Closed WOnder93 closed 5 years ago
First patch looks fine to me. Second patch (clear log) I'm not so comfortable with... but maybe it is the right approach. I'd use a method of limiting start of search either with a datestamp, "boot", "recent" or --checkpoint (the latter of which only recently got updated to do so on a failing search).
The tests already use recent, AFAIK, but I believe ausearch still needs to pass over the whole log and parse all timestamps every time, which takes a horrible amount of time if you have 10s of MBs of logs.
FWIW, I just tried working around this by tweaking the values in my auditd.conf:
-max_log_file = 8
-num_logs = 5
+max_log_file = 2
+num_logs = 3
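Review bot: lowering max_log_file from 8 to 2 and num_logs from 5 to 3 changes a host-wide auditd.conf setting rather than anything scoped to the test run, so it also shrinks the audit history kept for everything else on the machine (max_log_file is in megabytes, so roughly 8 x 5 down to 2 x 3). If this workaround is relied on, it should be documented as a testsuite prerequisite and the original values restored afterwards, rather than left as an unrecorded local tweak that changes test timing from one host to the next.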
This did speed up the tests, but also now the lost_reset test keeps failing, since it doesn't manage to hit the backlog limit in time. With the original values and clearing the rotated logs, I get both lost_reset passing and also subsequent tests running acceptably fast.
First off, please make sure you sign-off your patches (see CONTRIBUTING.md).
That said, I'm not sure either of these patches are things we want to include in the main repo. The login_tty test is designed to explicitly test for the tty used, allowing it to work when there is no tty seems silly; I'd rather flag this case as an error. I also don't think it is a good idea to reset the audit log when finished, that is useful information.
I'm going to reject this PR right now, feel free to continue the conversation if you have additional comments.
> First off, please make sure you sign-off your patches (see CONTRIBUTING.md).
Right, forgot about that, sorry.
> That said, I'm not sure either of these patches are things we want to include in the main repo. The login_tty test is designed to explicitly test for the tty used, allowing it to work when there is no tty seems silly; I'd rather flag this case as an error.
That makes sense. I suppose the ideal solution would be to have the testsuite run a command on some unused tty (so it doesn't depend on whether the current shell has a controlling terminal or not), but I'm not sure how difficult that would be...
> I also don't think it is a good idea to reset the audit log when finished, that is useful information.
OK, I can live with that not being in the upstream code.
This PR contains two small tweaks to the testsuite that I needed to do to make it run in my environment. Since they shouldn't cause any problems for others and may even help new future users, I am posting them here to be merged. See the commit messages for short explanations of the patches.