Bug 149806 - [patch] OpenBSM auditd(8) fails to expire trails if host defined
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 8.1-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2010-08-19 16:40 UTC by Janne Snabb
Modified: 2018-06-11 16:04 UTC

Attachments
auditd_lib.c.diff (530 bytes, patch)
2010-08-19 16:40 UTC, Janne Snabb

Description Janne Snabb 2010-08-19 16:40:03 UTC
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if the "host" parameter has not been defined.

How-To-Repeat: Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).

(Re-)start auditd.

Produce enough audit records to reach the expiration limit.  

You will notice that nothing gets expired. /var/audit will grow
indefinitely.
Comment 1 Janne Snabb 2010-08-19 16:48:29 UTC
An alternative fix would be to change the filename length check to
the following:

			if (dp->d_namlen < (FILENAME_LEN - 1) ||

In that case the expiration routine would also expire trails without
"host" part after the "host" parameter has been added to audit_control,
and if the "host" parameter has been changed so that it has a
different length than previously.

Up to the maintainer to decide which matching method is better. 
I would probably go with this one instead of my original patch.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
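
The length filter discussed in the description and in Comment 1, as an added example that is not code from libauditd or from the attached patch. It assumes trail names of the form YYYYMMDDhhmmss.YYYYMMDDhhmmss with ".<host>" appended when "host" is set; the POSTFIX_LEN and FILENAME_LEN values, the helper names and the sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: "YYYYMMDDhhmmss.YYYYMMDDhhmmss", plus ".<host>" when "host" is set. */
#define POSTFIX_LEN  (sizeof("YYYYMMDDhhmmss") - 1)  /* 14 characters */
#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)         /* 30, includes the NUL */

/* Strict filter: only names of exactly FILENAME_LEN - 1 characters qualify. */
static bool
trail_match_exact(const char *name)
{
	return (strlen(name) == FILENAME_LEN - 1 && name[POSTFIX_LEN] == '.');
}

/* Relaxed filter in the spirit of Comment 1: reject only names that are too short. */
static bool
trail_match_min(const char *name)
{
	return (strlen(name) >= FILENAME_LEN - 1 && name[POSTFIX_LEN] == '.');
}

/* Constructed directory listing, not taken from a real /var/audit. */
static const char *const sample_names[] = {
	"20100819164003.20100819174003",             /* written before "host" was set */
	"20100819174003.20100819184003.192.168.1.1", /* written with host:192.168.1.1 */
	"current",                                   /* too short to be a trail */
};

/* Count how many sample names a filter would hand to the expiration logic. */
static size_t
count_candidates(bool (*match)(const char *))
{
	size_t i, n = 0;

	for (i = 0; i < sizeof(sample_names) / sizeof(sample_names[0]); i++)
		if (match(sample_names[i]))
			n++;
	return (n);
}

int
main(void)
{
	printf("exact: %zu candidate(s), minimum-length: %zu candidate(s)\n",
	    count_candidates(trail_match_exact), count_candidates(trail_match_min));
	return (0);
}
```

Under the strict filter the host-suffixed name is never considered for expiration, while the minimum-length filter considers both trail names regardless of the host suffix length.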
Comment 2 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:38 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped