Date: Thu, 19 Aug 2010 15:35:06 GMT
From: Janne Snabb <snabb@epipe.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if host defined
Message-ID: <201008191535.o7JFZ63L010843@tiktik.epipe.com>
Resent-Message-ID: <201008191540.o7JFe3x8080662@freefall.freebsd.org>
>Number: 149806
>Category: bin
>Synopsis: [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Janne Snabb <snabb@epipe.com>
>Release: FreeBSD 8.1-RELEASE i386
>Organization: EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.
>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host" parameter is defined in /etc/security/audit_control. This is caused by improper filtering of file names in the auditd_expire_trails() function of libauditd(3). The filtering works correctly if "host" parameter has not been defined.
>How-To-Repeat:
Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit ("expire-after" parameter). (Re-)start auditd. Produce enough audit records to reach the expiration limit. You will notice that nothing gets expired. /var/audit will grow indefinitely.
>Fix:
--- auditd_lib.c.diff begins here --- --- contrib/openbsm/libauditd/auditd_lib.c.dist 2009-07-17 14:02:20.000000000 +0000 +++ contrib/openbsm/libauditd/auditd_lib.c 2010-08-19 14:58:52.000000000 +0000 @@ -427,11 +427,12 @@ struct audit_trail *new; /* * Quickly filter non-trail files. */ - if (dp->d_namlen != (FILENAME_LEN - 1) || + if (dp->d_namlen != (FILENAME_LEN - 1 + + (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) || #ifdef DT_REG dp->d_type != DT_REG || #endif dp->d_name[POSTFIX_LEN] != '.') continue; --- auditd_lib.c.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
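Review bot: The new `dp->d_namlen` comparison only adjusts the expected total length by `auditd_hostlen + 1`; nothing in this hunk checks that those extra characters are actually a separator followed by the configured host. A regular file of the right length with a '.' at `dp->d_name[POSTFIX_LEN]` therefore still passes this quick filter and becomes a candidate for expiry, so unless the code after this hunk validates the name further, compare the tail of `dp->d_name` against the host here as well. The expected length is also the same for every directory entry: computing it once into a named local before the loop would replace the inline `auditd_hostlen == -1 ? 0 : auditd_hostlen + 1` expression and give a place to document what the -1 sentinel means and what the extra + 1 accounts for. The "Quickly filter non-trail files" comment should be updated to mention the host suffix.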