<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Hi Steve,</div><div class=""><br class=""></div><div class="">Thank you for the quick response and pointing me to the patch. Regarding versions, I saw the problem on both audit-userspace 2.8.1 (the version I was on initially) and 2.8.5.</div><div class=""><br class=""></div><div class="">I applied the changes from the patch but unfortunately, it is still not working as expected. The problem is that the patch sets stdin to O_NONBLOCK, which means that read will return 0 if no data is available and this causes the plugin to exit due to the new EOF check in line 133. As a result, I saw a lot of "audispd: plugin audisp-example terminated unexpectedly" in syslog.</div><div class=""><br class=""></div><div class="">I adapted the patch and removed the read while loop and added an extra auparse_flush_feed after every read (see patch below) and that seems to fix the problem. In particular, I think the extra flush causes the EOE record to be pushed to the parser. I am not sure if this is the best way and if the extra flush may have any implications so if you have any feedback, that would be great.</div><div class=""><br class=""></div><div class="">Best,</div><div class="">Lukas</div><div class=""><br class=""></div><div class="">diff --git a/contrib/plugin/audisp-example.c b/contrib/plugin/audisp-example.c</div><div class="">index 3fe845a..e44bab7 100644</div><div class="">--- a/contrib/plugin/audisp-example.c</div><div class="">+++ b/contrib/plugin/audisp-example.c</div><div class="">@@ -42,6 +42,7 @@</div><div class=""> #include <string.h></div><div class=""> #include <sys/select.h></div><div class=""> #include <errno.h></div><div class="">+#include <unistd.h></div><div class=""> #include "libaudit.h"</div><div class=""> #include "auparse.h"</div><div class=""> </div><div class="">@@ -77,7 +78,7 @@ static void reload_config(void)</div><div class=""> </div><div class=""> int main(int argc, char *argv[])</div><div class=""> {</div><div class="">- char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];</div><div class="">+ char tmp[MAX_AUDIT_MESSAGE_LENGTH];</div><div class=""> struct sigaction sa;</div><div class=""> </div><div class=""> /* Register sighandlers */</div><div class="">@@ -100,6 +101,7 @@ int main(int argc, char *argv[])</div><div class=""> fd_set read_mask;</div><div class=""> struct timeval tv;</div><div class=""> int retval = -1;</div><div class="">+ int read_size = 0;</div><div class=""> </div><div class=""> /* Load configuration */</div><div class=""> if (hup) {</div><div class="">@@ -121,14 +123,17 @@ int main(int argc, char *argv[])</div><div class=""> } while (retval == -1 && errno == EINTR && !hup && !stop);</div><div class=""> </div><div class=""> /* Now the event loop */</div><div class="">- if (!stop && !hup && retval > 0) {</div><div class="">- if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH,</div><div class="">- stdin)) {</div><div class="">- auparse_feed(au, tmp, strnlen(tmp,</div><div class="">- MAX_AUDIT_MESSAGE_LENGTH));</div><div class="">- }</div><div class="">- }</div><div class="">- if (feof(stdin))</div><div class="">+ if (!stop && !hup && retval > 0) {</div><div class="">+ if ((read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH)) > 0) {</div><div class="">+ auparse_feed(au, tmp, strnlen(tmp, read_size));</div><div class="">+ }</div><div class="">+ }</div><div class="">+ auparse_flush_feed(au);</div><div class="">+ if (read_size == 0) {/* check eof */</div><div class="">+ syslog(LOG_INFO, "EXITING MAIN LOOP");</div><div class="">+ break;</div><div class="">+ }</div><div class="">+ if (read_size == 0)</div><div class=""> break;</div><div class=""> } while (stop == 0);</div><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 7, 2019, at 1:24 AM, Steve Grubb <<a href="mailto:sgrubb@redhat.com" class="">sgrubb@redhat.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">On Fri, 5 Apr 2019 11:35:03 -0700</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Lukas Rupprecht <</span><a href="mailto:lukas.l.rupprecht@gmail.com" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">lukas.l.rupprecht@gmail.com</a><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">> wrote:</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">Hi All,<br class=""><br class="">I'm, having problems with the example audisp plugin from<br class=""><a href="https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c" class="">https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c</a><br class="">as sometimes, events seem to be delayed.<span class="Apple-converted-space"> </span><br class=""></blockquote><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">It is always helpful to list which version of user space you have so</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">that if I know of any bug fixes, I can point you to that. That said,</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">there is a pending pull request that I am thinking to accept but</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">haven't yet that may solve your problem. It is against the example</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">code. See </span><a href="https://github.com/linux-audit/audit-userspace/pull/83/files" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;" class="">https://github.com/linux-audit/audit-userspace/pull/83/files</a><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">It has to do with mixing raw and stdio which the latter is buffered.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Let me know if that fixes your problem.</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">Best Regards,</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class="">-Steve</span><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><br style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><blockquote type="cite" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">The scenario is as follows:<br class=""><br class="">My audit rules are tracking clone, execve,setpgid, and exit_group<br class="">calls and I changed the example plugin to just dump records in<br class="">handle_event using the following code:<br class=""><br class="">static void handle_event(auparse_state_t *au, auparse_cb_event_t<br class="">cb_event_type, void *user_data) {<br class=""> int type, num = 0;<br class=""><br class=""> if (cb_event_type != AUPARSE_CB_EVENT_READY)<br class=""> return;<br class=""><br class=""> while (auparse_goto_record_num(au, num) > 0) {<br class=""> type = auparse_get_type(au);<br class=""><br class=""> // dump whole record<br class=""> printf("%s: %s\n",<br class="">audit_msg_type_to_name(auparse_get_type(au)),<br class="">auparse_get_record_text(au));<br class=""><br class=""> num++;<br class=""> }<br class="">}<br class=""><br class="">When running a simple 'cat' command, I should see events for (in that<br class="">order) clone, execve, setpgid, setpgid, exit_group. However, the<br class="">plugin is only printing the first four events but not the exit_group.<br class="">The event is printed eventually, but only, if there has been other<br class="">system activity that triggered new, unrelated events (for example,<br class="">another clone).<br class=""><br class="">I added some instrumentation and found that, when the exit_group<br class="">event arrives, fgets_unlocked (line 125) does read the SYSCALL record<br class="">for exit_group but is missing the corresponding EOE record. A<br class="">possible explanation could be that, when select unblocks,<br class="">fgets_unlocked only reads a single line from stdin while the<br class="">remaining data is buffered. Hence, when select is called the next<br class="">time, it does not detect any activity on the file descriptor and<br class="">blocks, and the buffered data is only read once select unblocks due<br class="">to a new event.<br class=""><br class="">To test this, I replaced the call to fgets_unlocked by a read call to<br class="">consume all available bytes on stdin. The new code looks as follows<br class="">(replacing lines 123-130 in audisp-example.c):<br class=""><br class="">/* Now the event loop */<br class="">if (!stop && !hup && retval > 0) {<br class=""> ssize_t bytesRead = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);<br class=""> if (bytesRead > 0) {<br class=""> // this is just for printf<br class=""> tmp[bytesRead] = '\0';<br class=""> printf("Read %d bytes from socket: %s", bytesRead, tmp);<br class=""><br class=""> auparse_feed(au, tmp, bytesRead);<br class=""> }<br class="">}<br class=""><br class="">Using this code, I can now see the EOE record for the corresponding<br class="">exit_group SYSCALL record being read when the event arrives (I can<br class="">see it printed by the printf in the event loop). However, the problem<br class="">is that it is still not processed in handle_event until a new,<br class="">unrelated event arrives, i.e. it is not printed immediately in<br class="">handle_event. It should have been feed to the parser though as part<br class="">of the last read. Could this be a bug or am I missing something? I<br class="">tried this for versions 2.8.1 and 2.8.5.<br class=""><br class="">Thanks for any help in advance!<br class="">Lukas<br class=""><br class=""><br class="">--<br class="">Linux-audit mailing list<br class=""><a href="mailto:Linux-audit@redhat.com" class="">Linux-audit@redhat.com</a><br class=""><a href="https://www.redhat.com/mailman/listinfo/linux-audit" class="">https://www.redhat.com/mailman/listinfo/linux-audit</a></blockquote></div></blockquote></div><br class=""></body></html>