From snabb@tiktik.epipe.com  Thu Aug 19 15:35:10 2010
Return-Path: <snabb@tiktik.epipe.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AFA311065670
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Aug 2010 15:35:10 +0000 (UTC)
	(envelope-from snabb@tiktik.epipe.com)
Received: from tiktik.epipe.com (tiktik.epipe.com [IPv6:2001:470:8940:10::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 49E868FC18
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Aug 2010 15:35:10 +0000 (UTC)
Received: from tiktik.epipe.com (localhost [127.0.0.1])
	by tiktik.epipe.com (8.14.4/8.14.4) with ESMTP id o7JFZ6h9011136
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 19 Aug 2010 15:35:09 GMT
	(envelope-from snabb@tiktik.epipe.com)
Received: (from snabb@localhost)
	by tiktik.epipe.com (8.14.4/8.14.4/Submit) id o7JFZ63L010843;
	Thu, 19 Aug 2010 15:35:06 GMT
	(envelope-from snabb)
Message-Id: <201008191535.o7JFZ63L010843@tiktik.epipe.com>
Date: Thu, 19 Aug 2010 15:35:06 GMT
From: Janne Snabb <snabb@epipe.com>
Reply-To: Janne Snabb <snabb@epipe.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] OpenBSM auditd(8) fails to expire trails if host defined
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         149806
>Category:       bin
>Synopsis:       [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 15:40:03 UTC 2010
>Closed-Date:    
>Last-Modified:  Thu Aug 19 15:50:03 UTC 2010
>Originator:     Janne Snabb <snabb@epipe.com>
>Release:        FreeBSD 8.1-RELEASE i386
>Organization:
EPIPE Communications
>Environment:
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.

>Description:
OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if the "host" parameter has not been defined.

>How-To-Repeat:
Add the following:

host:192.168.1.1

...in /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).

(Re-)start auditd.

Produce enough audit records to reach the expiration limit.  

You will notice that nothing gets expired. /var/audit will grow
indefinitely.

>Fix:

--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist	2009-07-17 14:02:20.000000000 +0000
+++ contrib/openbsm/libauditd/auditd_lib.c	2010-08-19 14:58:52.000000000 +0000
@@ -427,11 +427,12 @@
 			struct audit_trail *new;
 
 			/*
 			 * Quickly filter non-trail files.
 			 */
-			if (dp->d_namlen != (FILENAME_LEN - 1) ||
+			if (dp->d_namlen != (FILENAME_LEN - 1 +
+			    (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||
 #ifdef DT_REG
 			    dp->d_type != DT_REG || 
 #endif
 			    dp->d_name[POSTFIX_LEN] != '.')
 				continue;
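Review bot: the new length test in `if (dp->d_namlen != (FILENAME_LEN - 1 +` / `(auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||` requires an exact match against the `auditd_hostlen` in effect when expiration runs, so trails written before "host" was configured, or under a host value of a different length, are filtered out and never expired, and /var/audit keeps growing for those files. Consider a minimum-length test, `dp->d_namlen < (FILENAME_LEN - 1)`, in combination with the existing `dp->d_name[POSTFIX_LEN] != '.'` check, or add a comment stating that only trails written under the current host setting are eligible for expiry. A short comment on why -1 means "no host configured" would also help readers of this condition.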
--- auditd_lib.c.diff ends here ---


>Release-Note:
>Audit-Trail:

From: Janne Snabb <snabb@epipe.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if
 host defined
Date: Thu, 19 Aug 2010 15:48:29 +0000 (UTC)

 An alternative fix would be to change the filename length check to
 the following:
 
 			if (dp->d_namlen < (FILENAME_LEN - 1) ||
 
 In that case the expiration routine would also expire trails without the
 "host" part after the "host" parameter has been added to audit_control,
 and if the "host" parameter has been changed so that it has a
 different length than previously.
 
 Up to the maintainer to decide which matching method is better. 
 I would probably go with this one instead of my original patch.
 
 --
 Janne Snabb / EPIPE Communications
 snabb@epipe.com - http://epipe.com/
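Added illustration (not part of this PR or of OpenBSM's own code): a C model of the three versions of the "quickly filter non-trail files" check, the exact-length test the Description reports as broken, the submitted patch, and the minimum-length alternative proposed in this follow-up, run over a constructed /var/audit listing. The POSTFIX_LEN and FILENAME_LEN values, the "start.stop[.host]" name layout and the hostlen argument standing in for auditd_hostlen are assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Assumed values (not OpenBSM's headers): a "YYYYMMDDhhmmss" timestamp is
 * 14 bytes and FILENAME_LEN covers "start.stop" plus the terminating NUL. */
#define POSTFIX_LEN	14
#define FILENAME_LEN	((POSTFIX_LEN * 2) + 2)

enum filter { FILTER_ORIGINAL, FILTER_PATCH, FILTER_ALTERNATIVE };
/* Model of the "quickly filter non-trail files" test.  hostlen stands in for
 * auditd_hostlen (-1 when no "host" is configured, else its length); trail
 * names are assumed to look like "start.stop" or "start.stop.host". */
static bool
is_trail_candidate(const char *name, int hostlen, enum filter variant)
{
	size_t namlen = strlen(name);
	size_t want = FILENAME_LEN - 1;	/* "start.stop" without the NUL */
	bool len_ok;
	switch (variant) {
	case FILTER_ORIGINAL:	/* exact length: any host suffix fails */
		len_ok = namlen == want;
		break;
	case FILTER_PATCH:	/* exact length including ".host" if set */
		len_ok = namlen == want + (hostlen == -1 ? 0 : hostlen + 1);
		break;
	default:		/* FILTER_ALTERNATIVE: minimum length only */
		len_ok = namlen >= want;
		break;
	}
	/* Unchanged part of the check: a dot right after the first timestamp
	 * (len_ok already guarantees the index is in bounds). */
	return len_ok && name[POSTFIX_LEN] == '.';
}
/* Constructed /var/audit listing: a trail written before "host" was set, one
 * under host 192.168.1.1, one under a shorter host, and the "current" link. */
static const char *const listing[] = {
	"20100819153506.20100819160000",
	"20100819160000.20100819163000.192.168.1.1",
	"20100819163000.20100819170000.10.0.0.1",
	"current",
};
#define NLISTING (sizeof(listing) / sizeof(listing[0]))
/* How many listing entries a variant would consider for expiry. */
static int count_candidates(int hostlen, enum filter variant)
{
	int count = 0;
	for (size_t i = 0; i < NLISTING; i++)
		if (is_trail_candidate(listing[i], hostlen, variant))
			count++;
	return count;
}
```

With host:192.168.1.1 (length 11) configured, count_candidates() returns 1 for the original check and for the patch but 3 for the alternative, which is exactly the difference in coverage this follow-up describes.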
>Unformatted:
