Bug #5913: audit_syslog does not correctly parse exec events and spams the log file as a result. - illumos gate - illumos

Bug #5913

audit_syslog does not correctly parse exec events and spams the log file as a result.

Added by Steven Williamson almost 5 years ago.

Status:

New

Priority:

High

Assignee:

Category:

cmd - userland programs

Start date:

2015-05-07

Due date:

% Done:

Estimated time:

Difficulty:

Medium

Tags:

needs-triage

Description

The audit_syslog(5) plugin does not parse all events correctly. This results in not logging the event if configured to do so and spams the log for each failed parse.

Example log message:

2015-05-07T13:33:00+00:00 standard1-dev root: [ID 702911 daemon.alert] The audit daemon has experienced the following problem with loading or executing plugins: /usr/lib/security/audit_syslog.so: load_error Unable to parse audit record This message has been displayed 2443 times.

Compiling the module with DEBUG set, the code creates a file /var/audit/dump with some extra information, a snippet of which is below:
syslog: parse failed for buffer 154073
syslog tossed (event=23) buffer 154074
syslog: parse failed for buffer 154074
syslog tossed (event=23) buffer 154075
syslog: parse failed for buffer 154075
syslog tossed (event=23) buffer 154076
syslog: parse failed for buffer 154076
syslog tossed (event=23) buffer 154077
syslog: parse failed for buffer 154077

Event 23 is "23:AUE_EXECVE:execve(2)". Not all events are affected I have seen events for cron correctly parsed and appear in syslog's log files.

Also available in: Atom PDF

Project

General

Profile

illumos gate

Issues

Custom queries

Bug #5913

audit_syslog does not correctly parse exec events and spams the log file as a result.