[RFC][PATCH] audit: add feature audit_lost reset

Richard Guy Briggs rgb at redhat.com
Wed Dec 7 15:58:49 UTC 2016 

On 2016-12-07 10:53, Steve Grubb wrote:
> On Wednesday, December 7, 2016 10:05:30 AM EST Paul Moore wrote:
> > On Tue, Dec 6, 2016 at 10:32 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > > On 2016-12-06 19:17, Paul Moore wrote:
> > >> On Tue, Dec 6, 2016 at 12:13 AM, Richard Guy Briggs <rgb at redhat.com> 
> > >> Okay, back up ... this whole mess about atomic_xchg() was always
> > >> unrelated to my original suggestion, let's focus on my original
> > >> comment ... don't reset the counter on a AUDIT_GET, reset it on a
> > >> AUDIT_SET with an AUDIT_STATUS_LOST, does that make sense?
> > > 
> > > I understood that.  It sounds like a nice simple and straightforward
> > > method to do it but for the question of accuracy.  Please rewind to my
> > > fundamental point: How do we get an accurate reading of the last value
> > > of audit_lost before resetting it?
> > 
> > Okay, I thought you were worried about a different race, which is why
> > this discussion wasn't making much sense to me.  I understand your
> > point, but I really dislike the API; although that's not your fault,
> > it's really the only way to do it via AUDIT_GET.
> > 
> > I'd much prefer we go with the cleaner AUDIT_SET approach and just not
> > worry about the small race window.  It would only be an issue if you
> > reset the count under heavy audit load, and why would you reset the
> > lost value if you were under a heavy audit load?  That just doesn't
> > make sense.
> > 
> > I suppose we should hear from Steve on this since he was the one who
> > has been asking for this feature, although I'm pretty sure I know what
> > he is going to say.
> 
> To start with, this request comes from users of the audit system. I just 
> passed along the request. The issue is that when you do auditctl -s, you get 
> the number of records lost. If you do it the next day, you have to do math to 
> see what the one day delta is. So, to make reporting easy, they want it to be 
> reset whenever they do audictl -s.
> 
> You could also make a AUDIT_GET_RESET that gets the status and resets the 
> number atomically. Then I can add another commandline option to auditctl that 
> allows an admin to say also reset the counters. If that command line option is 
> passed, I call AUDIT_GET_RESET otherwise I call AUDIT_GET. Thought?

This would be slightly simpler in kernel implementation than the method
I proposed and would work fine, off the top of my head.

> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

More information about the Linux-audit mailing list