[PATCH] ausearch: Add checkpoint capability and have incomplete logs carry forward when processing multiple audit.log files

Steve Grubb sgrubb at redhat.com
Mon May 13 21:50:48 UTC 2013


On Tuesday, May 14, 2013 06:51:17 AM Burn Alting wrote:
> If you hold off, I will separate these later today and re-submit.

I have applied the portion of the patch that fixes the second issue as commit 
831. I extended it to also give the same treatment to aureport since its file 
processing code is very similar to ausearch. I'll send the checkpoint patch 
separately to make sure we are sync'ed.

-Steve


> > On Saturday, May 11, 2013 03:59:34 PM Burn Alting wrote:
> > > Attached is a patch for review.
> > > 
> > > It is against revision 829 within http://svn.fedorahosted.org/svn/audit
> > > 
> > > This patch
> > > 
> > > - allows ausearch to checkpoint itself, in that, successive invocations
> > > will only display new events. This is enabled via the --checkpoint fn
> > > option. The mods to ausearch.8 describe the method of achieving this.
> > > 
> > > - fixes a minor annoyance/bug in that, when ausearch processes events
> > > from multiple audit.log files, incomplete events are considered as
> > > complete (and hence printed) when ausearch encounters an EOF on input
> > > from all the log files being processed. Now, ausearch only flushes
> > > incomplete events on the last log file being processed.
> > 
> > First of all, thanks for submitting the patch. It's nice to have a
> > problem/feature request that has a solution attached. :-)
> > 
> > But if at all possible, I'd really like to keep bug fixes and features
> > separated in patches. There are some distributions that would pick up the
> > bug fix, but hold the feature until next OS version. It also lets one
> > patch proceed to get applied should more discussion be required on the
> > other portion. And should one introduce a new problem, it will allow
> > bisecting to more closely pinpoint the patch that caused the problem.
> > 
> > I'll try to separate these. I think, from reading the code, the portion
> > that addresses not flushing on EOF is simple and straightforward and can
> > be applied. The other piece may need some discussion - not sure without
> > having them separated and looking it over.
> > 
> > Thanks,
> > -Steve
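
The two behaviours discussed in this thread, the incomplete-event flush on EOF and the --checkpoint idea, modelled in Python as an added example. This is not ausearch's code or the patch; it is a simplified model of the log-processing logic under discussion. Assumptions made here and not stated in the thread: records of one event share the msg=audit(TIME:SERIAL) id, a type=EOE record closes a multi-record event, files are supplied oldest first (the order a rotated audit.log set is read), the checkpoint is the id of the newest complete event already shown, and the sample records are constructed.

```python
"""Model of multi-file audit.log event assembly plus a checkpoint filter.

Illustrative example only, not ausearch's code.  Assumptions: records of one
event share the msg=audit(TIME:SERIAL) id, a type=EOE record closes a
multi-record event, and files are given oldest first (audit.log.2,
audit.log.1, audit.log), the order in which a rotated set is read.
"""
import re

AUDIT_ID = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def event_id(line):
    """Return (seconds, millis, serial) for a record, or None if it has no id."""
    m = AUDIT_ID.search(line)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def assemble_events(files, flush_per_file=False):
    """Group records into events across a list of files (each a list of lines).

    Returns a list of (event_id, records, complete) in output order.
    flush_per_file=True reproduces the old behaviour: every EOF flushes
    whatever is still pending, so an event split by log rotation comes out
    as two fragments.  The default flushes pending events only after the
    last file, which is what the fix in this thread does.
    """
    pending = {}          # event_id -> records seen so far (insertion ordered)
    out = []
    last = len(files) - 1
    for idx, lines in enumerate(files):
        for raw in lines:
            line = raw.rstrip("\n")
            eid = event_id(line)
            if eid is None:
                continue                      # not an audit record
            pending.setdefault(eid, []).append(line)
            if line.startswith("type=EOE "):  # end-of-event record closes it
                out.append((eid, pending.pop(eid), True))
        if flush_per_file or idx == last:     # old: every file; fixed: last only
            for eid in list(pending):
                out.append((eid, pending.pop(eid), False))
    return out


def since_checkpoint(events, checkpoint):
    """Keep only events newer than the checkpointed (sec, ms, serial) id."""
    if checkpoint is None:
        return events
    return [e for e in events if e[0] > checkpoint]


def next_checkpoint(events, previous=None):
    """Id of the newest complete event output.  An event flushed incomplete at
    the end of the newest file is deliberately left out, so its remaining
    records are picked up, and the event shown whole, on the next run."""
    ids = [e[0] for e in events if e[2]]
    if previous is not None:
        ids.append(previous)
    return max(ids) if ids else None


def run(files, checkpoint=None):
    """One ausearch-like pass: assemble, drop already-seen events, and return
    (events_to_print, new_checkpoint)."""
    events = since_checkpoint(assemble_events(files), checkpoint)
    return events, next_checkpoint(events, checkpoint)


# Constructed sample (assumption): a rotated pair where event 4567 straddles
# the file boundary and event 4568 is still being written.
AUDIT_LOG_1 = [  # older file
    'type=SYSCALL msg=audit(1368478400.101:4566): arch=c000003e syscall=2 success=yes exit=3 comm="cat"',
    'type=PATH msg=audit(1368478400.101:4566): item=0 name="/etc/passwd"',
    'type=EOE msg=audit(1368478400.101:4566): ',
    'type=SYSCALL msg=audit(1368478400.205:4567): arch=c000003e syscall=2 success=no exit=-13 comm="cat"',
]
AUDIT_LOG = [  # current file
    'type=PATH msg=audit(1368478400.205:4567): item=0 name="/etc/shadow"',
    'type=EOE msg=audit(1368478400.205:4567): ',
    'type=SYSCALL msg=audit(1368478401.000:4568): arch=c000003e syscall=59 success=yes exit=0 comm="sudo"',
]

if __name__ == "__main__":
    files = [AUDIT_LOG_1, AUDIT_LOG]
    for label, flush in (("old behaviour", True), ("fixed behaviour", False)):
        print(label)
        for eid, recs, complete in assemble_events(files, flush_per_file=flush):
            print(f"  serial {eid[2]}: {len(recs)} record(s), complete={complete}")
    first, cp = run(files)
    # Later the kernel finishes 4568 and logs 4569; a second run uses the checkpoint.
    newer = AUDIT_LOG + ['type=EOE msg=audit(1368478401.000:4568): ',
                         'type=USER_CMD msg=audit(1368478402.500:4569): pid=4242 uid=1000 cmd="/bin/true"']
    second, cp2 = run([AUDIT_LOG_1, newer], cp)
    print("second run shows serials", [e[0][2] for e in second])
```

With the old per-file flush, serial 4567 is emitted twice: a one-record fragment at the end of audit.log.1 and a two-record fragment from audit.log, the second of which even looks complete because it carries the EOE. With the flush deferred to the last file the event is emitted once with all three records. Keying the checkpoint on the newest complete event means a trailing event that was shown incomplete is shown again, whole, on the next run; the alternative of keying on the newest event of any kind would silently hide its remaining records. Which of the two the actual patch chose is not visible in this thread.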
