> On Tuesday 14 June 2005 11:30, Michael C Thompson wrote:
> > I was wondering, based on the amounts of sleeps we are needed to put into
> > our test cases (and this might already have been said, if so, keep the
> > flames to a low simmer) is there some way to change auditd stop to have it
> > capture all of the messages up until the point where the stop was issued?
>
> It does capture all the events up to the point the stop was issued. However,
> the stop and the messages travel in 2 different paths. One is a signal which
> entirely avoids the queue.
Alright, I'm not sure if I made my point clearly (or perhaps I am misundersanding yours), what is happening with our test cases is the following:
system("/etc/rc.d/init.d/auditd start");
...
TEST(syscall(..))
...
system("/etc/rc.d/init.d/auditd stop");
Now, the outter portion of the code here (that is, before the start, and after the stop) should not be affecting the actions taken between start and stop (seems obviously correct, could be wrong). The issue we're experiencing is that when the stop is called, the audit.log file has no trace of what has transpired between the "start" & "stop" auditd calls. However, without putting sleeps (e.g. sleep(2); seems to be the most effective) before we call "../auditd stop" then the records in file which we are hoping to verify with are not there, unless we prolong the stop (i.e. with a sleep).
As it was explained to me, the way the stop works is when auditd is told to "stop", the daemon dies, and any audit messages still in the queue are "lost" in respect to the log file. If you could confirm that, or point me to a place where that's documented and I'll read it for my self, it would help me to understand the behaviour better.
> It is assumed that when you send the stop...you really mean it. Everything
> after that is discarded.
Which makes sense, no issue there...
> > Seems to me that while this change doesn't have to come now, it would be a
> > nice addition in the future. Perhaps having the auditd stop insert a
> > message into the queue (if thats possible?)
>
> We talked about this at length. What if the new event causes a kernel panic
> due to backlog overflow? Or what if they don't have failure set to panic, the
> audit daemon is waiting for a record that will never be sent. If a shutdown
> is occurring, you won't have the audit stop message.
OK, good point. I remember it being mention during a meeting, but was there any further discussion about a "auditd stop" & "auditd shutdown" option? I know it was in regards to clearing the specified rules, but it seems it could be associated with this. Inserting a message into the queue might not be the best solution for the afore stated reasons, and while I don't have any ideas right now, doesn't mean there isn't an answer.
> > and have auditd die when it seems that message, as opposed to just dropping
> > dead when the stop is made, causing a possible (and highly probable, happens
> > all the time with our tests if they don't have sleeps) loss of information.
>
> You are in the unique position of expecting something in the logs.
> In the real
> world use, the machine is going down and you need to finish up asap or not
> audit stop message will get written.
Right, the tests we are running are not a good indicator of the way auditd's running status will be treated in a real environment, but there must be some valid reasons for stopping auditd outside of a shutdown in a real environment, which would still have this queue issue. Of course, while auditd is down, there is 0 chance at logging anything, so it could just be a moot point.
- Mike