>Number: 149806
>Category: bin
>Synopsis: [patch] OpenBSM auditd(8) fails to expire trails if host
>defined
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Janne Snabb <[email protected]>
>Release: FreeBSD 8.1-RELEASE i386
>Organization:
EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.
>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.
This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if "host" parameter has not been defined.
>How-To-Repeat:
Add the following:
host:192.168.1.1
...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).
(Re-)start auditd.
Produce enough audit records to reach the expiration limit.
You will notice that nothing gets expired. /var/audit will grow
indefinitely.
>Fix:
--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist 2009-07-17 14:02:20.000000000
+0000
+++ contrib/openbsm/libauditd/auditd_lib.c 2010-08-19 14:58:52.000000000
+0000
@@ -427,11 +427,12 @@
struct audit_trail *new;
/*
* Quickly filter non-trail files.
*/
- if (dp->d_namlen != (FILENAME_LEN - 1) ||
+ if (dp->d_namlen != (FILENAME_LEN - 1 +
+ (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||
#ifdef DT_REG
dp->d_type != DT_REG ||
#endif
dp->d_name[POSTFIX_LEN] != '.')
continue;
--- auditd_lib.c.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "[email protected]"
