void)audit_send_trigger(AUDIT_TRIGGER_ROTATE_KERNEL); } Change 208444 by pjd@pjd_slayer on 2012/03/23 22:29:49 Defer trail termination if prefix is equal to suffix. This means that trail files are terminated too quickly and if the next one is terminated within the same second it will overwrite the current one. Kernel code was updated to repeat sending termination trigger. Affected files ... ... //depot/user/pjd/auditdistd/contrib/openbsm/bin/auditd/auditd.c#9 edit Differences ... ==== //depot/user/pjd/auditdistd/contrib/openbsm/bin/auditd/auditd.c#9 (text) ==== 
@@ -199,12 +199,31 @@ swap_audit_file(void) { int err; - char *newfile; + char *newfile, *name; char TS[TIMESTAMP_LEN + 1]; time_t tt; if (getTSstr(tt, TS, sizeof(TS)) != 0) return (-1); + /* + * If prefix and suffix are the same, it means that records are + * being produced too fast. We don't want to rename now, because + * next trail file can get the same name and once that one is + * terminated also within one second it will overwrite the current + * one. Just keep writing to the same trail and wait for the next + * trigger from the kernel. + */ + if (lastfile == NULL) { + name = NULL; + } else { + name = strrchr(lastfile, '/'); + if (name != NULL) + name++; + } + if (name != NULL && strncmp(name, TS, TIMESTAMP_LEN) == 0) { + auditd_log_debug("Not ready to terminate trail file yet."); + return (0); + } err = auditd_swap_trail(TS, &newfile, audit_review_gid, audit_warn_getacdir); if (err != ADE_NOERR) {
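Review bot: on the audit_worker.c hunk of change 208383, the new condition `audit_size >= audit_fstat.af_filesz * (audit_file_rotate_wait + 1)` multiplies the configured limit by a counter that now grows without bound for as long as auditd ignores the trigger; make sure `audit_file_rotate_wait` is wide enough (or cast the `(audit_file_rotate_wait + 1)` term to the type of `af_filesz`) so the product cannot wrap and silently stop the AUDIT_TRIGGER_ROTATE_KERNEL trigger, and confirm the counter is still reset to 0 at the point where the trail is actually rotated, since otherwise the next trail inherits a large multiplier and its first trigger is delayed by that many limits. The block comment above the check ("This is only approximate ...") should also be updated to say the trigger is now repeated at each multiple of af_filesz rather than sent once.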
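Review bot: on the auditd.c hunk of change 208444, the basename extraction skips the new deferral check whenever `lastfile` has no '/' in it: `strrchr(lastfile, '/')` returns NULL, `name` stays NULL, and the `strncmp(name, TS, TIMESTAMP_LEN)` comparison is never reached, so a trail named without a directory component is still terminated and can be overwritten within the same second, which is exactly the case the commit message wants to avoid. Fall back to the whole string instead, e.g. `name = strrchr(lastfile, '/'); name = (name != NULL) ? name + 1 : lastfile;`. Also note that the "Not ready to terminate" path returns 0 just like a completed swap, so any caller that treats a 0 return from swap_audit_file() as a successful rotation should be checked to make sure it does not reset per-trail state on a deferred swap.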