Bug 142334 - stream output mode broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Jason Vas Dias
Reported: 2004-12-08 19:40 EST by Darrian Hale
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-05-19 23:25:53 EDT


Attachments
code from auditd/output.c with comments (2.81 KB, text/plain), 2004-12-08 19:48 EST, Darrian Hale

Description Darrian Hale 2004-12-08 19:40:53 EST
Description of problem:
Stream output mode doesn't work as described in the documentation.

auditd fails to write to the pipe it opens to the command specified in
the audit.conf file, which causes it to suspend execution.

I believe the cause of this bug is misuse of the fd variable in
output.c.  Please see the attached files for a detailed description.

Version-Release number of selected component (if applicable):
laus-0.1-65RHEL3

How reproducible:
Always

Steps to Reproduce:
1. Modify /etc/audit/audit.conf: uncomment the sample stream output
configuration, change the command to /usr/bin/logger, and add the missing
; to the end of the command line.
2. Start auditd

Actual Results:  auditd can't write to the pipe and suspends execution.

Expected Results:  output should be written to the syslog via the
logger command.

Additional info:

#/sbin/auditd -F -ddd
... irrelevant output ...
Debug: write_record: msg_type=256 len=116
Debug: Checking for disk space on /usr/bin/logger, currently XXX
blocks left
Failed to write to log file: Bad file descriptor
Debug: Closing audit log
output error; suspending execution
Comment 1 Darrian Hale 2004-12-08 19:48:24 EST
Created attachment 108163 [details]
code from auditd/output.c with comments
Comment 2 Charlie Bennett 2005-02-01 16:02:20 EST
Many thanks...  will correct.
Comment 3 Charlie Bennett 2005-02-01 16:51:34 EST
--- laus-0.1/auditd/output.c.streamfd   2005-02-01 16:40:25.000000000
-0500
+++ laus-0.1/auditd/output.c    2005-02-01 16:48:06.000000000 -0500
@@ -511,7 +511,7 @@
                if ((fp = popen(out->path, "w")) == NULL)
                        return -1;
                streamfile->pipe = fp;
-               streamfile->fd = -1;
+               streamfile->fd = fileno(fp);
                write_header = 1;
        } else {
                struct stat stb;
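Review bot: `streamfile->fd = fileno(fp)` hands the pipe's descriptor to the same write path that serves a regular log file, so whatever that path does after the write now runs against the pipe too; the strace in comment 6 shows `fsync(5) = -1 EINVAL` straight after the `writev`, which is the normal answer to fsync on a pipe and has to be treated as "nothing to sync" when `streamfile->pipe` is set, not as an output error. Two things to check in the rest of output.c once this lands: any code that used `fd == -1` as the "this is a pipe" test must now test `streamfile->pipe != NULL` instead, and the close path ("Debug: Closing audit log") must go through `pclose(streamfile->pipe)` alone, without also calling `close(streamfile->fd)` on the same descriptor.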

That oughta do it.  I'll test it and get it applied.
Comment 4 Jason Vas Dias 2005-02-24 13:05:11 EST
This bug is now fixed in laus-0.1-67RHEL3, which should be in 
RHEL-3-U5, and which meanwhile can be downloaded from:
   http://people.redhat.com/~jvdias/laus/

Comment 5 Dennis Gregorovic 2005-05-19 23:25:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-219.html
Comment 6 Michael J. Carter 2006-08-09 10:58:36 EDT
I'm still having issues with stream mode. If I run auditd and then type a
command which should generate an audit entry (such as 'cat /etc/shadow' as a
non-priv user), auditd and the command both hang. The command will complete only
after a ^C.

Here's some strace output:

write(1, "No auditing for syscall #302 (ne"..., 46No auditing for syscall #302
(network-config)
) = 46
ioctl(4, 0x800c406a, 0xbfff8d20)        = 0
write(1, "No auditing for syscall #304 (us"..., 44No auditing for syscall #304
(user-message)
) = 44
ioctl(4, 0x800c406a, 0xbfff8d20)        = 0
ioctl(4, 0x4066, 0xbfff8d20)            = 0
ioctl(4, 0x406b, 0xbfff8d20)            = 0
getpid()                                = 4721
time(NULL)                              = 1155135781
write(2, "Debug: ", 7Debug: )                  = 7
write(2, "write_record: msg_type=256 len=1"..., 34write_record: msg_type=256
len=100) = 34
write(2, "\n", 1
)                       = 1
time([1155135781])                      = 1155135781
send(3, "<15>Aug  9 09:03:01 auditd: writ"..., 62, MSG_NOSIGNAL) = 62
rt_sigprocmask(SIG_SETMASK, ~[RTMIN], [], 8) = 0
time([1155135781])                      = 1155135781
statfs("/usr/bin/logger", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096,
f_blocks=2063568, f_bfree=674321, f_bavail=569497, f_files=1048576,
f_ffree=844013, f_fsid={0, 0}, f_namelen=255, f_frsize=0}) = 0
stat64("/usr/bin/logger", {st_mode=S_IFREG|0755, st_size=8032, ...}) = 0
time(NULL)                              = 1155135781
rt_sigprocmask(SIG_SETMASK, ~[RTMIN], ~[KILL STOP RTMIN], 8) = 0
writev(5, [{"%\371\331Dd\0\0\0", 8},
{"\0\0\0\0\0\1\0\0q\22\0\0d\0\0\0%\371\331D\0\0\0\0\0\0\0"..., 100}], 2) = 108
rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN], NULL, 8) = 0
write(2, "Debug: ", 7Debug: )                  = 7
write(2, "calling fsync(), written = 1", 28calling fsync(), written = 1) = 28
write(2, "\n", 1
)                       = 1
time([1155135781])                      = 1155135781
send(3, "<15>Aug  9 09:03:01 auditd: call"..., 56, MSG_NOSIGNAL) = 56
fsync(5)                                = -1 EINVAL (Invalid argument)
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
sched_get_priority_max(SCHED_RR)        = 99
sched_setscheduler(0, SCHED_RR, { 99 }) = 0
read(4,

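The popen() write path that comment 3 fixes and that comment 6's strace exercises, as an added example in C that is not laus code: a small stream writer with the same two fields the hunk touches (`pipe` and `fd`), a flag that either leaves `fd` at -1 (the original bug, which makes writev fail with "Bad file descriptor") or sets it from fileno() (the fix), an fsync step that treats EINVAL on a pipe as "nothing to sync" instead of an output error, and a close that releases the descriptor through pclose() only. The struct and function names are assumptions, as is the reading of the 8-byte header in the strace as a 4-byte timestamp plus a 4-byte length.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>
#include <time.h>
#include <unistd.h>

/* Added example, not laus code. Field names mirror the hunk in comment 3;
 * everything else here is an assumption. */
struct stream_out {
    FILE *pipe;   /* FILE* from popen(); NULL when output is a plain file */
    int   fd;     /* descriptor handed to writev()/fsync() */
};

/* use_fix == 0 reproduces the original bug (fd left at -1);
 * use_fix != 0 applies the fix from comment 3 (fd = fileno(fp)). */
int stream_open(struct stream_out *out, const char *command, int use_fix)
{
    FILE *fp = popen(command, "w");
    if (fp == NULL)
        return -errno;
    out->pipe = fp;
    out->fd = use_fix ? fileno(fp) : -1;
    return 0;
}

/* Write one record in a single writev(): an 8-byte header followed by the
 * payload. Decoding the header as a 4-byte timestamp plus a 4-byte length
 * is my reading of the bytes in comment 6's strace (assumption).
 * Returns bytes written, or -errno (-EBADF while fd is still -1, which is
 * the "Bad file descriptor" in the report). */
ssize_t stream_write_record(struct stream_out *out, const void *payload,
                            size_t len)
{
    uint32_t hdr[2] = { (uint32_t)time(NULL), (uint32_t)len };
    struct iovec iov[2] = {
        { hdr, sizeof hdr },
        { (void *)payload, len },
    };
    ssize_t n = writev(out->fd, iov, 2);
    return n < 0 ? -errno : n;
}

/* fsync() is meaningful for a log file but not for a pipe: Linux answers
 * EINVAL (what comment 6's strace shows; some systems use ENOTSUP). For a
 * pipe that means "nothing to sync", not an error that suspends the daemon. */
int stream_sync(struct stream_out *out)
{
    if (fsync(out->fd) == 0)
        return 0;
    if (out->pipe != NULL && (errno == EINVAL || errno == ENOTSUP))
        return 0;
    return -errno;
}

/* The descriptor belongs to the popen() FILE*: release it with pclose()
 * only, never close(fd) as well. Returns the consumer's wait status
 * (0 for a clean exit) or -errno. */
int stream_close(struct stream_out *out)
{
    int status = pclose(out->pipe);
    out->pipe = NULL;
    out->fd = -1;
    return status == -1 ? -errno : status;
}

/* Stand-alone run: send one constructed record to "od -c" so the framing
 * is visible, first with the bug and then with the fix. */
int main(void)
{
    static const char record[] = "laus stream-output example record"; /* constructed */
    const char *consumer = "od -c";
    int mode;

    for (mode = 0; mode <= 1; mode++) {
        struct stream_out out;
        ssize_t n;

        if (stream_open(&out, consumer, mode) < 0) {
            perror("popen");
            return 1;
        }
        n = stream_write_record(&out, record, sizeof record - 1);
        if (n < 0)
            printf("fd=%d: write failed: %s\n", out.fd, strerror((int)-n));
        else
            printf("fd=%d: wrote %zd bytes, sync=%d\n", out.fd, n,
                   stream_sync(&out));
        stream_close(&out);
    }
    return 0;
}
```

With `use_fix` clear the first run prints the same "Bad file descriptor" the report shows and od sees no input; with it set, od prints the 8-byte header followed by the record, and `stream_sync` returns 0 despite fsync failing on the pipe.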