Bug 217037 - audbin cannot find old save files to process when multiple %[uth] macros appear in the name template
Summary: audbin cannot find old save files to process when multiple %[uth] macros appe...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-23 11:11 UTC by Zdenek Precek
Modified: 2015-01-08 00:15 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-19 18:39:56 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Zdenek Precek 2006-11-23 11:11:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8

Description of problem:
When seeking for the oldest save- file to be processed by the user's notify command (-N), audbin simply compares filenames in the directory specified by the  dirname part of the -S template with the basename part of the template from the beginning up to the %u macro (if any). If any other allowed macro (%h, %t) precedes %u in the template, audbin correctly creates such savefiles, but cannot find them for submitting to the notify command.

Version-Release number of selected component (if applicable):
laus-0.1

How reproducible:
Always


Steps to Reproduce:
1.Determine the actual utilization of the /var filesystems on order to specify the XX percentage that could be reached in the reasonable soon time.

2.Modify the /etc/audit/audit.conf to contain the entry:
output {
 mode	= bin;
 num-files	= 4;
 file-size	= 10K;
 ...
 notify	= "/usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T XX% -N '/bin/rm -f %f'";
 ...
}

3. Start auditing as appropriate, generate events to fill up /var or copy some large enough file into /var/tmp in order to reach the XX% free space limit.


4. Watch the syslog and the content of the /var/log/audit.d directory

Actual Results:
In the syslog, there should appear something like this:
Nov 23 08:30:31 u0 audbin[27589]: saving binary audit log /var/log/audit.d/bin.0
Nov 23 08:30:31 u0 audbin[27589]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 16.90% - notify command cannot be run - no old save file to process.
Nov 23 08:30:31 u0 auditd[4780]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T 20% -N '/bin/rm -f %f' exited with status 1
Nov 23 08:30:31 u0 auditd[4780]: output error
Nov 23 08:30:31 u0 auditd[4780]: output error

At the same time, the /var/log/audit.d directory should be similar to:
-rw-------    1 root     ux       134217728 Nov 23 04:27 bin.0
-rw-------    1 root     ux       134217728 Nov 23 08:30 bin.1
-rw-------    1 root     ux       134217728 Nov 23 08:30 bin.2
-rw-------    1 root     ux       134217728 Nov 23 00:05 bin.3
-rw-------    1 root     ux       134217654 Nov 22 13:07 save.1164197231.0
-rw-------    1 root     ux       134217605 Nov 22 17:01 save.1164211258.0
-rw-------    1 root     ux       134217686 Nov 22 21:40 save.1164228019.0
-rw-------    1 root     ux       134217725 Nov 23 00:05 save.1164236748.0
-rw-------    1 root     ux       134217698 Nov 23 01:12 save.1164240738.0
-rw-------    1 root     ux       134217563 Nov 23 04:27 save.1164252463.0




Expected Results:
Users should be warned (either in the manual page or in the comments in the example audit.conf file), that the %u macro, if used, must appear before any other variable part (macro) in the -S parameter to audbin.

Alternatively, the filename matching algorithm should be modified in order to correctly recognize the macros in the filename templates.

Additional info:

Comment 1 RHEL Program Management 2007-10-19 18:39:56 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.


Note You need to log in before you can comment on or make changes to this bug.