Events Delayed in Example audisp Plugin
Steve Grubb
sgrubb at redhat.com
Sun Apr 7 08:24:49 UTC 2019
On Fri, 5 Apr 2019 11:35:03 -0700
Lukas Rupprecht <lukas.l.rupprecht at gmail.com> wrote:
> Hi All,
>
> I'm, having problems with the example audisp plugin from
> https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c
> as sometimes, events seem to be delayed.
It is always helpful to list which version of user space you have so
that if I know of any bug fixes, I can point you to that. That said,
there is a pending pull request that I am thinking to accept but
haven't yet that may solve your problem. It is against the example
code. See https://github.com/linux-audit/audit-userspace/pull/83/files
It has to do with mixing raw and stdio which the latter is buffered.
Let me know if that fixes your problem.
Best Regards,
-Steve
>The scenario is as follows:
>
> My audit rules are tracking clone, execve,setpgid, and exit_group
> calls and I changed the example plugin to just dump records in
> handle_event using the following code:
>
> static void handle_event(auparse_state_t *au, auparse_cb_event_t
> cb_event_type, void *user_data) {
> int type, num = 0;
>
> if (cb_event_type != AUPARSE_CB_EVENT_READY)
> return;
>
> while (auparse_goto_record_num(au, num) > 0) {
> type = auparse_get_type(au);
>
> // dump whole record
> printf("%s: %s\n",
> audit_msg_type_to_name(auparse_get_type(au)),
> auparse_get_record_text(au));
>
> num++;
> }
> }
>
> When running a simple 'cat' command, I should see events for (in that
> order) clone, execve, setpgid, setpgid, exit_group. However, the
> plugin is only printing the first four events but not the exit_group.
> The event is printed eventually, but only, if there has been other
> system activity that triggered new, unrelated events (for example,
> another clone).
>
> I added some instrumentation and found that, when the exit_group
> event arrives, fgets_unlocked (line 125) does read the SYSCALL record
> for exit_group but is missing the corresponding EOE record. A
> possible explanation could be that, when select unblocks,
> fgets_unlocked only reads a single line from stdin while the
> remaining data is buffered. Hence, when select is called the next
> time, it does not detect any activity on the file descriptor and
> blocks, and the buffered data is only read once select unblocks due
> to a new event.
>
> To test this, I replaced the call to fgets_unlocked by a read call to
> consume all available bytes on stdin. The new code looks as follows
> (replacing lines 123-130 in audisp-example.c):
>
> /* Now the event loop */
> if (!stop && !hup && retval > 0) {
> ssize_t bytesRead = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
> if (bytesRead > 0) {
> // this is just for printf
> tmp[bytesRead] = '\0';
> printf("Read %d bytes from socket: %s", bytesRead, tmp);
>
> auparse_feed(au, tmp, bytesRead);
> }
> }
>
> Using this code, I can now see the EOE record for the corresponding
> exit_group SYSCALL record being read when the event arrives (I can
> see it printed by the printf in the event loop). However, the problem
> is that it is still not processed in handle_event until a new,
> unrelated event arrives, i.e. it is not printed immediately in
> handle_event. It should have been feed to the parser though as part
> of the last read. Could this be a bug or am I missing something? I
> tried this for versions 2.8.1 and 2.8.5.
>
> Thanks for any help in advance!
> Lukas
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list