Red Hat Bugzilla – Bug 217037
audbin cannot find old save files to process when multiple %[uth] macros appear in the name template
Last modified: 2015-01-07 19:15:08 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; cs; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8 Description of problem: When seeking for the oldest save- file to be processed by the user's notify command (-N), audbin simply compares filenames in the directory specified by the dirname part of the -S template with the basename part of the template from the beginning up to the %u macro (if any). If any other allowed macro (%h, %t) precedes %u in the template, audbin correctly creates such savefiles, but cannot find them for submitting to the notify command. Version-Release number of selected component (if applicable): laus-0.1 How reproducible: Always Steps to Reproduce: 1.Determine the actual utilization of the /var filesystems on order to specify the XX percentage that could be reached in the reasonable soon time. 2.Modify the /etc/audit/audit.conf to contain the entry: output { mode = bin; num-files = 4; file-size = 10K; ... notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T XX% -N '/bin/rm -f %f'"; ... } 3. Start auditing as appropriate, generate events to fill up /var or copy some large enough file into /var/tmp in order to reach the XX% free space limit. 4. Watch the syslog and the content of the /var/log/audit.d directory Actual Results: In the syslog, there should appear something like this: Nov 23 08:30:31 u0 audbin[27589]: saving binary audit log /var/log/audit.d/bin.0 Nov 23 08:30:31 u0 audbin[27589]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 16.90% - notify command cannot be run - no old save file to process. Nov 23 08:30:31 u0 auditd[4780]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%t.%u -C -T 20% -N '/bin/rm -f %f' exited with status 1 Nov 23 08:30:31 u0 auditd[4780]: output error Nov 23 08:30:31 u0 auditd[4780]: output error At the same time, the /var/log/audit.d directory should be similar to: -rw------- 1 root ux 134217728 Nov 23 04:27 bin.0 -rw------- 1 root ux 134217728 Nov 23 08:30 bin.1 -rw------- 1 root ux 134217728 Nov 23 08:30 bin.2 -rw------- 1 root ux 134217728 Nov 23 00:05 bin.3 -rw------- 1 root ux 134217654 Nov 22 13:07 save.1164197231.0 -rw------- 1 root ux 134217605 Nov 22 17:01 save.1164211258.0 -rw------- 1 root ux 134217686 Nov 22 21:40 save.1164228019.0 -rw------- 1 root ux 134217725 Nov 23 00:05 save.1164236748.0 -rw------- 1 root ux 134217698 Nov 23 01:12 save.1164240738.0 -rw------- 1 root ux 134217563 Nov 23 04:27 save.1164252463.0 Expected Results: Users should be warned (either in the manual page or in the comments in the example audit.conf file), that the %u macro, if used, must appear before any other variable part (macro) in the -S parameter to audbin. Alternatively, the filename matching algorithm should be modified in order to correctly recognize the macros in the filename templates. Additional info:
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet that criteria, it is now being closed. For more information of the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.