From owner-freebsd-bugs@FreeBSD.ORG Thu Aug 19 15:40:03 2010
Message-Id: <201008191535.o7JFZ63L010843@tiktik.epipe.com>
Date: Thu, 19 Aug 2010 15:35:06 GMT
From: Janne Snabb
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if host defined
Reply-To: Janne Snabb

>Number: 149806
>Category: bin
>Synopsis: [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Janne Snabb
>Release: FreeBSD 8.1-RELEASE i386
>Organization: EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.

>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host" parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the auditd_expire_trails() function of libauditd(3). The filtering works correctly if "host" parameter has not been defined.

>How-To-Repeat:
Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit ("expire-after" parameter). (Re-)start auditd. Produce enough audit records to reach the expiration limit. You will notice that nothing gets expired. /var/audit will grow indefinitely.

>Fix:
--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist 2009-07-17 14:02:20.000000000 +0000 +++ contrib/openbsm/libauditd/auditd_lib.c 2010-08-19 14:58:52.000000000 +0000 
@@ -427,11 +427,12 @@ struct audit_trail *new; /* * Quickly filter non-trail files. */ - if (dp->d_namlen != (FILENAME_LEN - 1) || + if (dp->d_namlen != (FILENAME_LEN - 1 + + (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) || #ifdef DT_REG dp->d_type != DT_REG || #endif dp->d_name[POSTFIX_LEN] != '.') continue; --- auditd_lib.c.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
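Review bot: the rewritten length test in the `dp->d_namlen != (...)` condition accepts only names whose length matches the currently configured host, so trail files written before "host" was added to audit_control, or under a host value of a different length, will now fail the filter and be skipped by expiry, leaving those files to accumulate in /var/audit. Consider accepting both the bare length `FILENAME_LEN - 1` and the host-suffixed length, or comparing the tail of `dp->d_name` against the configured host instead of relying on length alone. The `auditd_hostlen == -1` sentinel and the `+ 1` also deserve a short comment or a named macro stating that -1 means no host is set and what the extra byte accounts for (presumably the separator before the host suffix), since neither is evident from the condition itself.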