buffer space

LC Bruzenak lenny at magitekltd.com
Mon Aug 17 17:46:03 UTC 2009 

On Mon, 2009-08-17 at 13:32 -0400, David Flatley wrote:
> >> Lenny:
> >> 
> >> I was going to move the rotated logs into /home/logs and use
> "ausearch
> >> -i -f /home/logs".
> >> 
> >> 
> >> David Flatley CISSP
> >> 
> >> 
> 
> >David,
> >
> >It won't work like that; exactly the issue I described:
> >
> >[root at slim root]# mkdir logs-test
> >[root at slim root]# cd !$
> >cd logs-test
> >[root at slim logs-test]# auditctl -m "TEST message"
> >[root at slim logs-test]# service auditd rotate
> >Rotating logs:                                             [  OK  ]
> >[root at slim logs-test]# cp /var/log/audit/audit.log.1 .
> >[root at slim logs-test]# ausearch -i -f `pwd` -m USER
> ><no matches>
> >[root at slim logs-test]# grep TEST audit.log.1
> >node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191
> >uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST
> message:
> >exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18
> res=success)'
> >
> >
> >LCB.
> 
>   UGH this is a wrench in the works...
>   I was hoping to grab all the rotated logs, process them while still
> allowing audit
> to run with no interruptions. Problem I run into is I run ausearch -i
> > /tmp/file and then
> do ausearch -i /nfs/file with auditd stopped, then compare files and
> if they are the same in 
> size then delete the /tmp/file. I do this to make sure I get the log
> in the nfs archive directory 
> and the /tmp is a backup if there is a problem. If audit is running
> there is no way the files will 
> be equal in size while processing the /var/log/audit data in two
> different intervals.

It's a problem for me too.
I was thinking about just patching the ausearch code to behave as
desired...but hoping Steve beat me to it so there was a greatly reduced
chance of bad code...
:)

As for the archive issue, what I am planning is to make a snapshot of my
current audit log directory (technically the partition on which this
lives; that's another SECSCN issue), then rsync the snapshot over to a
backup server (via crossover network connection) and finally release the
snap mount. Then I do not have to compare file sizes ... and really the
size is only one indicator of correctness. You'd probably need a
checksum activity.

LCB.

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com

More information about the Linux-audit mailing list