Date: Sat, 25 Nov 2006 11:45:29 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Martin Voros <martin_voros@yahoo.com>
Cc: trustedbsd-audit@TrustedBSD.org
Subject: Re: auditd - hostname in trail file name patch
Message-ID: <20061125114324.N46163@fledge.watson.org>
In-Reply-To: <20061114122442.63529.qmail@web55506.mail.re4.yahoo.com>
References: <20061114122442.63529.qmail@web55506.mail.re4.yahoo.com>

On Tue, 14 Nov 2006, Martin Voros wrote:

> Robert Watson <rwatson@FreeBSD.org> wrote:
> On Thu, 26 Oct 2006, Martin Voros wrote:
>
>> I've prepared another patch which put hostname in trail file name (another
>> point from TODO list). Format is timestamp.timestamp.hostname or
>> timestamp.not_terminated.hostname
>>
>> Again of course all comments are welcome.
>
> Having now returned from EuroBSDCon, I'm trying to catch up on e-mail. My
> suggestion here would be to switch to using asprintf() to de-complicate the
> buffer length calculation, which otherwise is probably the riskiest part of
> the change.
>
> I've prepared new patch, which use asprintf instead of strcat and malloc.

Martin,

Again, a rather long delay -- sorry about that! Thanks for the revised patch.
I've run into a problem with it, however -- if the hostname changes between
when auditd opens a trail (affixdir) and when it closes it (close_lastfile),
then the filename at creation and removal differs. I think we need to
rearrange things in auditd so that close_lastfile() operates on a cached copy
of the filename, rather than attempting to reconstruct the last filename since
it can no longer be done without maintaining state. Is this something you
could investigate?

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge

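The cached-filename arrangement described in the message above, as an added example that is not code from auditd or from the patch under discussion. The names trail_open(), trail_close(), trail_name() and cur_trail are hypothetical stand-ins, and the timestamps and hostnames are constructed sample values.

```c
#define _GNU_SOURCE   /* glibc hides asprintf() without this; FreeBSD declares it by default */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int asprintf(char **, const char *, ...);  /* harmless repeat if the macro was seen too late */
#define NOT_TERMINATED "not_terminated"

static char *cur_trail;  /* hypothetical cache: name the open trail was created under */

/* Build "start.end.host". asprintf() sizes the buffer, so there is no length arithmetic. */
static char *trail_name(const char *start, const char *end, const char *host)
{
    char *name;
    return asprintf(&name, "%s.%s.%s", start, end, host) < 0 ? NULL : name;
}

/* Open a trail and remember the exact name used (the cache owns the string). */
const char *trail_open(const char *start, const char *host)
{
    free(cur_trail);
    return cur_trail = trail_name(start, NOT_TERMINATED, host);
}

/* Close: derive the final name from the cached one, never from the current
 * hostname. Returns the new name (caller frees); a daemon would rename(2) here. */
char *trail_close(const char *end)
{
    char *mark, *final;
    if (cur_trail == NULL || (mark = strstr(cur_trail, "." NOT_TERMINATED ".")) == NULL)
        return NULL;
    if (asprintf(&final, "%.*s.%s%s", (int)(mark - cur_trail), cur_trail, end,
                 mark + 1 + strlen(NOT_TERMINATED)) < 0)
        return NULL;
    free(cur_trail);
    cur_trail = NULL;
    return final;
}

int main(void)
{
    printf("opened: %s\n", trail_open("20061125114529", "hosta"));  /* constructed values */
    char *rebuilt = trail_name("20061125114529", NOT_TERMINATED, "hostb"); /* hostname changed */
    printf("rebuilt after hostname change: %s (no such file)\n", rebuilt);
    char *final = trail_close("20061125120000");
    printf("closed from cache: %s\n", final);
    free(rebuilt);
    free(final);
}
```
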
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061125114324.N46163>