From owner-p4-projects@FreeBSD.ORG Mon Oct 25 21:21:34 2004 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id B83C516A4D0; Mon, 25 Oct 2004 21:21:33 +0000 (GMT) Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 920D316A4CE for ; Mon, 25 Oct 2004 21:21:33 +0000 (GMT) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 775E543D1F for ; Mon, 25 Oct 2004 21:21:33 +0000 (GMT) (envelope-from wsalamon@computer.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.11/8.12.11) with ESMTP id i9PLLXet042249 for ; Mon, 25 Oct 2004 21:21:33 GMT (envelope-from wsalamon@computer.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.12.11/8.12.11/Submit) id i9PLLXWT042246 for perforce@freebsd.org; Mon, 25 Oct 2004 21:21:33 GMT (envelope-from wsalamon@computer.org) Date: Mon, 25 Oct 2004 21:21:33 GMT Message-Id: <200410252121.i9PLLXWT042246@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to wsalamon@computer.org using -f 
From: Wayne Salamon To: Perforce Change Reviews Subject: PERFORCE change 63747 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Oct 2004 21:21:34 -0000 http://perforce.freebsd.org/chv.cgi?CH=63747 Change 63747 by wsalamon@wsalamon_epi on 2004/10/25 21:21:11 Fix some of the audit log rotation issues. First, have the kernel send the correct command to auditd to rotate the files. Second, have auditd NOT skip to the next entry in the audit directory list with the rotate command. There's still an issue of timeouts: auditd waits a period of time between rotations (30s), and the kernel waits for an indication from auditd that the rotation has taken place. Result is that if two rotations are justified within that 30s period, no rotation will take place until auditd is restarted.
Affected files ...
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#6 edit
.. //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#6 edit
.. //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#7 edit
.. //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#11 edit
Differences ...
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/Makefile#6 (text+ko) ====
@@ -8,9 +8,9 @@
 all: audit_warn auditd
 audit_warn: audit_warn.c
- $(CC) -c audit_warn.c -o audit_warn.o
+ $(CC) $(CFLAGS) -c audit_warn.c -o audit_warn.o
 auditd: auditd.c
- $(CC) -lbsm auditd.c audit_warn.o -o auditd
+ $(CC) $(CFLAGS) -lbsm auditd.c audit_warn.o -o auditd
 install:
 install -d /usr/share/man/man8
==== //depot/projects/trustedbsd/audit3/contrib/audit_supt/auditd/auditd.c#6 (text+ko) ====
@@ -178,6 +178,8 @@
 /* try until we succeed */
 while((dirent = TAILQ_FIRST(&dir_q))) {
 if((fn = affixdir(timestr, dirent)) == NULL) {
+ syslog(LOG_INFO, "Failed to swap log at time %s\n",
+ timestr);
 return -1;
 }
@@ -198,7 +200,7 @@
 return 0;
 }
- /* Tell the administrator about lack of permissions for dirent */
+ /* Tell the administrator about lack of permissions for dir */
 audit_warn_getacdir(dirent->dirname);
 /* Try again with a different directory */
@@ -206,6 +208,7 @@
 free(dirent->dirname);
 free(dirent);
 }
+ syslog(LOG_INFO, "Log directories exhausted\n");
 return -1;
 }
@@ -435,23 +438,25 @@
 if(gettimeofday(&ts, &tzp) == 0) {
 tt = (time_t)ts.tv_sec;
- if ((flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {
+ if ((flags == last_flags) &&
+ (tt < (last_time + DUPLICATE_INTERVAL))) {
 return 0;
 }
 last_flags = flags;
 last_time = tt;
 }
- syslog(LOG_INFO,
- "handle_audit_trigger() called within auditd with flags = %d\n",
+ syslog(LOG_INFO,
+ "handle_audit_trigger() called within auditd with flags = %d\n",
 flags);
 /*
- * XXX Message processing is done here
+ * Message processing is done here
 */
 dirent = TAILQ_FIRST(&dir_q);
 switch(flags) {
 case AUDITD_TRIGGER_LOW_SPACE:
+ syslog(LOG_INFO, "Got low space trigger\n");
 if(dirent && (dirent->softlim != 1)) {
 TAILQ_REMOVE(&dir_q, dirent, dirs);
 /* add this node to the end of the list */
@@ -459,7 +464,8 @@
 audit_warn_soft(dirent->dirname);
 dirent->softlim = 1;
- if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && swap_audit_file() == -1) {
+ if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL &&
+ swap_audit_file() == -1) {
 syslog(LOG_ERR, "Error swapping audit file\n");
 }
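Review bot: The syslog() added in the affixdir() failure branch reports an abandoned log swap at LOG_INFO, and the `Log directories exhausted` message added at @@ -206 uses the same level; both mark the point where auditd gives up opening a new trail and returns -1, which is the condition an operator most needs to see, so LOG_ERR (or at least LOG_WARNING) fits better, e.g. `syslog(LOG_ERR, "Failed to swap log at time %s\n", timestr);`. The same file already reports a swap failure at LOG_ERR (`Error swapping audit file` in the @@ -459 hunk), so this also keeps the severities consistent. The function these hunks belong to starts before the first hunk; the `try until we succeed` loop comment suggests an affixdir() failure was meant to move on to the next directory, but that `return -1` is pre-existing rather than part of this change.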
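Review bot: The duplicate-trigger filter at the top of the @@ -435 hunk, `(flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))`, now also discards AUDITD_TRIGGER_OPEN_NEW, which this change makes the kernel's file-full rotation request; since the kernel sets audit_file_rotate_wait before sending it (see the kern_audit.c hunk) and, per the change description, waits for the daemon before sending another, a rotation request dropped here stalls rotation — the 30s problem the description leaves open. Exempting the rotation request from the filter would close it without reintroducing a trigger type: `if ((flags != AUDITD_TRIGGER_OPEN_NEW) && (flags == last_flags) && (tt < (last_time + DUPLICATE_INTERVAL))) {`. Whether the daemon clears the kernel's wait flag after a successful swap is not visible here, and handle_audit_trigger() begins before the hunk.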
@@ -482,23 +488,9 @@
 audit_warn_allsoft();
 }
 break;
- case AUDITD_TRIGGER_FILE_FULL:
- /* delete current dir, go on to next */
- TAILQ_REMOVE(&dir_q, dirent, dirs);
- audit_warn_hard(dirent->dirname);
- free(dirent->dirname);
- free(dirent);
-
- if(swap_audit_file() == -1) {
- syslog(LOG_ERR, "Error swapping audit file in "
- "response to AUDITD_TRIGGER_FILE_FULL message\n");
-
- /* Nowhere to write to */
- audit_warn_allhard(++allhardcount);
- }
- break;
 case AUDITD_TRIGGER_OPEN_NEW :
+ syslog(LOG_INFO, "Got open new trigger\n");
 /* create a new file and swap with the one being
 * used in kernel */
 if(swap_audit_file() == -1) {
@@ -507,12 +499,14 @@
 break;
 case AUDITD_TRIGGER_READ_FILE :
+ syslog(LOG_INFO, "Got read file trigger\n");
 if(read_control_file() == -1) {
 syslog(LOG_ERR, "Error in audit control file\n");
 }
 break;
 case AUDITD_TRIGGER_CLOSE_AND_DIE :
+ syslog(LOG_INFO, "Got close and die trigger\n");
 rc = close_all();
 exit (rc);
 break;
==== //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#7 (text+ko) ====
@@ -45,10 +45,9 @@
 * Triggers for the audit daemon
 */
 #define AUDITD_TRIGGER_LOW_SPACE 1
-#define AUDITD_TRIGGER_FILE_FULL 2
-#define AUDITD_TRIGGER_OPEN_NEW 3
-#define AUDITD_TRIGGER_READ_FILE 4
-#define AUDITD_TRIGGER_CLOSE_AND_DIE 5
+#define AUDITD_TRIGGER_OPEN_NEW 2
+#define AUDITD_TRIGGER_READ_FILE 3
+#define AUDITD_TRIGGER_CLOSE_AND_DIE 4
 /*
 * Pre-defined audit IDs
==== //depot/projects/trustedbsd/audit3/sys/security/audit/kern_audit.c#11 (text+ko) ====
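Review bot: Removing the AUDITD_TRIGGER_FILE_FULL case also drops the audit_warn_hard() notification and the `audit_warn_allhard(++allhardcount)` escalation that a failed swap used to produce; file-full is now routed to the OPEN_NEW case, whose `if(swap_audit_file() == -1)` body continues past the end of the hunk, so it is not visible whether a failed kernel-requested rotation still reaches the administrator through audit_warn or only through syslog. If the OPEN_NEW failure path only logs, consider moving `audit_warn_allhard(++allhardcount);` into it; if nothing else increments allhardcount it is presumably now an unused variable, which a -Wunused build would confirm. The enclosing switch and function extend beyond this hunk.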
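Review bot: Renumbering AUDITD_TRIGGER_OPEN_NEW, AUDITD_TRIGGER_READ_FILE and AUDITD_TRIGGER_CLOSE_AND_DIE to 2/3/4 in the audit.h hunk changes values that cross the kernel/daemon boundary (kern_audit.c writes `trigger` into auditd_ctl_vp), so a kernel and an auditd built from different revisions of this header silently disagree — 4 means READ_FILE under the old numbering and CLOSE_AND_DIE under the new one. Leaving the surviving values where they were and retiring 2 avoids that: replace the four edited defines with `/* 2 was AUDITD_TRIGGER_FILE_FULL; retired, do not reuse */` above the unchanged OPEN_NEW/READ_FILE/CLOSE_AND_DIE lines. If kernel and daemon are always installed together from this tree the skew only bites at upgrade time, but a comment in the header saying these values are a kernel/daemon protocol would help the next person who edits them.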
@@ -285,14 +285,14 @@
 (audit_file_rotate_wait == 0) && (vattr.va_size >= audit_fstat.af_filesz)) {
 audit_file_rotate_wait = 1;
- trigger = AUDITD_TRIGGER_FILE_FULL;
+ trigger = AUDITD_TRIGGER_OPEN_NEW;
 ret = vn_rdwr(UIO_WRITE, auditd_ctl_vp, (void *)&trigger, sizeof(trigger), (off_t)0, UIO_SYSSPACE, IO_APPEND|IO_UNIT, cred, NULL, NULL, td);
 if (ret != 0) {
 printf(
- "Failed audit_triggers(AUDIT_TRIGGER_FILE_FULL): %d\n", ret);
+ "Failed audit_triggers(AUDITD_TRIGGER_OPEN_NEW): %d\n", ret);
 /* XXX what to do here? */
 }
 }
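Review bot: `audit_file_rotate_wait = 1;` is set before the vn_rdwr() that delivers the trigger, and the `ret != 0` branch only prints, so a failed write leaves the flag set and the `audit_file_rotate_wait == 0` test at the top of the hunk suppresses every later rotation request — the `/* XXX what to do here? */` this change touches but does not resolve. Resetting the flag on failure, `audit_file_rotate_wait = 0;` after the printf(), lets the next write retry the trigger instead of leaving the trail to grow with no further rotation attempts. Whether anything else clears the flag when the daemon never responds is outside the hunk, as is the start of the enclosing function.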