Bug 149806

Summary: [patch] OpenBSM auditd(8) fails to expire trails if host defined
Product: Base System Reporter: Janne Snabb <snabb>
Component: bin
Assignee: freebsd-bugs mailing list <bugs>
Status: Open ---    
Severity: Affects Only Me CC: aniketp, asomers
Priority: Normal    
Version: 8.1-RELEASE   
Hardware: Any   
OS: Any   
Attachments:
Description         Flags
auditd_lib.c.diff   none

Description Janne Snabb 2010-08-19 16:40:03 UTC
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if "host" parameter has not been defined.

How-To-Repeat: Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).

(Re-)start auditd.

Produce enough audit records to reach the expiration limit.  

You will notice that nothing gets expired. /var/audit will grow
indefinitely.
Comment 1 Janne Snabb 2010-08-19 16:48:29 UTC
An alternative fix would be to change the filename length check to
the following:

			if (dp->d_namlen < (FILENAME_LEN - 1) ||

In that case the expiration routine would expire also trails without
"host" part after the "host" parameter has been added to audit_control,
and if the "host" parameter has been changed so that it has a
different length than previously.

Up to the maintainer to decide which matching method is better. 
I would probably go with this one instead of my original patch.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
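As an added illustration, not OpenBSM's code and not the reporter's patch: a check that recognises completed trail names by their structure rather than by one exact length, so trails both with and without the ".host" suffix are matched. It assumes OpenBSM's trail-name layout of two 14-digit YYYYmmddHHMMSS timestamps separated by a dot, optionally followed by a dot and the configured host; the POSTFIX_LEN and FILENAME_LEN constants are the example's own, and the sample names are constructed.

```c
/* Added example, not OpenBSM's own code: recognise completed audit trail
 * names with or without the ".host" suffix by structure, not exact length. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POSTFIX_LEN 14                       /* digits in "YYYYmmddHHMMSS" */
#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2) /* "start.stop" plus the NUL */

/* True if the next n bytes of s are all decimal digits (a NUL fails). */
static int is_timestamp(const char *s, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (!isdigit((unsigned char)s[i]))
			return 0;
	return 1;
}

/* Returns 1 for "start.stop" or "start.stop.<host>", where host is the
 * audit_control host (NULL or "" when none is set). Trails written before
 * host was configured still match, as with the relaxed check in comment 1. */
int is_trail_name(const char *name, const char *host)
{
	if (strlen(name) < FILENAME_LEN - 1)     /* shorter than "start.stop" */
		return 0;
	if (!is_timestamp(name, POSTFIX_LEN) || name[POSTFIX_LEN] != '.' ||
	    !is_timestamp(name + POSTFIX_LEN + 1, POSTFIX_LEN))
		return 0;
	const char *rest = name + FILENAME_LEN - 1;
	if (*rest == '\0')
		return 1;                            /* no host part */
	if (*rest != '.' || host == NULL || *host == '\0')
		return 0;
	return strcmp(rest + 1, host) == 0;      /* ".host" must match config */
}

int main(void)
{
	/* Constructed names, as auditd_expire_trails() would see them. */
	const char *names[] = {
		"20100819164003.20100819170000",             /* no host: 1 */
		"20100819164003.20100819170000.192.168.1.1", /* host set: 1 */
		"20100819164003.20100819170000.otherhost",   /* stale host: 0 */
		"20100819164003.2010081917000",              /* too short: 0 */
	};
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-45s %d\n", names[i], is_trail_name(names[i], "192.168.1.1"));
	return 0;
}
```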
Comment 2 Eitan Adler 2017-12-31 07:59:38 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped