Bug #5913

closed

audit_syslog is noisy when it discards messages

Added by Steven Williamson about 9 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: cmd - userland programs
Start date: 2015-05-07
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
External Bug:

Description

The audit_syslog(5) plugin does not parse all events correctly. This results in not logging the event if configured to do so and spams the log for each failed parse.

Example log message:

2015-05-07T13:33:00+00:00 standard1-dev root: [ID 702911 daemon.alert] The audit daemon has experienced the following problem with loading or executing plugins: /usr/lib/security/audit_syslog.so: load_error Unable to parse audit record This message has been displayed 2443 times.

Compiling the module with DEBUG set, the code creates a file /var/audit/dump with some extra information, a snippet of which is below:

syslog: parse failed for buffer 154073
syslog tossed (event=23) buffer 154074
syslog: parse failed for buffer 154074
syslog tossed (event=23) buffer 154075
syslog: parse failed for buffer 154075
syslog tossed (event=23) buffer 154076
syslog: parse failed for buffer 154076
syslog tossed (event=23) buffer 154077
syslog: parse failed for buffer 154077

Event 23 is "23:AUE_EXECVE:execve(2)". Not all events are affected; I have seen events for cron correctly parsed and appearing in syslog's log files.

Actions #1

Updated by Matt Barden over 1 year ago

  • Subject changed from audit_syslog does not correctly parse exec events and spams the log file as a result. to audit_syslog is noisy when it discards messages
  • Status changed from New to In Progress
  • Assignee set to Matt Barden
  • Priority changed from High to Normal

The bug here is that filter() returns an enum 'auditd_rc_t' that the compiler decides is unsigned. However, when filter() 'tosses' a record due to it not matching its configured preselection flags, it returns '-1' to indicate that (instead of an enum value). The caller checks for 'rc > 0' to exclude that case from generating noise in syslog. However, since the return value is unsigned, it still triggers this case, and so the error message is generated.
'load_error' means the plugin returned INTERNAL_LOAD_ERROR (http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/auditd/doorway.c?r=d6beba26#176), which is defined as -1.

The solution here is to add a new value to the enum to indicate the discard case, and have the caller check for that.

Tested by generating records with audit_syslog enabled, and verifying that it prints messages to syslog when that record belongs to a class in its preselection flags, and doesn't generate noise when it does not.
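The signedness problem described in this comment, as an added C example that is not the illumos code: the enumerator names, the record layout and the preselection mask are assumptions, and the sample records are constructed. Before the fix, the -1 "tossed" result is stored in an enum the compiler treats as unsigned, so the caller's `rc > 0` check counts every discarded record as a load error; after the fix, the discard case has its own enumerator and the caller tests for it.

```c
#include <stddef.h>

/* Stand-in for auditd_rc_t (names assumed, not the illumos definitions).
 * Every enumerator is non-negative, so GCC and Clang make the enum unsigned. */
typedef enum { AUDITD_SUCCESS = 0, AUDITD_NO_MEMORY, AUDITD_DISCARD } auditd_rc_t;

struct record { unsigned int mask; int event; };	/* constructed layout */
#define	PRESELECT_MASK	0x2u	/* classes the plugin is configured to log */
/* Constructed batch: three records outside the preselection, two inside;
 * event 23 is AUE_EXECVE as in the report. */
static const struct record SAMPLE[] = {
	{ 0x1u, 23 }, { 0x2u, 1 }, { 0x1u, 23 }, { 0x1u, 23 }, { 0x2u, 1 }
};
#define	NSAMPLE	(sizeof (SAMPLE) / sizeof (SAMPLE[0]))

/* Before the fix: "not in my preselection" is signalled with -1. */
static auditd_rc_t filter_before(const struct record *r) {
	return ((r->mask & PRESELECT_MASK) == 0 ? -1 : AUDITD_SUCCESS);
}
/* After the fix: the discard case has its own enumerator. */
static auditd_rc_t filter_after(const struct record *r) {
	return ((r->mask & PRESELECT_MASK) == 0 ? AUDITD_DISCARD : AUDITD_SUCCESS);
}

/* 1 when -1 stored in the enum compares greater than zero. */
int enum_is_unsigned(void) {
	auditd_rc_t rc = -1;
	return (rc > 0);
}

/* Caller as in the bug: any rc > 0 is reported as a load error, so every
 * discarded record is counted here whenever the enum is unsigned. */
int spurious_errors_before(void) {
	int errors = 0;
	for (size_t i = 0; i < NSAMPLE; i++)
		if (filter_before(&SAMPLE[i]) > 0)
			errors++;
	return (errors);
}

/* Caller after the fix: discards are skipped; only real failures count. */
int errors_after(int *discarded) {
	int errors = 0;
	*discarded = 0;
	for (size_t i = 0; i < NSAMPLE; i++) {
		auditd_rc_t rc = filter_after(&SAMPLE[i]);
		if (rc == AUDITD_DISCARD)
			(*discarded)++;
		else if (rc != AUDITD_SUCCESS)
			errors++;
	}
	return (errors);
}
```

On a compiler that gives the enum a signed type the "before" caller happens to stay quiet, which is why the bug depended on the compiler's choice rather than on the code's stated intent.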

Actions #2

Updated by Electric Monk over 1 year ago

  • Gerrit CR set to 2407

Actions #3

Updated by Electric Monk over 1 year ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 430fb0518974971393f591123b410c866df1855a

commit  430fb0518974971393f591123b410c866df1855a
Author: Andy Giles <andy@tegile.com>
Date:   2022-10-06T21:34:11.000Z

    5913 audit_syslog is noisy when it discards messages
    Reviewed by: Aditya Agnihotri <aagnihotri@tintri.com>
    Reviewed by: Matt Barden <mbarden@tintri.com>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Reviewed by: Marco van Wieringen <mvw@planets.elm.net>
    Reviewed by: Gergő Mihály Doma <domag02@gmail.com>
    Approved by: Dan McDonald <danmcd@mnx.io>
