Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 19 Aug 2010 15:35:06 GMT
From:      Janne Snabb <snabb@epipe.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if host defined
Message-ID:  <201008191535.o7JFZ63L010843@tiktik.epipe.com>
Resent-Message-ID: <201008191540.o7JFe3x8080662@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         149806
>Category:       bin
>Synopsis:       [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Janne Snabb <snabb@epipe.com>
>Release:        FreeBSD 8.1-RELEASE i386
>Organization:
EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.

>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if "host" parameter has not been defined.

>How-To-Repeat:
Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).

(Re-)start auditd.

Produce enough audit records to reach the expiration limit.  

You will notice that nothing gets expired. /var/audit will grow
indefinitely.

>Fix:

--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist	2009-07-17 14:02:20.000000000 +0000
+++ contrib/openbsm/libauditd/auditd_lib.c	2010-08-19 14:58:52.000000000 +0000
@@ -427,11 +427,12 @@
 			struct audit_trail *new;
 
 			/*
 			 * Quickly filter non-trail files.
 			 */
-			if (dp->d_namlen != (FILENAME_LEN - 1) ||
+			if (dp->d_namlen != (FILENAME_LEN - 1 +
+			    (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||
 #ifdef DT_REG
 			    dp->d_type != DT_REG || 
 #endif
 			    dp->d_name[POSTFIX_LEN] != '.')
 				continue;
--- auditd_lib.c.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201008191535.o7JFZ63L010843>