From: Guillaume Destuynder
Subject: Re: auparse, stdin, and AUPARSE_CB_EVENT_READY
Date: Wed, 07 Mar 2012 08:50:26 -0800
Message-ID: <4F5791D2.8080201@mozilla.com>
In-Reply-To: <4F555904.8000603@tzib.net>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Below patch "fixes" it. The problem is that if you have a node name included in the message, and it's a long hostname, it's just not copying a long enough string, and it will fail to parse the message serial. When the serial is incorrect, auparse will fail to group them and notify with AUPARSE_CB_EVENT_READY as a consequence.

Now, I write this "fixes" it because if you have a really, really long hostname, it will fail in the same manner.

--- audit-2.1.3/auparse/auparse.c	2011-08-15 10:31:02.000000000 -0700
+++ audit-2.1.3-cef/auparse/auparse.c	2012-03-06 15:13:13.000000000 -0800
@@ -680,7 +680,7 @@
 	int rc = 1;
 
 	e->host = NULL;
-	tmp = strndupa(b, 80);
+	tmp = strndupa(b, 100);
 	ptr = strtok(tmp, " ");
 	if (ptr) {
 		// Optionally grab the node - may or may not be included

A probably better fix is then:

-	tmp = strndupa(b, 80);
+	tmp = strndupa(b, MAX_AUDIT_MESSAGE_LENGTH);

Or:

-	tmp = strndupa(b, 80);
+	tmp = strndup(b); //potentially dangerous?

Or just do away with strtok and avoid duping strings.

Guillaume

On 03/05/2012 04:23 PM, dump@tzib.net wrote:
> Hi,
>
> I made an audispd plugin, which reads from stdin and sends the strings to
> auparse_feed() (auditd-2.1.3).
>
> This works fine on the command line.
>
> When called from audispd however, it gives AUPARSE_CB_EVENT_READY for
> each single message, instead of after a complete event has been parsed.
>
> So when you have 4 messages for one event:
> - each of them appears as a single event when the plugin is started via
> audispd.
> - a single event for all 4 messages appears when the plugin is started on
> the command line (and the log data fed via stdin, like cat test |
> audispd-testplugin)
>
> Looking at the write code it looks ok (audisp/audispd.c):
>
> static int write_to_plugin(event_t *e, const char *string, size_t
> string_len,
> .. (note that I'm using string type so it's the string code part)
> if (conf->p->format == F_STRING) {
> do {
> rc = write(conf->p->plug_pipe[1], string, string_len);
> } while (rc < 0 && errno == EINTR);
> }
>
> Do you know what causes this behavior, and/or how to "fix" it?
>
> Thanks
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
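Review bot: the `- tmp = strndupa(b, 80);` / `+ tmp = strndupa(b, 100);` change only moves the truncation point, so a `node=` value longer than the new window still clips the `msg=audit(...:serial)` part before `strtok()` ever sees it, which is exactly the failure the message describes for a "really, really long hostname". Of the alternatives listed, `strndupa(b, MAX_AUDIT_MESSAGE_LENGTH)` keeps the stack-bounded copy while sizing it to the largest message the library expects, whereas `strndup(b)` needs a NULL check and a matching `free()` on every return path of the function, which is the hazard the `//potentially dangerous?` comment is pointing at. Whichever bound is chosen, a one-line comment on why the copy is limited would save the next reader from repeating this bug.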
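An added example (my own code, not from auparse.c or anyone on this thread) of why a fixed copy length loses the serial: it parses the record header using only a byte window of the caller's choosing, so an 80- or 100-byte window fails on a long `node=` value while scanning the whole record succeeds. The two sample records are constructed, and `parse_audit_hdr`/`serial_of` are names I made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample records (not real audit output); the second has an
 * 84-byte "node=" prefix, so its serial lies beyond an 80-byte window. */
static const char SHORT_REC[] =
    "node=host1 type=SYSCALL msg=audit(1331000000.123:4567): arch=c000003e syscall=59";
static const char LONG_REC[] =
    "node=ip-10-20-30-40.very-long-availability-zone-name.internal.cloud.corp.example.com"
    " type=SYSCALL msg=audit(1331000000.123:4567): arch=c000003e syscall=59";

struct audit_hdr {
    char host[256];                    /* node= value, empty when absent */
    unsigned long sec, serial;         /* timestamp seconds, event serial */
    unsigned int msec;                 /* timestamp milliseconds */
};

/* Parse "node=<host> ... msg=audit(sec.msec:serial)" using only the first
 * 'limit' bytes of 'rec'. 'limit' stands in for the strndupa() cap in
 * extract_timestamp(); pass strlen(rec) to scan the whole record.
 * Returns 0 on success, -1 when the header does not fit in the window. */
int parse_audit_hdr(const char *rec, size_t limit, struct audit_hdr *h)
{
    size_t len = strlen(rec), i;
    const char *p = NULL;
    int used = 0;
    if (len > limit)
        len = limit;
    memset(h, 0, sizeof(*h));
    if (strncmp(rec, "node=", 5) == 0) {             /* optional node prefix */
        const char *end = memchr(rec + 5, ' ', len > 5 ? len - 5 : 0);
        if (!end || (size_t)(end - rec - 5) >= sizeof(h->host))
            return -1;                               /* host cut by the window */
        memcpy(h->host, rec + 5, (size_t)(end - rec - 5));
    }
    for (i = 0; p == NULL && i + 10 <= len; i++)     /* find msg=audit( in window */
        if (memcmp(rec + i, "msg=audit(", 10) == 0)
            p = rec + i + 10;
    if (!p || sscanf(p, "%lu.%u:%lu)%n", &h->sec, &h->msec, &h->serial, &used) != 3
        || used == 0 || (size_t)(p - rec) + (size_t)used > len)
        return -1;                                   /* serial or ')' outside window */
    return 0;
}

/* The serial, or -1 when the header cannot be parsed within 'limit' bytes. */
long serial_of(const char *rec, size_t limit)
{
    struct audit_hdr h;
    return parse_audit_hdr(rec, limit, &h) == 0 ? (long)h.serial : -1;
}
```

With the long record, `serial_of(LONG_REC, 80)` and `serial_of(LONG_REC, 100)` both return -1, while `serial_of(LONG_REC, strlen(LONG_REC))` returns 4567; two records that fail this way get different (missing) serials and are never grouped into one event.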