
has anybody run this recently?

Open airdamien opened this issue 7 years ago • 7 comments

Cannot make it work, and the tests don't pass. AuditIsEnabled always fails with unexpected EOF. I added some printfs to see what's in there; binary.Read should only give that unexpected EOF if what it's reading is empty.

I'm on CentOS 7 minimal, but it doesn't seem to run on almost any Linux 7; I'm about to test a CentOS 6.x machine.

[root@localhost libaudit-go]# go test
mHeaderType 1000
m [0 0 0 0 1 0 0 0 2 0 0 0 0 0 0 0 244 1 0 0 244 1 0 0 134 0 0 0 0 0 0 0 5 0 0 0]
--- FAIL: TestSetters (0.00s)
	libaudit_test.go:192: AuditIsEnabled failed unexpected EOF
	libaudit_test.go:195: AuditIsEnabled returned false
FAIL
exit status 1
FAIL	_/media/psf/code/libaudit-go	0.005s

If I run it without the prints, same result. Just in case you're thinking I'm draining a buffer or something.

[root@localhost libaudit-go]# go test
--- FAIL: TestSetters (0.00s)
	libaudit_test.go:192: AuditIsEnabled failed unexpected EOF
	libaudit_test.go:195: AuditIsEnabled returned false
FAIL
exit status 1
FAIL	_/media/psf/code/libaudit-go	0.007s

// Tail of AuditIsEnabled with the debug prints used above left commented out
// fmt.Println("mHeaderType", m.Header.Type)
// fmt.Println("m", m.Data)

// Convert the response to auditStatus
buf := bytes.NewBuffer(m.Data)
err = binary.Read(buf, nativeEndian(), &status)
if err != nil {
	return false, err
}
if status.Enabled == 1 {
	return true, nil
}
return false, nil

}

airdamien, Apr 12 '17 23:04

Confirmed same behavior on CentOS 6.9.

airdamien, Apr 13 '17 08:04

Hmm, on investigation, m.Data is coming back with len(m.Data) of 32. Changed to this and it's now running:

const (
	AUDIT_STATUS_SIZE = 32 // Size of auditStatus
)

type auditStatus struct {
	Mask         uint32 /* Bit mask for valid entries */
	Enabled      uint32 /* 1 = enabled, 0 = disabled */
	Failure      uint32 /* Failure-to-log action */
	Pid          uint32 /* pid of auditd process */
	RateLimit    uint32 /* messages rate limit (per second) */
	BacklogLimit uint32 /* waiting messages limit */
	Lost         uint32 /* messages lost */
	Backlog      uint32 /* messages waiting in queue */
	// Version         uint32 /* audit api version number */
	// BacklogWaitTime uint32 /* message queue wait timeout */
}

airdamien, Apr 13 '17 09:04

Hi,

We have tested the library on Ubuntu 14-16 and it works on these platforms (though ideally it should be supported by every Linux platform that has audit capability). I was just trying the lib out on CentOS 7 and it didn't work. I got a clue from your comment that after changing the size of auditStatus it worked (initially it was 40, which you changed to 32). According to recent mailing list conversations: https://www.redhat.com/archives/linux-audit/2014-March/msg00039.html, the audit_status structure has been modified to add two extra fields, which leads to the updated size of 40. CentOS 7 comes with kernel version 3.10, which I think still has the older audit_status struct with fewer fields. However, the platforms we tested with all have kernel versions above 3.13, so IMO that's why the lib didn't work for you the first time. I think auditd deals with it somewhere in their code, which is why their code works (the above mailing list discussion suggests a way to deal with it, which we can try to apply in our code).

arunk-s, Apr 13 '17 11:04
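The length-tolerant decoding the comment above points at, written out as an added example that is not the library's code: the eight-field, 32-byte audit_status is treated as the common prefix shared by every kernel, and Version / BacklogWaitTime are read only when the reply is at least 40 bytes, with a flag recording whether they were present. The type and function names, the nativeEndian stand-in, and the sample payloads (built by encodeStatus from made-up values) are assumptions for this illustration; a real caller would pass the payload of an AUDIT_GET netlink reply in place of them.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"unsafe"
)

// auditStatusBase is the eight-field audit_status layout older kernels (such
// as the 3.10 kernel in the thread) return: 8 * 4 = 32 bytes.
type auditStatusBase struct {
	Mask, Enabled, Failure, Pid            uint32 // mask, 1/0 enabled, failure action, auditd pid
	RateLimit, BacklogLimit, Lost, Backlog uint32 // rate limit, backlog limit, lost, queued
}

// auditStatusExt holds the two fields newer kernels append (40 bytes total).
type auditStatusExt struct {
	Version, BacklogWaitTime uint32
}

// auditStatus is the decoded result; HasExt says whether Version and
// BacklogWaitTime were actually sent, so zero values are not mistaken for real ones.
type auditStatus struct {
	auditStatusBase
	auditStatusExt
	HasExt bool
}

var (
	baseSize = binary.Size(auditStatusBase{})           // 32, derived, not hardcoded
	extSize  = baseSize + binary.Size(auditStatusExt{}) // 40
)

// nativeEndian reports the host byte order, which the kernel uses for netlink
// payloads. Local stand-in for the helper the thread's snippet calls.
func nativeEndian() binary.ByteOrder {
	var probe uint16 = 0x0102
	if *(*byte)(unsafe.Pointer(&probe)) == 0x01 {
		return binary.BigEndian
	}
	return binary.LittleEndian
}

// decodeAuditStatus accepts any payload of at least the 32-byte prefix, reads
// the extra fields only when present, and ignores bytes beyond the known 40
// (a future kernel adding fields) instead of failing.
func decodeAuditStatus(data []byte, order binary.ByteOrder) (auditStatus, error) {
	var s auditStatus
	if len(data) < baseSize {
		return s, fmt.Errorf("audit_status payload is %d bytes, need at least %d", len(data), baseSize)
	}
	r := bytes.NewReader(data)
	if err := binary.Read(r, order, &s.auditStatusBase); err != nil {
		return s, err
	}
	if len(data) >= extSize {
		if err := binary.Read(r, order, &s.auditStatusExt); err != nil {
			return s, err
		}
		s.HasExt = true
	}
	return s, nil
}

// auditIsEnabled is the check the thread's AuditIsEnabled makes, on top of the decoder.
func auditIsEnabled(data []byte, order binary.ByteOrder) (bool, error) {
	s, err := decodeAuditStatus(data, order)
	if err != nil {
		return false, err
	}
	return s.Enabled == 1, nil
}

// encodeStatus builds a constructed payload from uint32 fields in kernel order,
// so the example runs without a netlink socket.
func encodeStatus(order binary.ByteOrder, fields ...uint32) []byte {
	buf := make([]byte, 4*len(fields))
	for i, f := range fields {
		order.PutUint32(buf[4*i:], f)
	}
	return buf
}

// samplePayloads returns constructed replies (made-up values): the two lengths
// seen in the thread, a hypothetical longer one, and a truncated one.
func samplePayloads(order binary.ByteOrder) map[string][]byte {
	return map[string][]byte{
		"old":    encodeStatus(order, 0, 1, 1, 1234, 0, 8192, 0, 3),           // 32 bytes
		"new":    encodeStatus(order, 0, 1, 1, 1234, 0, 8192, 0, 3, 2, 60000), // 40 bytes
		"future": encodeStatus(order, 0, 0, 1, 0, 0, 8192, 0, 0, 3, 60000, 7), // 44 bytes
		"short":  encodeStatus(order, 0, 1, 1, 1234, 0),                       // 20 bytes
	}
}

func main() {
	order := nativeEndian()
	for _, name := range []string{"old", "new", "future", "short"} {
		data := samplePayloads(order)[name]
		s, err := decodeAuditStatus(data, order)
		if err != nil {
			fmt.Printf("%-6s %2d bytes: %v\n", name, len(data), err)
			continue
		}
		fmt.Printf("%-6s %2d bytes: enabled=%d pid=%d ext=%t version=%d\n",
			name, len(data), s.Enabled, s.Pid, s.HasExt, s.Version)
	}
}
```

Deriving the sizes from binary.Size rather than hardcoding 32 and 40 keeps the check in step with the struct definitions, and the explicit length test gives a readable error instead of the bare unexpected EOF that started the thread.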

const ( AUDIT_STATUS_SIZE = 32 // Size of auditStatus AUDIT_STATUS_EXT_SIZE = 40 // Size of auditStatus

)

BacklogLimit    uint32 /* waiting messages limit */
Lost            uint32 /* messages lost */
Backlog         uint32 /* messages waiting in queue */

-// Version uint32 /* audit api version number / -// BacklogWaitTime uint32 / message queue wait timeout */ }

+type auditStatusExt struct {

  • Mask uint32 /* Bit mask for valid entries */
  • Enabled uint32 /* 1 = enabled, 0 = disabled */
  • Failure uint32 /* Failure-to-log action */
  • Pid uint32 /* pid of auditd process */
  • RateLimit uint32 /* messages rate limit (per second) */
  • BacklogLimit uint32 /* waiting messages limit */
  • Lost uint32 /* messages lost */
  • Backlog uint32 /* messages waiting in queue */
  • Version uint32 /* audit api version number */
  • BacklogWaitTime uint32 /* message queue wait timeout */ +}
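Review bot: the struct hunk drops Version and BacklogWaitTime from auditStatus and then repeats all eight leading fields in auditStatusExt; since the 40-byte layout is the 32-byte one with two fields appended, a struct for the common prefix plus a two-field struct for the extension (decoded only when len(m.Data) allows) avoids the duplication and the second size constant. Both new constants also carry the same comment, "Size of auditStatus"; the second should say it is the extended layout.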
if len(m.Data) == 32 {
	fmt.Println("32")
	buf := bytes.NewBuffer(m.Data)
	err = binary.Read(buf, nativeEndian(), &status)
	if err != nil {
		return false, err
	}
	if status.Enabled == 1 {
		return true, nil
	} else {
		return false, nil
	}

} 
fmt.Println("40")
buf := bytes.NewBuffer(m.Data)
err = binary.Read(buf, nativeEndian(), &statusExt)
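Review bot: the 40-byte path at the end of the hunk reads into statusExt but, as posted, stops there without checking statusExt.Enabled or returning, so the function has no result for the extended case; mirror the `if status.Enabled == 1` check from the 32-byte branch, or decode the common prefix once and check Enabled in a single place. Lengths other than 32 and 40 are also not handled: a shorter reply still fails with unexpected EOF from binary.Read, and a longer one from a future kernel is silently read as the 40-byte layout, so compare len(m.Data) against the struct size explicitly and report the length in the error. The `fmt.Println("32")` and `fmt.Println("40")` debug prints should not ship.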

airdamien, Apr 13 '17 11:04

This looks like a very crude way to deal with it (if the size changes again, we'll be adding another if clause), but if it works for you, go ahead.

arunk-s, Apr 13 '17 11:04

Oh it's crude

airdamien, Apr 13 '17 12:04

It doesn't work on Ubuntu 14 with kernel 3.13.0-119-generic, so I solved my problem in a more crude way.

+       if 4*8 == len(m.Data) {
+               m.Data = append(m.Data, 0, 0, 0, 0, 0, 0, 0, 0)
+       }
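Review bot: padding a 32-byte reply with eight zero bytes makes binary.Read into the 40-byte struct succeed, but it fabricates Version = 0 and BacklogWaitTime = 0 as if the kernel had reported them, and a caller can no longer tell a kernel that sent nothing from one that sent zeros. It also handles only the exact length 32; any other short or long reply still hits unexpected EOF or is mis-parsed. Prefer checking len(m.Data) against the size of the eight-field prefix, decoding the two extra fields only when at least 40 bytes are present, and recording whether they were. A named constant for the prefix size would also read better than `4*8`.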

rexrock, Jul 13 '17 01:07