auparse_interpret_field()

auparse_interpret_field()

[Klaus Heinrich Kiwi]

env: audit 1.6.2, s390x, RHEL5 in targeted policy, permissive mode

I'm trying to assign the field name + interpreted value to a variable
inside my dispatcher plugin. something along these lines:

do {
    name = auparse_get_field_name(au);
    value = auparse_interpret_field(au);
    snprintf(data, 1023, "%s=%s", name, value);
} while (auparse_next_record(au) > 0);

but auparse is failing to interpret fields like arch and syscall. From
gdb:
(gdb) p name
$20 = 0x80037bd0 "arch"
(gdb) printf "%s\n",auparse_get_field_str(au)
80000016
(gdb) printf "%s\n",auparse_interpret_field(au)
unknown elf type(80000016)
---
(gdb) p name
$22 = 0x80037b90 "syscall"
(gdb) p auparse_get_field_str(au)
$23 = 0x8002acf0 "5"
(gdb) p auparse_interpret_field(au)
$24 = 0x8002ade0 "unknown syscall(-1)"


uid and auid are being correctly translated (at least for root). No AVCs
seen.

Am I missing something?

 Thanks,

 Klaus

Re: auparse_interpret_field()

[klausk]

[-- Attachment #1.1: Type: text/plain, Size: 1241 bytes --]

(sorry for the html)

linux-audit-bounces@redhat.com wrote on 11/08/2007 05:26:00 PM:

> env: audit 1.6.2, s390x, RHEL5 in targeted policy, permissive mode
> 
> I'm trying to assign the field name + interpreted value to a variable
> inside my dispatcher plugin. something along these lines:

Trying to debug this problem, I saw that it's happening because the record 
'machine' field in the auparse internal structure is set to '-1':
(gdb) p *r
$17 = {
  record = 0x80041510 "node=kwuser3.edincott.ibm type=SYSCALL 
msg=audit(1194628042.317:58358): arch=80000016 syscall=5 success=yes 
exit=3 a0=800ed250 a1=241 a2=1b6 a3=0 items=1 ppid=14670 pid=14672 auid=0 
uid=0 gid=0 euid=0"..., type = 0, machine = -1, syscall = -1, a0 = 0, a1 = 
0, nv = {head = 0x80039dd0, cur = 0x8002ad10, 
    cnt = 27}, item = 0, list_idx = 0, line_number = 19, next = 0x0}

Any chance this might be happening because I don't have the complete event 
(ie.: the CWD and PATH records are missing in the event) - In this case, 
this would be caused by the record loss in audispd reported in another 
thread...

 Klaus

-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]

[-- Attachment #1.2: Type: text/html, Size: 1753 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auparse_interpret_field()

[Steve Grubb]

On Friday 09 November 2007 12:15:43 klausk@br.ibm.com wrote:
> Trying to debug this problem, I saw that it's happening because the record
> 'machine' field in the auparse internal structure is set to '-1':

That would do it. Now...how did that happen? arch says its a 64 bit S390 
machine.

> (gdb) p *r
> $17 = {
>   record = 0x80041510 "node=kwuser3.edincott.ibm type=SYSCALL
> msg=audit(1194628042.317:58358): arch=80000016 syscall=5 success=yes
> exit=3 a0=800ed250 a1=241 a2=1b6 a3=0 items=1 ppid=14670 pid=14672 auid=0
> uid=0 gid=0 euid=0"..., type = 0, machine = -1, syscall = -1, a0 = 0, a1 =
> 0, nv = {head = 0x80039dd0, cur = 0x8002ad10,
>     cnt = 27}, item = 0, list_idx = 0, line_number = 19, next = 0x0}
>
> Any chance this might be happening because I don't have the complete event

Nope, this gets pulled out of syscall records.

-Steve

Re: auparse_interpret_field()

[klausk]

[-- Attachment #1.1: Type: text/plain, Size: 1981 bytes --]

Steve Grubb <sgrubb@redhat.com> wrote on 11/09/2007 12:56:41 PM:

> On Friday 09 November 2007 12:15:43 klausk@br.ibm.com wrote:
> > Trying to debug this problem, I saw that it's happening because the 
record
> > 'machine' field in the auparse internal structure is set to '-1':
> 
> That would do it. Now...how did that happen? arch says its a 64 bit S390 

> machine.
> 
>From ellist.c, function parse_up_record():
                        } else if(r->nv.cnt == 2 && strcmp(n.name, 
"arch")== 0){
                                unsigned int ival;
                                errno = 0;
                                ival = strtoul(n.val, NULL, 16);
                                if (errno) 
                                        r->machine = -1;
                                r->machine = audit_elf_to_machine(ival);
                        } else if(r->nv.cnt == 3 && strcmp(n.name,
                                                        "syscall") == 0){
                                errno = 0;
                                r->syscall = strtoul(n.val, NULL, 10);
                                if (errno)
                                        r->syscall = -1;

See that 'r->machine' and 'r->syscall' are only filled when the 'arch' 
field in found in the 2nd position, and syscall in the 3rd position 
respectively. That is not true when the dispatcher is appending a 'node=' 
field to each record.

I just confirmed this behavior by setting 'name_format = NONE' in the 
audispd configuration, and then I was capable of seeing the 'arch=' field 
correctly interpreted to 's390x'

I would provide a patch myself, but I'm not sure why you need to check the 
field position in this function (I mean, if the field is arch=, wouldn't 
it be interpreted no matter what position it is?)

Thoughts?

 Thanks,
 Klaus
-- 
Klaus Heinrich Kiwi/Brazil/IBM <klausk@br.ibm.com>
Software Engineer
IBM STG, Linux Technology Center
Phone:(+55-19) 2132-1909 [T/L 839-1909]

[-- Attachment #1.2: Type: text/html, Size: 3987 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: auparse_interpret_field()

[Steve Grubb]

On Friday 09 November 2007 14:56:05 klausk@br.ibm.com wrote:
> See that 'r->machine' and 'r->syscall' are only filled when the 'arch'
> field in found in the 2nd position, and syscall in the 3rd position
> respectively. That is not true when the dispatcher is appending a 'node='
> field to each record.

Yeah I put a FIXME in the code for that a little while ago. It needs to be 
flexible.

> I would provide a patch myself, but I'm not sure why you need to check the
> field position in this function (I mean, if the field is arch=, wouldn't
> it be interpreted no matter what position it is?)

Speed. I wanted a way to only check these things once and not slow it down for 
each field. This is where the record is getting split up, so we can do 
anything but simple checks.

-Steve

Re: auparse_interpret_field()

[Steve Grubb]

On Friday 09 November 2007 14:56:05 klausk@br.ibm.com wrote:
> See that 'r->machine' and 'r->syscall' are only filled when the 'arch'
> field in found in the 2nd position, and syscall in the 3rd position
> respectively. That is not true when the dispatcher is appending a 'node='
> field to each record.

This is the patch I'm testing.

-Steve


--- audit-1.6.3.orig/auparse/ellist.c	2007-10-01 13:56:21.000000000 -0400
+++ audit-1.6.3/auparse/ellist.c	2007-11-12 14:27:31.000000000 -0500
@@ -65,6 +65,7 @@
 static int parse_up_record(rnode* r)
 {
 	char *ptr, *buf, *saved;
+	int offset = 0;
 
 	buf = strdup(r->record);
 	ptr = strtok_r(buf, " ", &saved);
@@ -123,27 +124,34 @@
 				}
 			}
 			nvlist_append(&r->nv, &n);
-			if (r->nv.cnt == 1 && strcmp(n.name, "type") == 0) {
+			if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0)
+				offset = 1; // if node, some positions changes
+			else if (r->nv.cnt == (1 + offset) &&
+					strcmp(n.name, "type") == 0) {
 				r->type = audit_name_to_msg_type(n.val);
-			} else if(r->nv.cnt == 2 && strcmp(n.name, "arch")== 0){
+			} else if (r->nv.cnt == (2 + offset) && 
+					strcmp(n.name, "arch")== 0){
 				unsigned int ival;
 				errno = 0;
 				ival = strtoul(n.val, NULL, 16);
 				if (errno)
-					r->machine = -1;
-				r->machine = audit_elf_to_machine(ival);
-			} else if(r->nv.cnt == 3 && strcmp(n.name,
-							"syscall") == 0){
+					r->machine = -2;
+				else
+					r->machine = audit_elf_to_machine(ival);
+			} else if (r->nv.cnt == (3 + offset) &&
+					strcmp(n.name, "syscall") == 0){
 				errno = 0;
 				r->syscall = strtoul(n.val, NULL, 10);
 				if (errno)
 					r->syscall = -1;
-			} else if(r->nv.cnt == 6 && strcmp(n.name, "a0") == 0){
+			} else if (r->nv.cnt == (6 + offset) &&
+					strcmp(n.name, "a0") == 0){
 				errno = 0;
 				r->a0 = strtoull(n.val, NULL, 16);
 				if (errno)
 					r->a0 = -1LL;
-			} else if(r->nv.cnt == 7 && strcmp(n.name, "a1") == 0){
+			} else if (r->nv.cnt == (7 + offset) &&
+					strcmp(n.name, "a1") == 0){
 				errno = 0;
 				r->a1 = strtoull(n.val, NULL, 16);
 				if (errno)
@@ -152,12 +160,12 @@
 		} else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) {
 			// We special case these 2 fields because selinux
 			// avc messages do not label these fields.
-			if (nvlist_get_cnt(&r->nv) == 1) {
+			if (nvlist_get_cnt(&r->nv) == (1 + offset)) {
 				// skip over 'avc:'
 				if (strncmp(ptr, "avc", 3) == 0)
 					continue;
 				n.name = strdup("seresult");
-			} else if (nvlist_get_cnt(&r->nv) == 2) {
+			} else if (nvlist_get_cnt(&r->nv) == (2 + offset)) {
 				// skip over open brace
 				if (*ptr == '{') {
 					int total = 0, len;