MB-28651: Ensure audit.log exists as much as possible

The changes documented below are to ensure that the audit.log file
almost always exists and open available for writing.

Note: It is not possible for the file to always exist because when
we rotate the file we close the current one, rename and open the new
one.

The changes are as follows:

Create the audit.log file immediately after a file rotation occurs (as
opposed to when a new audit event is recieved).

If the log file is due to rotate, but it is currently empty,
instead of closing the file, keep it open and update the open_time
so that the next rotation will occur at the correct time.

If there is a failure writing to disk, which causes us to close (and
possibly rotate) the audit file, make sure that the file exists and is
re-opened immediately afterwards.

Change-Id: Ib93abf1d45eb36c15b6f2dee438f9956894fff58
Reviewed-on: http://review.couchbase.org/90599
Reviewed-by: Trond Norbye <[email protected]>
Tested-by: Build Bot <[email protected]>

Author: owend74

auditd/src/audit.cc

@@ -408,7 +408,12 @@ bool Audit::configure(void) {
         }
     }
 
-    if (!config.is_auditd_enabled()) {
+    if (config.is_auditd_enabled()) {
+        // If the write_event_to_disk function returns false then it is
+        // possible the audit file has been closed.  Therefore ensure
+        // the file is open.
+        auditfile.ensure_open();
+    } else {
         // Audit is disabled, ensure that the audit file is closed
         auditfile.close();
     }

auditd/src/auditd.cc

@@ -52,7 +52,11 @@ static void consume_events(void* arg) {
                               audit.auditfile.get_seconds_to_rotation() * 1000);
             if (audit.filleventqueue->empty()) {
                 // We timed out, so just rotate the files
-                audit.auditfile.maybe_rotate_files();
+                if (audit.auditfile.maybe_rotate_files()) {
+                    // If the file was rotated then we need to open a new
+                    // audit.log file.
+                    audit.auditfile.ensure_open();
+                }
             }
         }
         /* now have producer_consumer lock!

auditd/src/auditfile.cc

@@ -263,6 +263,8 @@ bool AuditFile::write_event_to_disk(cJSON *output) {
     } else {
         log_error(AuditErrorCode::MEMORY_ALLOCATION_ERROR,
                   "failed to convert audit event");
+        // Failed to write event to disk.
+        return false;
     }
 
     return ret;

auditd/src/auditfile.h

@@ -48,6 +48,13 @@ class AuditFile {
      */
     bool maybe_rotate_files(void) {
         if (is_open() && time_to_rotate_log()) {
+            if (is_empty()) {
+                // Given the audit log is empty on rotation instead of
+                // closing and then re-opening we can just keep open and
+                // update the open_time.
+                open_time = auditd_time();
+                return true;
+            }
             close_and_rotate_log();
             return true;
         }
@@ -142,6 +149,10 @@ class AuditFile {
     void set_log_directory(const std::string &new_directory);
     bool is_timestamp_format_correct(std::string& str);
 
+    bool is_empty() const {
+        return (current_size == 0);
+    }
+
     static time_t auditd_time();
 
     FILE *file;

auditd/src/event.cc

@@ -125,5 +125,10 @@ bool Event::process(Audit& audit) {
 
     Audit::log_error(AuditErrorCode::WRITE_EVENT_TO_DISK_ERROR,
                      to_string(json_payload, false));
+
+    // If the write_event_to_disk function returns false then it is
+    // possible the audit file has been closed.  Therefore ensure
+    // the file is open.
+    audit.auditfile.ensure_open();
     return false;
 }