We've run into a problem where the audit_warn(5) script /etc/security/audit_warn is called endlessly in a loop if it takes longer than 0.87s to execute.
echo "sleep 1" >> /etc/security/audit_warn
and restart/hup the appropriate services.
For information: This bug still exists with 12.0-RELEASE-p3 and 13-CURRENT r346594.
Complete reproduction example: (this will overwrite /etc/security/audit_warn)
# cat << 'EOF' > /etc/security/audit_warn
#!/bin/sh
# audit_warn(5) hook: report the warning, then take longer than 1s,
# which is enough to trigger the repeated invocation described above.
# (The heredoc delimiter is quoted so "$@" reaches the script intact.)
echo "audit warning: $@" | wall
sleep 1
EOF
# audit -n
expected behaviour: For the script to be executed once
actual behaviour: script is repeatedly executed, seemingly forever.
Remove "sleep 1" from the above script and it's called exactly once.
Real-world case: actions performed by this script take more than 1s to do their thing, and end up being called repeatedly for the same message.
I've found the commit which introduced the bug, and created a ticket with OpenBSM upstream: https://github.com/openbsm/openbsm/issues/52
I have proposed a solution on upstream Github, so I might as well take the FreeBSD PR.
Fixed upstream in https://github.com/openbsm/openbsm/pull/45 by Alan. I don’t know if we’ve imported that version of OpenBSM into base yet.
Better Nate than Lever.
A commit references this bug:
Date: Thu Nov 28 00:46:03 UTC 2019
New revision: 355155
auditd(8): fix long-standing uninitialized memory use bug
The bogus use could lead to an infinite loop depending on how fast the
audit_warn script executes.
By fixing read(2) interruptibility, d060887 (r335899) revealed another bug
in auditd_wait_for_events. When read is interrupted by SIGCHLD,
auditd_reap_children will always return with errno set to ECHILD. But
auditd_wait_for_events checks errno after that point, expecting it to be
unchanged since read. As a result, it calls auditd_handle_trigger with bogus
stack garbage. The result is the error message "Got unknown trigger 48." Fix
by simply ignoring errno at that point; there's only one value it could've
possibly had, thanks to the check up above.
The best part is we've had a fix for this for like 18 months and just never
merged it. Merge it now.
Reported by: Marie Helene Kvello-Aune <freebsd AT mhka.no> (2018-12)
Submitted by: asomers (2018-07)
Reviewed by: me (in OpenBSM)
Obtained from: OpenBSM
Differential Revision: https://github.com/openbsm/openbsm/pull/45
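The following is an added C model of the failure the commit message describes, placed here for readers of this PR; it is not OpenBSM's or FreeBSD's code, and every name in it (wait_for_trigger_buggy, wait_for_trigger_fixed, reap_children, run_scenario, the trigger values) is invented for the demonstration. A child process exits while the parent is blocked in read() on a pipe standing in for the trigger fd, the reaper's final waitpid() fails with ECHILD and overwrites errno, and the pre-fix "errno == EINTR" test then fails, so the loop falls through and hands back a byte that was never read. The value 48 is a sentinel chosen to match the "unknown trigger 48" message rather than real uninitialised memory, so the run is deterministic; a timer later writes a constructed trigger so the corrected loop has something to return.

```c
/* Added model of the errno clobbering described in r355155; not OpenBSM code.
 * All names are invented for the demonstration. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_GARBAGE 48  /* stand-in for the uninitialised byte ("unknown trigger 48") */
#define REAL_TRIGGER  1   /* constructed trigger value a legitimate writer would send */

static int trigger_wfd = -1;                   /* write end of the trigger pipe */

static void on_sigchld(int sig) { (void)sig; } /* exists only to interrupt read() */

/* SIGALRM handler (installed with SA_RESTART): puts a real trigger on the pipe
 * so the fixed loop has something to return when it retries. Saves/restores errno. */
static void on_sigalrm(int sig)
{
    int saved = errno;
    unsigned char t = REAL_TRIGGER;
    ssize_t w;
    (void)sig;
    w = write(trigger_wfd, &t, 1);
    (void)w;                         /* nothing sensible to do about failure in a handler */
    errno = saved;
}

/* Like auditd_reap_children(): reaps until waitpid() fails; with no children
 * left that failure is ECHILD, which overwrites whatever errno held before. */
static void reap_children(void)
{
    while (waitpid(-1, NULL, WNOHANG) > 0)
        ;
}

/* Pre-fix shape of auditd_wait_for_events() as the commit describes it. */
static int wait_for_trigger_buggy(int fd)
{
    unsigned char trigger = STACK_GARBAGE;      /* never initialised in the real daemon */
    for (;;) {
        ssize_t n = read(fd, &trigger, 1);
        if (n == -1 && errno != EINTR) return -1;  /* genuine read error */
        if (n == -1) reap_children();              /* errno is now ECHILD, not EINTR */
        if (n == -1 && errno == EINTR) continue;   /* meant "interrupted, retry"... */
        if (n == 0) return -1;                     /* EOF on the trigger fd */
        return trigger;                            /* ...but falls through with garbage */
    }
}

/* Post-fix shape: after the first check, n == -1 can only mean EINTR, so
 * errno is not consulted again once the reaper has run. */
static int wait_for_trigger_fixed(int fd)
{
    unsigned char trigger;
    for (;;) {
        ssize_t n = read(fd, &trigger, 1);
        if (n == -1 && errno != EINTR) return -1;
        if (n == -1) { reap_children(); continue; }
        if (n == 0) return -1;
        return trigger;
    }
}

/* One run: the parent blocks in read() on a pipe; a child exits after 30 ms
 * (SIGCHLD without SA_RESTART, so read() returns EINTR); a 300 ms timer then
 * writes REAL_TRIGGER. Returns whatever the chosen loop returned. */
static int run_scenario(int use_fixed)
{
    int fds[2], result;
    struct sigaction sa;
    struct itimerval it;
    pid_t pid;

    if (pipe(fds) != 0) return -2;
    trigger_wfd = fds[1];               /* keep the write end open: no EOF, only EINTR */

    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_sigchld;
    sa.sa_flags = 0;                    /* no SA_RESTART: read() sees EINTR */
    sigaction(SIGCHLD, &sa, NULL);
    sa.sa_handler = on_sigalrm;
    sa.sa_flags = SA_RESTART;           /* the trigger write must not itself cause EINTR */
    sigaction(SIGALRM, &sa, NULL);

    pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) { usleep(30 * 1000); _exit(0); }   /* stands in for the audit_warn child */

    memset(&it, 0, sizeof it);
    it.it_value.tv_usec = 300 * 1000;
    setitimer(ITIMER_REAL, &it, NULL);

    result = use_fixed ? wait_for_trigger_fixed(fds[0]) : wait_for_trigger_buggy(fds[0]);

    memset(&it, 0, sizeof it);
    setitimer(ITIMER_REAL, &it, NULL);  /* cancel the timer if it is still pending */
    reap_children();
    close(fds[0]);
    close(fds[1]);
    trigger_wfd = -1;
    return result;
}

int main(void)
{
    printf("buggy loop returned %d (garbage sentinel is %d)\n", run_scenario(0), STACK_GARBAGE);
    printf("fixed loop returned %d (real trigger is %d)\n", run_scenario(1), REAL_TRIGGER);
    return 0;
}
```

The point to take away is the same one the commit makes: errno is only meaningful immediately after the call that set it, and any intervening call (here waitpid(2) inside the reaper) may replace it. Either act on the return value you already checked, as the fix does, or save errno before calling anything else.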