From: "chuli" <chul@cn.fujitsu.com>
To: 'Steve Grubb' <sgrubb@redhat.com>
Cc: 'linux-audit' <linux-audit@redhat.com>
Subject: [Patch] Fix the bug of action "exec /path-to-script" can never be taken
Date: Fri, 25 Jul 2008 10:26:43 +0800 [thread overview]
Message-ID: <003701c8edfd$e10ccb40$958da70a@truly> (raw)
Hi Mr. Steve,
I set "space_left_action = exec /script" in /etc/audit/auditd.conf.
It is said that this parameter tells the system what action to take when
the system has detected that it is starting to get low on disk space (The
limitation of disk space size is set by space_left.) in the manual. But I
found the action "exec /script" will never be taken.
I found an error message "Audit daemon failed to exec null" in
/var/log/messages. The filename "/script" does not be gotten by auditd,
so though the disk space size is less than the value of "space_left",
/script does not be executed.
It has the same bug with admin_space_left_action, disk_full_action,
disk_error_action.
Here is my patch for audit-1.7.4. What's your opinion about such
modification?
Signed-off-by: Chu Li<chul@cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 8a81b46..a7a939e 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -892,17 +892,13 @@ static int space_action_parser(struct nv_pair *nv, int
line,
email_command);
}
}
- config->space_left_action = failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->space_left_exe = strdup(nv->option);
- config->space_left_action = FA_EXEC;
- return 0;
}
+ config->space_left_action = failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1021,19 +1017,15 @@ static int admin_space_left_action_parser(struct
nv_pair *nv, int line,
email_command);
}
}
- config->admin_space_left_action =
- failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->admin_space_left_exe =
strdup(nv->option);
- config->admin_space_left_action = FA_EXEC;
- return 0;
}
+ config->admin_space_left_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1049,25 +1041,20 @@ static int disk_full_action_parser(struct nv_pair *nv,
int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_full_action =
- failure_actions[i].option;
- return 0;
- } else {
+ if (failure_actions[i].option == FA_EMAIL ) {
audit_msg(LOG_ERR,
"Illegal option %s for disk_full_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_full_exe = strdup(nv->option);
- config->disk_full_action = FA_EXEC;
- return 0;
}
+ config->disk_full_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1083,25 +1070,20 @@ static int disk_error_action_parser(struct nv_pair
*nv, int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_error_action =
- failure_actions[i].option;
- return 0;
- } else {
- audit_msg(LOG_ERR,
- "Illegal option %s for disk_error_action - line %d",
+ if (failure_actions[i].option == FA_EMAIL ) {
+ audit_msg(LOG_ERR,
+ "Illegal option %s for disk_error_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_error_exe = strdup(nv->option);
- config->disk_error_action = FA_EXEC;
- return 0;
}
+ config->disk_error_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
Regards
Chu Li
next reply other threads:[~2008-07-25 2:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-25 2:26 chuli [this message]
2008-07-25 20:02 ` [Patch] Fix the bug of action "exec /path-to-script" can never be taken Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='003701c8edfd$e10ccb40$958da70a@truly' \
--to=chul@cn.fujitsu.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox