RFE Reset the Lost Record Counter

Richard Guy Briggs edited this page Feb 9, 2017 · 4 revisions

Feature Description

Add the ability to clear/reset the lost value from the output of 'auditctl -s'.

Many system admins have to tend to the audit trail. If they have lost events in a burst the counter is going to be some odd number like 876812. The next day they want to know if there have been any lost events since yesterday. Now they see 876814. They have to try to remember what yesterday's number was and do some math.

It would be easier for them if the cron job generating their daily report issued a command that resets the counter after running the report, so the next day's report shows the correct number since yesterday without any math.

Feature Design

Implement the AUDIT_STATUS_LOST flag for the AUDIT_SET command, returning the positive lost value before the atomic reset, and generating an audit log message of type CONFIG_CHANGE with "lost=0" as the changed value and "old=" containing the value before the reset. The AUDIT_STATUS_LOST flag must be the only flag set in the mask or the command is ignored.

Add the "--reset-lost" option to auditctl to send the AUDIT_SET command with the AUDIT_STATUS_LOST flag, triggering a reset of the lost counter, and read the positive return value representing the lost value before the reset.

Add interpreters for the new lost= field in the CONFIG_CHANGE record type.

Development Tasks

  1. Develop upstream kernel patch.
  2. Develop upstream userspace patch.
  3. Develop upstream audit-testsuite patch.

Functional Testing and Verification

  1. Check to see if there are any lost messages from boot with "auditctl -s" and look at the "lost" value. If it is non-zero, skip to step 3.
  2. Since it is zero, provoke some lost messages with any number of the following: set the number of buffers low (<32); stop the audit daemon; generate traffic with a rule of your choice; restart the audit daemon; check for a non-zero "lost" value from "auditctl -s".
  3. Send the command "auditctl --reset-lost" and check that it reports the non-zero "lost" value from step 1 or 2.
  4. Send the command "auditctl -s" and check for a "lost" value of zero.
  5. Check the audit logs for a "CONFIG_CHANGE" record containing "lost=0" and the non-zero "old=xxx" value from step 1 or 2.

Example Usage

Suggested user command to reset the lost message counter:

auditctl --reset-lost

Example Audit Records

The new audit record field lost= in message type "CONFIG_CHANGE" is introduced:

type=CONFIG_CHANGE msg=audit(1481792060.384:345390480): lost=0 old=66 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1
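Because every reset leaves a CONFIG_CHANGE record carrying the old counter, a daily report can recover the total number of lost events across resets from the log alone. The Python below is an added example, not code from this page or the audit project; it parses records in the format shown above and sums the old= values, using constructed audit.log lines and constructed "auditctl -s" output.

```python
import re

# Constructed audit.log lines in the record format the page shows (not captured from a real system).
AUDIT_LOG = """\
type=CONFIG_CHANGE msg=audit(1481792060.384:345390480): lost=0 old=66 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1
type=SERVICE_START msg=audit(1481792061.001:345390481): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" res=success'
type=CONFIG_CHANGE msg=audit(1481878460.120:345400010): lost=0 old=12 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1
type=CONFIG_CHANGE msg=audit(1481878470.500:345400011): audit_backlog_limit=8192 old=320 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1
"""
# Constructed excerpt of "auditctl -s" output, with the kind of counter value the motivation describes.
AUDITCTL_STATUS = "enabled 1\nfailure 1\nbacklog_limit 8192\nlost 876812\nbacklog 0\n"

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_record(line):
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial),
            "fields": dict(FIELD.findall(body))}

def lost_resets(lines):
    """(timestamp, old_lost) for each reset: a CONFIG_CHANGE carrying lost=0 and old=.
    Other CONFIG_CHANGE records (e.g. a backlog_limit change) also carry old= and are skipped."""
    resets = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "CONFIG_CHANGE":
            continue
        f = rec["fields"]
        if f.get("lost") == "0" and "old" in f:
            resets.append((rec["time"], int(f["old"])))
    return resets

def auditctl_lost(status_output):
    """Read the live 'lost' counter from 'auditctl -s' output."""
    for line in status_output.splitlines():
        key, _, value = line.partition(" ")
        if key == "lost":
            return int(value)
    raise ValueError("no 'lost' line in auditctl -s output")

def lost_since(lines, since, current_lost):
    """Events lost since 'since': counters recorded at each reset in that window plus the live counter."""
    return current_lost + sum(old for ts, old in lost_resets(lines) if ts >= since)
```

A report run after "auditctl --reset-lost" would pass the value returned by that command as current_lost; before the reset it would use the "lost" line from "auditctl -s".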

Bugzilla and Issue Trackers

https://github.com/linux-audit/audit-kernel/issues/3