* Regarding log_file_parser
@ 2016-02-26 16:22 张晨峰
2016-02-26 17:12 ` Steve Grubb
0 siblings, 1 reply; 2+ messages in thread
From: 张晨峰 @ 2016-02-26 16:22 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1079 bytes --]
|
Hi,
I have some doubt about the bold code below, at audit-2.5/src/auditd-config.c
static int log_file_parser(struct nv_pair *nv, int line,
struct daemon_conf *config)
{
char *dir = NULL, *tdir;
DIR *d;
int fd, mode;
struct stat buf;
audit_msg(LOG_DEBUG, "log_file_parser called with: %s", nv->value);
/* get dir from name. */
tdir = strdup(nv->value);
if (tdir)
dir = dirname(tdir);
if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
audit_msg(LOG_ERR,
"The directory name: %s is too short - line %d",
dir, line);
free((void *)tdir);
return 1;
}
/* verify the directory path exists */
d = opendir(dir);
if (d == NULL) {
audit_msg(LOG_ERR, "Could not open dir %s (%s)", dir,
strerror(errno));
free((void *)tdir);
return 1;
}
when parsing the field "log_file", If the dir is examined nonexistent, why don't create it ?
what are the reasons for the design?
Thanks.
--
frank
|
[-- Attachment #1.2: Type: text/html, Size: 6469 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: Regarding log_file_parser
2016-02-26 16:22 Regarding log_file_parser 张晨峰
@ 2016-02-26 17:12 ` Steve Grubb
0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2016-02-26 17:12 UTC (permalink / raw)
To: linux-audit
On Saturday, February 27, 2016 12:22:05 AM 张晨峰 wrote:
> when parsing the field "log_file", If the dir is examined nonexistent, why
> don't create it ? what are the reasons for the design?
Its assumed that the audit system is installed on a managed system. That means
that it depends on the admin or the OS distribution to provide its basic
needs. With that assumption, one would then only verify that the path exists
so that if open(2) later fails, you can correctly tell the admin why the audit
system cannot be started.
The audit system _could_ make the directory. But what if its a typo? (e.g.
/vr/log/audit) Should auditd make the whole directory hierarchy all the way to
the last directory? What permissions should the directory (or directories)
have? What should be the owner and group? If those don't exist, should the
audit system make the accounts? What if the directory chosen is not labeled
correctly for SE Linux? Should auditd have knowledge of SE Linux policy and
call semanage to fix that? What about other MAC systems?
I really just want to draw the line and say its the admin's responsibility to
correctly set it up and then only verify the essentials so that a meaningful
and actionable problem is reported. :-)
Hope this helps...
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-02-26 17:12 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-02-26 16:22 Regarding log_file_parser 张晨峰
2016-02-26 17:12 ` Steve Grubb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox