Consider the following situation:

The sender has .not_terminated file. It gets disconnected. The last trail file is then terminated without adding new data (this can happen for example when auditd is being stopped on the sender). After reconnect the .not_terminated was not renamed on the receiver as it should. We were already handling similar situation where the sender crashed and the .not_terminated trail file was renamed to .crash_recovery. Extend this case to handle the situation above.
svn path=/head/; revision=341675
2018-12-07 03:13:36 +00:00 · 2018-12-07 03:13:36 +00:00 · 4926792bc9 · 2020-12-20 02:59:44 +00:00
commit 4926792bc9
parent af7dcae0e2
1 changed files with 7 additions and 1 deletions
--- a/contrib/openbsm/bin/auditdistd/trail.c
+++ b/contrib/openbsm/bin/auditdistd/trail.c
@ -264,6 +264,12 @@ trail_start(struct trail *trail, const char *filename, off_t offset)
 	 * 2. It is fully sent, but is not terminated, so new data can be
 	 *    appended still, or
 	 * 3. It is fully sent but file name has changed.
+	 *    There are two cases here:
+	 *    3a. Sender has crashed and the name has changed from
+	 *        .not_terminated to .crash_recovery.
+	 *    3b. Sender was disconnected, no new data was added to the file,
+	 *        but its name has changed from .not_terminated to terminated
+	 *        name.
 	 *
 	 * Note that we are fine if our .not_terminated or .crash_recovery file
 	 * is smaller than the one on the receiver side, as it is possible that
@ -275,7 +281,7 @@ trail_start(struct trail *trail, const char *filename, off_t offset)
 	    (offset >= sb.st_size &&
 	     trail_is_not_terminated(trail->tr_filename)) ||
 	    (offset >= sb.st_size && trail_is_not_terminated(filename) &&
-	     trail_is_crash_recovery(trail->tr_filename))) {
+	     !trail_is_not_terminated(trail->tr_filename))) {
 		/* File was not fully send. Let's finish it. */
 		if (lseek(fd, offset, SEEK_SET) == -1) {
 			pjdlog_errno(LOG_ERR,