From owner-trustedbsd-audit@FreeBSD.ORG Sat Nov 25 11:46:12 2006
Date: Sat, 25 Nov 2006 11:45:29 +0000 (GMT)
From: Robert Watson
To: Martin Voros
Cc: trustedbsd-audit@TrustedBSD.org
Subject: Re: auditd - hostname in trail file name patch
Message-ID: <20061125114324.N46163@fledge.watson.org>
In-Reply-To: <20061114122442.63529.qmail@web55506.mail.re4.yahoo.com>
References: <20061114122442.63529.qmail@web55506.mail.re4.yahoo.com>

On Tue, 14 Nov 2006, Martin Voros wrote:

> Robert Watson wrote:
> On Thu, 26 Oct 2006, Martin Voros wrote:
>
>> I've prepared another patch which puts the hostname in the trail file name
>> (another point from the TODO list). Format is timestamp.timestamp.hostname or
>> timestamp.not_terminated.hostname
>>
>> Again of course all comments are welcome.
>
> Having now returned from EuroBSDCon, I'm trying to catch up on e-mail. My
> suggestion here would be to switch to using asprintf() to de-complicate the
> buffer length calculation, which otherwise is probably the riskiest part of
> the change.
>
> I've prepared a new patch, which uses asprintf instead of strcat and malloc.

Martin,

Again, a rather long delay -- sorry about that! Thanks for the revised patch.
I've run into a problem with it, however -- if the hostname changes between
when auditd opens a trail (affixdir) and when it closes it (close_lastfile),
then the filename at creation and removal differs. I think we need to
rearrange things in auditd so that close_lastfile() operates on a cached copy
of the filename, rather than attempting to reconstruct the last filename,
since it can no longer be done without maintaining state. Is this something
you could investigate?

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge
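
The filename mismatch described in the message above, as an added example that is not auditd's code and not part of the original thread: it builds the trail name with asprintf(), then compares reconstructing the name at close time with deriving it from a cached copy. The function names, the `sim_hostname` stand-in for gethostname(3), the timestamps, and the choice to keep the creation-time hostname in the final name are all assumptions made for illustration.

```c
#define _GNU_SOURCE /* asprintf() on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int asprintf(char **strp, const char *fmt, ...); /* in case an earlier include fixed feature macros */

#define NOT_TERMINATED "not_terminated"

/* Assumption: constructed stand-in for gethostname(3) so a change can be simulated. */
static const char *sim_hostname = "alpha";
static char *cached_trail; /* name the open trail was created under */

/* Open (hypothetical helper): build "<start>.not_terminated.<host>" and cache it. */
const char *trail_open(const char *start_ts)
{
    free(cached_trail);
    if (asprintf(&cached_trail, "%s.%s.%s", start_ts, NOT_TERMINATED,
        sim_hostname) < 0)
        cached_trail = NULL;
    return cached_trail;
}

/* Fragile close: rebuild the old name from the hostname as it is now. */
char *old_name_reconstructed(const char *start_ts)
{
    char *p;
    return asprintf(&p, "%s.%s.%s", start_ts, NOT_TERMINATED,
        sim_hostname) < 0 ? NULL : p;
}

/* Close from cache: swap the marker in the cached name for the end timestamp.
 * The caller would rename(cached_trail, result); result is malloc'd. */
char *final_name_from_cache(const char *end_ts)
{
    char *mark, *out;
    if (cached_trail == NULL ||
        (mark = strstr(cached_trail, "." NOT_TERMINATED ".")) == NULL)
        return NULL;
    if (asprintf(&out, "%.*s.%s%s", (int)(mark - cached_trail), cached_trail,
        end_ts, mark + 1 + strlen(NOT_TERMINATED)) < 0)
        return NULL;
    return out;
}

int main(void)
{
    printf("created: %s\n", trail_open("20061125114529"));
    sim_hostname = "beta"; /* hostname changes while the trail is open */
    char *stale = old_name_reconstructed("20061125114529");
    char *fin = final_name_from_cache("20061125120000");
    printf("rebuilt: %s (no such file)\nrename:  %s -> %s\n", stale, cached_trail, fin);
    free(stale); free(fin);
    return 0;
}
```
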