RFE Reset the Lost Record Counter
Add the ability to clear/reset the lost value from the output of 'auditctl -s'.
Many system admins have to tend to the audit trail. If they have lost events in a burst, the counter will show some arbitrary number such as 876812. The next day they want to know whether any events have been lost since yesterday, and now they see 876814. They have to remember what yesterday's number was and do the subtraction themselves.
It would be easier for them if the cron job generating their daily report issued a command that resets the counter after the report has run, so that the next day's figure is the number lost since yesterday, with no arithmetic required.
Implement the AUDIT_STATUS_LOST flag for the AUDIT_SET command. It returns the positive lost value before atomically resetting it, and generates an audit log message of type CONFIG_CHANGE with "lost=0" as the changed value and "old=" carrying the value before the reset. The AUDIT_STATUS_LOST flag must be used on its own; if it is combined with other flags the command is ignored.
Add the "--reset-lost" option to auditctl to send the AUDIT_SET command with the AUDIT_STATUS_LOST flag to trigger a lost reset and read the positive return value representing the lost value.
Add interpreters for the new lost= field in the CONFIG_CHANGE record type.
- Develop upstream kernel patch.
- Develop upstream userspace patch.
- Develop upstream audit-testsuite patch.
Functional Testing and Verification
1. Check whether there are any lost messages since boot with "auditctl -s" and look at the "lost" value. If it is non-zero, skip to step 3.
2. Since it is zero, provoke some lost messages with any number of the following: set the number of buffers low (<32); stop the audit daemon; generate traffic with a rule of your choice; restart the audit daemon; then check for a non-zero "lost" value from "auditctl -s".
3. Send the command "auditctl --reset-lost" and check that it reports the non-zero "lost" value seen in step 1 or 2.
4. Send the command "auditctl -s" and check for a "lost" value of zero.
5. Check the audit logs for a "CONFIG_CHANGE" record containing "lost=0" and an "old=xxx" value matching the non-zero value from step 1 or 2.
Suggested user command to reset the lost message counter:
```
auditctl --reset-lost
```
Example Audit Records
The new audit record field lost= in message type "CONFIG_CHANGE" is introduced:
```
type=CONFIG_CHANGE msg=audit(1481792060.384:345390480): lost=0 old=66 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1
```
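The daily-report cron job sketched above, together with a check of the resulting CONFIG_CHANGE record, as an added example that is not part of the audit project's code. It assumes the proposed "auditctl --reset-lost" option exists; the sample status text and record are constructed, and the parsing is kept separate from the privileged calls so it can be exercised offline.

```shell
#!/bin/sh
# Constructed sample of `auditctl -s` output (one "name value" pair per line).
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 66
backlog 0'

# Constructed CONFIG_CHANGE record, mirroring the one shown on this page.
SAMPLE_RECORD='type=CONFIG_CHANGE msg=audit(1481792060.384:345390480): lost=0 old=66 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=1'

# Print the integer after "lost" in `auditctl -s` output ($1).
lost_from_status() {
    printf '%s\n' "$1" | awk '$1 == "lost" { print $2; exit }'
}

# Print the value of field $2 ("name=value") from audit record $1.
field_from_record() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Succeed only if record $1 shows lost=0 and old= equals the count $2 that
# was observed before the reset; a mismatch means the record does not
# belong to the reset we issued.
reset_record_ok() {
    [ "$(field_from_record "$1" lost)" = "0" ] &&
    [ "$(field_from_record "$1" old)" = "$2" ]
}

# Privileged part, run from cron as root (hypothetical; not exercised offline).
daily_lost_report() {
    status=$(auditctl -s) || return 1
    lost=$(lost_from_status "$status")
    echo "lost audit records since last report: ${lost:-0}"
    # Reset only when something was lost, so tomorrow's figure starts at zero.
    if [ "${lost:-0}" -gt 0 ]; then
        auditctl --reset-lost
    fi
}
```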