Bug 217037 - audbin cannot find old save files to process when multiple %[uth] macros appear in the name template
audbin cannot find old save files to process when multiple %[uth] macros appe...
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Jay Turner
Depends On:
  Show dependency treegraph
Reported: 2006-11-23 06:11 EST by Zdenek Precek
Modified: 2015-01-07 19:15 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-19 14:39:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Zdenek Precek 2006-11-23 06:11:34 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv: Gecko/20061025 Firefox/

Description of problem:
When seeking for the oldest save- file to be processed by the user's notify command (-N), audbin simply compares filenames in the directory specified by the  dirname part of the -S template with the basename part of the template from the beginning up to the %u macro (if any). If any other allowed macro (%h, %t) precedes %u in the template, audbin correctly creates such savefiles, but cannot find them for submitting to the notify command.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Determine the actual utilization of the /var filesystems on order to specify the XX percentage that could be reached in the reasonable soon time.

2.Modify the /etc/audit/audit.conf to contain the entry:
output {
 mode	= bin;
 num-files	= 4;
 file-size	= 10K;
 notify	= "/usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T XX% -N '/bin/rm -f %f'";

3. Start auditing as appropriate, generate events to fill up /var or copy some large enough file into /var/tmp in order to reach the XX% free space limit.

4. Watch the syslog and the content of the /var/log/audit.d directory

Actual Results:
In the syslog, there should appear something like this:
Nov 23 08:30:31 u0 audbin[27589]: saving binary audit log /var/log/audit.d/bin.0
Nov 23 08:30:31 u0 audbin[27589]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 16.90% - notify command cannot be run - no old save file to process.
Nov 23 08:30:31 u0 auditd[4780]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T 20% -N '/bin/rm -f %f' exited with status 1
Nov 23 08:30:31 u0 auditd[4780]: output error
Nov 23 08:30:31 u0 auditd[4780]: output error

At the same time, the /var/log/audit.d directory should be similar to:
-rw-------    1 root     ux       134217728 Nov 23 04:27 bin.0
-rw-------    1 root     ux       134217728 Nov 23 08:30 bin.1
-rw-------    1 root     ux       134217728 Nov 23 08:30 bin.2
-rw-------    1 root     ux       134217728 Nov 23 00:05 bin.3
-rw-------    1 root     ux       134217654 Nov 22 13:07 save.1164197231.0
-rw-------    1 root     ux       134217605 Nov 22 17:01 save.1164211258.0
-rw-------    1 root     ux       134217686 Nov 22 21:40 save.1164228019.0
-rw-------    1 root     ux       134217725 Nov 23 00:05 save.1164236748.0
-rw-------    1 root     ux       134217698 Nov 23 01:12 save.1164240738.0
-rw-------    1 root     ux       134217563 Nov 23 04:27 save.1164252463.0

Expected Results:
Users should be warned (either in the manual page or in the comments in the example audit.conf file), that the %u macro, if used, must appear before any other variable part (macro) in the -S parameter to audbin.

Alternatively, the filename matching algorithm should be modified in order to correctly recognize the macros in the filename templates.

Additional info:
Comment 1 RHEL Product and Program Management 2007-10-19 14:39:56 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.