Date: Sun, 27 Mar 2005 01:58:59 GMT From: Wayne Salamon <wsalamon@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 73905 for review Message-ID: <200503270158.j2R1wxwe004032@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=73905 Change 73905 by wsalamon@rickenbacker on 2005/03/27 01:58:31 Add a new trigger for the hard limit on disk space. 'Hard' means there are very few blocks left, and the audit daemon needs to take action. I am staging this change in two pieces: First the basics, not tested yet. Next, possible have the kernel suspend auditing when the hard limit is reached. Affected files ... .. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#9 edit .. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#11 edit .. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#18 edit Differences ... ==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#9 (text+ko) ==== @@ -471,17 +471,16 @@ syslog(LOG_ERR, "Error swapping audit file\n"); } - /* - * check if the next dir has already reached its - * soft limit - */ - dirent = TAILQ_FIRST(&dir_q); - if(dirent->softlim == 1) { - /* all dirs have reached their soft limit */ - audit_warn_allsoft(); - } + /* + * check if the next dir has already reached its + * soft limit + */ + dirent = TAILQ_FIRST(&dir_q); + if(dirent->softlim == 1) { + /* all dirs have reached their soft limit */ + audit_warn_allsoft(); } - else { + } else { /* * Continue auditing to the current file * Also generate an allsoft warning 
@@ -491,13 +490,29 @@ } break; + case AUDITD_TRIGGER_NO_SPACE: + syslog(LOG_INFO, "Got no space trigger\n"); + + /* delete current dir, go on to next */ + TAILQ_REMOVE(&dir_q, dirent, dirs); + audit_warn_hard(dirent->dirname); + free(dirent->dirname); + free(dirent); + + if(swap_audit_file() == -1) + syslog(LOG_ERR, "Error swapping audit file\n"); + + /* We are out of log directories */ + audit_warn_allhard(++allhardcount); + + break; + case AUDITD_TRIGGER_OPEN_NEW : syslog(LOG_INFO, "Got open new trigger\n"); /* create a new file and swap with the one being * used in kernel */ - if(swap_audit_file() == -1) { + if(swap_audit_file() == -1) syslog(LOG_ERR, "Error swapping audit file\n"); - } break; case AUDITD_TRIGGER_READ_FILE : ==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#11 (text+ko) ==== @@ -44,6 +44,11 @@ */ #define AUDITD_TRIGGER_FILE "/dev/audit" +/* + * Minimum noumber of free blocks on the filesystem containing the audit + * log necessary to avoid a hard log rotation. + */ +#define AUDIT_HARD_LIMIT_FREE_BLOCKS 16 /* * Triggers for the audit daemon */ @@ -51,6 +56,7 @@ #define AUDITD_TRIGGER_OPEN_NEW 2 #define AUDITD_TRIGGER_READ_FILE 3 #define AUDITD_TRIGGER_CLOSE_AND_DIE 4 +#define AUDITD_TRIGGER_NO_SPACE 5 /* * Pre-defined audit IDs ==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#18 (text+ko) ==== @@ -323,7 +323,6 @@ struct ucred *cred, struct thread *td) { int ret; - int trigger; long temp; struct au_record *bsm; struct vattr vattr; 
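Review bot: In the new `AUDITD_TRIGGER_NO_SPACE` case, `dirent` is handed to `TAILQ_REMOVE` and then freed without being assigned or NULL-checked inside the case, so it carries whatever an earlier trigger left in it. After one pass through this case the pointer refers to freed memory, and a second no-space trigger would remove and free it again unless code outside the hunk resets it; an empty queue would give a NULL dereference. Re-reading the entry from `dir_q` and guarding it, as in the fence below, keeps the daemon running at the moment the audit trail is most at risk. `audit_warn_allhard(++allhardcount)` also runs when `swap_audit_file()` succeeded, although its comment describes the out-of-directories case; the fence moves it under the failure branch on the assumption that this is the intent. The enclosing switch starts and ends outside the hunk.

```c
case AUDITD_TRIGGER_NO_SPACE:
	/* … unchanged: syslog of the trigger … */

	/* assumes the head of dir_q is the directory in use; confirm */
	dirent = TAILQ_FIRST(&dir_q);
	if (dirent != NULL) {
		/* … unchanged: TAILQ_REMOVE, audit_warn_hard, both free() calls … */
	}

	if (swap_audit_file() == -1) {
		syslog(LOG_ERR, "Error swapping audit file\n");
		/* We are out of log directories */
		audit_warn_allhard(++allhardcount);
	}
	break;
```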
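Review bot: The comment added above `AUDIT_HARD_LIMIT_FREE_BLOCKS` does not state the unit of a block, and the kernel hunk in this change compares the constant with `mnt_stat->f_bfree`, so the byte margin that 16 blocks leaves depends on the filesystem's block size. I would name the unit and fix the typo in the first comment line, e.g. `* Minimum number of free blocks (in f_bfree units) on the filesystem containing the audit`. Whether 16 blocks is enough headroom for records still being written while auditd switches directories is worth confirming before the second stage of this change.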
@@ -357,24 +356,34 @@ */ /* - * If we fall below percent free blocks, then trigger the - * audit daemon to do something about it. + * If we fall below minimum free blocks (hard limit), tell the audit + * daemon to force a rotation off of the file system. If we fall + * below the minimum percent free blocks (soft limit), then kindly + * suggest to the audit daemon to do something. */ - if (audit_qctrl.aq_minfree != 0) { - temp = mnt_stat->f_blocks / (100 / audit_qctrl.aq_minfree); - if (mnt_stat->f_bfree < temp) { - trigger = AUDITD_TRIGGER_LOW_SPACE; - ret = send_trigger(AUDITD_TRIGGER_LOW_SPACE); - if (ret != 0) { - printf( - "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret); + if (mnt_stat->f_bfree < AUDIT_HARD_LIMIT_FREE_BLOCKS) { + ret = send_trigger(AUDITD_TRIGGER_NO_SPACE); + if (ret != 0) { + printf( + "Failed audit_triggers(AUDIT_TRIGGER_NO_SPACE): %d\n", ret); /* * XXX: What to do here? Disable auditing? * panic? */ + } + } else + if (audit_qctrl.aq_minfree != 0) { + temp = mnt_stat->f_blocks / (100 / + audit_qctrl.aq_minfree); + if (mnt_stat->f_bfree < temp) { + ret = send_trigger(AUDITD_TRIGGER_LOW_SPACE); + if (ret != 0) { + printf( + "Failed audit_triggers(AUDIT_TRIGGER_LOW_SPACE): %d\n", ret); + } } } - } + /* Check if the current log file is full; if so, call for * a log rotate. This is not an exact comparison; we may * write some records over the limit. If that's not @@ -384,7 +393,6 @@ (audit_file_rotate_wait == 0) && (vattr.va_size >= audit_fstat.af_filesz)) { audit_file_rotate_wait = 1; - trigger = AUDITD_TRIGGER_OPEN_NEW; ret = send_trigger(AUDITD_TRIGGER_OPEN_NEW); if (ret != 0) { printf(
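Review bot: The hard-limit branch calls `send_trigger(AUDITD_TRIGGER_NO_SPACE)` on every pass while `f_bfree` stays below `AUDIT_HARD_LIMIT_FREE_BLOCKS`, with no latch comparable to the `audit_file_rotate_wait` flag that guards the rotation check just below it. Because the auditd handler added in this change removes a directory from its queue for each trigger it receives, repeated triggers during one low-space episode could exhaust the directory list and leave nowhere to write the audit trail; a flag set when the trigger is sent and cleared once a new file is installed would bound that. In the soft-limit branch, `100 / audit_qctrl.aq_minfree` evaluates to zero when `aq_minfree` exceeds 100, so the outer division would fault in the kernel unless the value is range-checked where it is set, which is not visible here; `temp = mnt_stat->f_blocks / 100 * audit_qctrl.aq_minfree;` avoids the inner division. The enclosing function begins and ends outside the hunk.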