[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Bad bug in remote logging


There was a bug reported to day that I think merits an email and/or discussion.

audisp-remote does
>               memset (&address, 0, sizeof(address));
>               address.sin_family = htons(AF_INET);
>               address.sin_port = htons(config.local_port);
>               address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as

> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) = 

For some reason the call still succeeds, but a correct invocation would not
call htons on AF_INET.

The reason it succeeds is because there is a matching mistake in auditd. So, what this 
means is that remote logging is not using IPv4, but something else. I committed a 
patch to fix this in trunk:


This would cause new systems and old systems to not be able to talk to one another. 
Regarding RHEL, remote logging has been tech preview, meaning that its alpha code and 
likely buggy but available so you can see where this is heading. So, I think we can 
just change it to be correct. For Fedora, there is no tech preview and everything is 
supported...but it has a short life. However, what the code was doing is clearly 
wrong. So, I am thinking to fix this all the way back to F-13 if I can. Regarding other 
distributions...not sure what the support status is or how they would like to choose 
to solve this. Anyone have any thoughts on this?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]