difficulty with TYPE

difficulty with TYPE

[Abhishek Gupta]

[-- Attachment #1.1: Type: text/plain, Size: 4687 bytes --]

i tried to run auditdispatcher from
http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little
modification.
i converted TYPE numeric value to name using audit library function
"audit_msg_type_to_name".
Then i printed audit TYPE number with corresponding name using above
function.
The program is running fine but i have little doubt.

i restarted audit daemon
i changed login to some other user and back to root. to generate records as
USER_LOGIN,USER_AUTH,etc
and looked to syslog where i have printed messages from program.


I got this output :
type=1305 typename=CONFIG_CHANGE, payload size=110
type=539770685 typename=(null), payload size=1836213620
type=1836213620 typename=(null), payload size=1818324585
type=1702109228 typename=(null), payload size=1852403058

first one is ok but look  at the rest lines.
so what does type=539770685means? how does this numeric values maps to
USER_AUTH,USER_ACCT,etc
why typename coming out to be null?
Please help.
here is the code:
----------------------------------------------------------------------------------------------------------------------------------------
//change mode of binary version of this file as "chmod 0750 skeleton" very
very important
//switch off selinux by command "setenforce 0" or use GUI application
//data from audit daemon is "header+msg"
//header has field like type,etc which is an integer,map that type number
with macros defined in linuxaudit.h
//msg contains various fields specific to the type number
//note down important security specific type number and create table for
each type with fields that type contains
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <locale.h>
#include "libaudit.h"


// Local data
static volatile int signaled = 0;
static int pipe_fd;
static const char *pgm = "skeleton";

// Local functions
static int event_loop(void);

// SIGTERM handler
static void term_handler( int sig )
{
    signaled = 1;
}


/*
 * main is started by auditd. See dispatcher in auditd.conf
 */
int main(int argc, char *argv[])
{
    struct sigaction sa;

    setlocale (LC_ALL, "");
    openlog(pgm, LOG_PID, LOG_DAEMON);
    syslog(LOG_NOTICE, "starting ABHISHEK...");

#ifndef DEBUG
    // Make sure we are root
    if (getuid() != 0) {
        syslog(LOG_ERR, "You must be root to run this program.");
        return 4;
    }
#endif

    // register sighandlers
    sa.sa_flags = 0 ;
    sa.sa_handler = term_handler;
    sigemptyset( &sa.sa_mask ) ;
    sigaction( SIGTERM, &sa, NULL );
    sa.sa_handler = term_handler;
    sigemptyset( &sa.sa_mask ) ;
    sigaction( SIGCHLD, &sa, NULL );
    sa.sa_handler = SIG_IGN;
    sigaction( SIGHUP, &sa, NULL );
    (void)chdir("/");

    // change over to pipe_fd
    pipe_fd = dup(0);
    close(0);
    open("/dev/null", O_RDONLY);
    fcntl(pipe_fd, F_SETFD, FD_CLOEXEC);

    // Start the program
    return event_loop();
}

static int event_loop(void)
{
    void* data;
    int i=0;
    struct iovec vec[2];
    struct audit_dispatcher_header hdr;
   + const char *typename;
    int res;

    // allocate data structures
    data = malloc(MAX_AUDIT_MESSAGE_LENGTH);
    if (data == NULL) {
        syslog(LOG_ERR, "Cannot allocate buffer");
        return 1;
    }
    memset(data, 0, MAX_AUDIT_MESSAGE_LENGTH);
    memset(&hdr, 0, sizeof(hdr));


    do {
        int rc;
        struct timeval tv;
        fd_set fd;

        tv.tv_sec = 1;
        tv.tv_usec = 0;
        FD_ZERO(&fd);
        FD_SET(pipe_fd, &fd);
        rc = select(pipe_fd+1, &fd, NULL, NULL, &tv);
        if (rc == 0)
            continue;
         else if (rc == -1)
            break;

        /* Get header first. it is fixed size */
        vec[0].iov_base = (void*)&hdr;
        vec[0].iov_len = sizeof(hdr);

            // Next payload
        vec[1].iov_base = data;
        vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;

        rc = readv(pipe_fd, vec, 2);
        if (rc == 0 || rc == -1) {
            syslog(LOG_ERR, "rc == %d(%s)", rc, strerror(errno));
            break;
        }

        // handle events here. Just for illustration, we print
        // to syslog, but you will want to do something else.


   +     typename=audit_msg_type_to_name(hdr.type);
   +  syslog(LOG_NOTICE,"type=%d typename=%s, payload size=%d",hdr.type
,typename,hdr.size);
        //syslog(LOG_NOTICE,"data=\"%.*s\"", hdr.size,(char *)data);

    } while(!signaled);

    return 0;
}
------------------------------------------------------------------------------------------------------------------------------------------

[-- Attachment #1.2: Type: text/html, Size: 7442 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: difficulty with TYPE

[James Antill]

[-- Attachment #1.1: Type: text/plain, Size: 1238 bytes --]


On Tue, 2008-01-15 at 12:44 +0530, Abhishek Gupta wrote:
> i tried to run auditdispatcher from
> http://people.redhat.com/sgrubb/audit/audit-rt-events.txt with little
> modification.
> i converted TYPE numeric value to name using audit library function
> "audit_msg_type_to_name". 
> Then i printed audit TYPE number with corresponding name using above
> function.
> The program is running fine but i have little doubt.
[...]
>         /* Get header first. it is fixed size */
>         vec[0].iov_base = (void*)&hdr;
>         vec[0].iov_len = sizeof(hdr);
> 
>             // Next payload 
>         vec[1].iov_base = data;
>         vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
> 
>         rc = readv(pipe_fd, vec, 2);
>         if (rc == 0 || rc == -1) {

 The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
there are two messages you'll read some/all of the next one(s). You
either need to read the header first and then use hdr.size, or separate
the IO from the parsing.
 Also you can't just check for readv() as above, you need to check that
you've read the amount of data you want, and if you didn't get it all
yet then loop. 

-- 
James Antill <james.antill@redhat.com>
Red Hat

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: difficulty with TYPE

[John Dennis]

James Antill wrote:
>  The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
> there are two messages you'll read some/all of the next one(s). You
> either need to read the header first and then use hdr.size, or separate
> the IO from the parsing.
>  Also you can't just check for readv() as above, you need to check that
> you've read the amount of data you want, and if you didn't get it all
> yet then loop. 

This is why we provide libraries to do things like this, it can be 
tricky to get right. The feed() interface to auparse consumes arbitrary 
amounts of data (perfect for use in select/recv calls) and then calls 
back with audit events as they are recognized in the input stream you 
fed it.
-- 
John Dennis <jdennis@redhat.com>

Re: difficulty with TYPE

[James Antill]

[-- Attachment #1.1: Type: text/plain, Size: 870 bytes --]


On Tue, 2008-01-15 at 08:58 -0500, John Dennis wrote:
> James Antill wrote:
> >  The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
> > there are two messages you'll read some/all of the next one(s). You
> > either need to read the header first and then use hdr.size, or separate
> > the IO from the parsing.
> >  Also you can't just check for readv() as above, you need to check that
> > you've read the amount of data you want, and if you didn't get it all
> > yet then loop. 
> 
> This is why we provide libraries to do things like this, it can be 
> tricky to get right. The feed() interface to auparse consumes arbitrary 

 auparse_feed() works off log files and the audispd "string" format. The
above code was using the auditd -> audispd format, so that API doesn't
work.

-- 
James Antill <james.antill@redhat.com>
Red Hat

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: difficulty with TYPE

[Steve Grubb]

On Tuesday 15 January 2008 08:33:59 James Antill wrote:
> >         /* Get header first. it is fixed size */
> >         vec[0].iov_base = (void*)&hdr;
> >         vec[0].iov_len = sizeof(hdr);
> >
> >             // Next payload
> >         vec[1].iov_base = data;
> >         vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH;
> >
> >         rc = readv(pipe_fd, vec, 2);
> >         if (rc == 0 || rc == -1) {
>
>  The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
> there are two messages you'll read some/all of the next one(s).

I am fixing the example code to match the code in 1.6.5's audispd program. The 
example code was included 2 years ago before we had a working audispd program 
so that people that were ambitious could write their own. At this point, 
audispd is working and people can just code plugins which auparse does work 
with when the string mode is selected for output format. See the audispd man 
page for more info.

-Steve

Re: difficulty with TYPE

[John Dennis]

James Antill wrote:
> On Tue, 2008-01-15 at 08:58 -0500, John Dennis wrote:
>> James Antill wrote:
>>>  The second iovec above can't just be MAX_AUDIT_MESSAGE_LENGTH, or if
>>> there are two messages you'll read some/all of the next one(s). You
>>> either need to read the header first and then use hdr.size, or separate
>>> the IO from the parsing.
>>>  Also you can't just check for readv() as above, you need to check that
>>> you've read the amount of data you want, and if you didn't get it all
>>> yet then loop. 
>> This is why we provide libraries to do things like this, it can be 
>> tricky to get right. The feed() interface to auparse consumes arbitrary 
> 
>  auparse_feed() works off log files and the audispd "string" format. The
> above code was using the auditd -> audispd format, so that API doesn't
> work.

Then it needs to be fixed to also work with the old binary protocol. But 
on the other hand, the binary protocol is deprecated and won't be used 
with the new audispd so perhaps it's moot.

FWIW, setroubleshoot supports automatic detection of the audispd 
protocol and utilizes a feed interface so if backwards compatibility is 
important for auparse we already have a proof of concept implementation 
of how to do this.

-- 
John Dennis <jdennis@redhat.com>

Re: difficulty with TYPE

[Steve Grubb]

On Tuesday 15 January 2008 09:41:38 John Dennis wrote:
> >  auparse_feed() works off log files and the audispd "string" format. The
> > above code was using the auditd -> audispd format, so that API doesn't
> > work.

Agreed.

> Then it needs to be fixed to also work with the old binary protocol.

NACK. auparse was meant for string representation of audit events.


> But on the other hand, the binary protocol is deprecated and won't be used
> with the new audispd so perhaps it's moot.

Correct.

-Steve