bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if
host defined
Janne Snabb
snabb at epipe.com
Thu Aug 19 15:40:04 UTC 2010
>Number: 149806
>Category: bin
>Synopsis: [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Janne Snabb <snabb at epipe.com>
>Release: FreeBSD 8.1-RELEASE i386
>Organization:
EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.
>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.
This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if "host" parameter has not been defined.
>How-To-Repeat:
Add the following:
host:192.168.1.1
...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).
(Re-)start auditd.
Produce enough audit records to reach the expiration limit.
You will notice that nothing gets expired. /var/audit will grow
indefinitely.
>Fix:
--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist 2009-07-17 14:02:20.000000000 +0000
+++ contrib/openbsm/libauditd/auditd_lib.c 2010-08-19 14:58:52.000000000 +0000
@@ -427,11 +427,12 @@
struct audit_trail *new;
/*
* Quickly filter non-trail files.
*/
- if (dp->d_namlen != (FILENAME_LEN - 1) ||
+ if (dp->d_namlen != (FILENAME_LEN - 1 +
+ (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||
#ifdef DT_REG
dp->d_type != DT_REG ||
#endif
dp->d_name[POSTFIX_LEN] != '.')
continue;
--- auditd_lib.c.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list