From: Guillaume Destuynder <gdestuynder@mozilla.com>
To: linux-audit@redhat.com
Subject: Re: auparse, stdin, and AUPARSE_CB_EVENT_READY
Date: Wed, 07 Mar 2012 08:50:26 -0800
Message-ID: <4F5791D2.8080201@mozilla.com>
In-Reply-To: <4F555904.8000603@tzib.net>
The patch below "fixes" it. The problem is that if you have a node name
included in the message, and it's a long hostname, it's just not
copying a long enough string, and it will fail to parse the message
serial. When the serial is incorrect, auparse will fail to group them
and notify with AUPARSE_CB_EVENT_READY as a consequence.
Now, I write that this "fixes" it because if you have a really, really long
hostname, it will fail in the same manner.
--- audit-2.1.3/auparse/auparse.c 2011-08-15 10:31:02.000000000 -0700
+++ audit-2.1.3-cef/auparse/auparse.c 2012-03-06 15:13:13.000000000 -0800
@@ -680,7 +680,7 @@
int rc = 1;
e->host = NULL;
- tmp = strndupa(b, 80);
+ tmp = strndupa(b, 100);
ptr = strtok(tmp, " ");
if (ptr) {
// Optionally grab the node - may or may not be included
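Review bot: raising the strndupa() bound from 80 to 100 only moves the failure point; a node= value longer than the new cap still truncates the copy before the msg=audit(...) field is reached, so the serial parse fails exactly as before, which the message itself acknowledges. Bound the copy by the record's own maximum length (the MAX_AUDIT_MESSAGE_LENGTH alternative given below) or locate the fields in the original buffer without copying, so the parse does not depend on hostname length.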
A probably better fix is then:
- tmp = strndupa(b, 80);
+ tmp = strndupa(b, MAX_AUDIT_MESSAGE_LENGTH);
Or:
- tmp = strndupa(b, 80);
+ tmp = strndup(b); //potentially dangerous?
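Review bot: the strndup() alternative heap-allocates, so unlike strndupa() the copy must be free()d on every exit path of the function or it leaks once per record; the fragment as shown adds no free(). The MAX_AUDIT_MESSAGE_LENGTH variant keeps the automatic lifetime of the original and needs no such change.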
Or just do away with strtok and avoid duping strings.
Guillaume
On 03/05/2012 04:23 PM, dump@tzib.net wrote:
> Hi,
>
> I made an audispd plugin, which reads from stdin and sends the strings to
> auparse_feed() (auditd-2.1.3).
>
>
> This works fine on the command line.
>
> When called from audispd however, it gives AUPARSE_CB_EVENT_READY for
> each single message, instead of after a complete event has been parsed.
>
> So when you have 4 messages for one event:
> - each of them appears as a single event when the plugin is started via
> audispd.
> - a single event for all 4 messages appears when the plugin is started on
> the command line (and the log data fed via stdin, like cat test |
> audispd-testplugin)
>
> Looking at the write code, it looks OK (audisp/audispd.c):
>
> static int write_to_plugin(event_t *e, const char *string, size_t
> string_len,
> .. (note that I'm using the string type, so it's the string code part)
> if (conf->p->format == F_STRING) {
> do {
> rc = write(conf->p->plug_pipe[1], string, string_len);
> } while (rc < 0 && errno == EINTR);
> }
>
> Do you know what causes this behavior, and/or how to "fix" it?
>
>
> Thanks
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
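As an added illustration of the long-hostname truncation described in the reply above, and of the suggestion to do away with strtok and avoid duplicating strings, the following C program (written for this edit, not taken from audit's auparse.c) contrasts a tokeniser that works on a length-capped copy with one that parses the header in place. Both helpers are hypothetical simplifications of auparse's header handling, and the two records are constructed samples.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Extract the serial from an audit header: [node=HOST ]type=T msg=audit(SEC.MS:SERIAL):
 * Hypothetical helpers written for this example (not auparse's own code); each
 * returns the serial, or -1 when it cannot be found. */

/* Truncating form: tokenise a copy capped at `limit` bytes (the thread's
 * strndupa(b, 80)); a long node= value pushes msg=audit(...) past the cap. */
static long serial_truncated(const char *rec, size_t limit)
{
    size_t n = 0;
    while (n < limit && rec[n] != '\0') n++;
    char *tmp = calloc(n + 1, 1);         /* heap copy standing in for alloca */
    if (tmp == NULL) return -1;
    memcpy(tmp, rec, n);
    long serial = -1;
    char *ptr = strtok(tmp, " ");
    if (ptr && strncmp(ptr, "node=", 5) == 0)
        ptr = strtok(NULL, " ");          /* node= is optional: skip it */
    if (ptr && strncmp(ptr, "type=", 5) == 0)
        ptr = strtok(NULL, " ");          /* should now be msg=audit(...) */
    if (ptr && strncmp(ptr, "msg=audit(", 10) == 0) {
        char *colon = strchr(ptr, ':');
        if (colon && strchr(colon, ')'))
            serial = strtol(colon + 1, NULL, 10);
    }
    free(tmp);
    return serial;
}

/* Length-independent form: parse in the caller's buffer, nothing to truncate. */
static long serial_in_place(const char *rec)
{
    const char *p = strstr(rec, "msg=audit(");
    const char *colon = p ? strchr(p, ':') : NULL;
    const char *close = colon ? strchr(colon, ')') : NULL;
    if (close == NULL) return -1;
    char *end;
    long serial = strtol(colon + 1, &end, 10);
    /* digits must run exactly from ':' to ')': reject empty or junk serials */
    return (end == close && end != colon + 1) ? serial : -1;
}

/* Constructed sample records, not captured from a real system. */
static const char *short_rec = "node=host1 type=SYSCALL msg=audit(1331135000.123:4567): arch=c000003e";
static const char *long_rec = "node=a-very-long-fully-qualified-hostname.some.department.example.internal "
                              "type=SYSCALL msg=audit(1331135000.123:4567): arch=c000003e";
int main(void) { printf("%ld %ld %ld\n", serial_truncated(short_rec, 80),
                        serial_truncated(long_rec, 80), serial_in_place(long_rec)); }
```

With the 80-byte cap the long record yields -1 (the serial is lost and events can no longer be grouped), while the in-place parser recovers 4567 from both records.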
Thread overview: 4+ messages
2012-03-06 0:23 auparse, stdin, and AUPARSE_CB_EVENT_READY dump
2012-03-07 16:50 ` Guillaume Destuynder [this message]
2012-03-07 17:19 ` Steve Grubb
2012-03-07 17:48 ` Steve Grubb