Bad bug in remote logging
Steve Grubb
sgrubb at redhat.com
Mon Apr 11 23:00:47 UTC 2011
Hello,
There was a bug reported to day that I think merits an email and/or discussion.
https://bugzilla.redhat.com/show_bug.cgi?id=695419
=================================
audisp-remote does
> memset (&address, 0, sizeof(address));
> address.sin_family = htons(AF_INET);
> address.sin_port = htons(config.local_port);
> address.sin_addr.s_addr = htonl(INADDR_ANY);
which shows in strace as
> bind(3, {sa_family=0x200 /* AF_??? */, sa_data="\0<\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) =
0
For some reason the call still succeeds, but a correct invocation would not
call htons on AF_INET.
================================
The reason it succeeds is because there is a matching mistake in auditd. So, what this
means is that remote logging is not using IPv4, but something else. I committed a
patch to fix this in trunk:
https://fedorahosted.org/audit/changeset/505
This would cause new systems and old systems to not be able to talk to one another.
Regarding RHEL, remote logging has been tech preview, meaning that its alpha code and
likely buggy but available so you can see where this is heading. So, I think we can
just change it to be correct. For Fedora, there is no tech preview and everything is
supported...but it has a short life. However, what the code was doing is clearly
wrong. So, I am thinking to fix this all the way back to F-13 if I can. Regarding other
distributions...not sure what the support status is or how they would like to choose
to solve this. Anyone have any thoughts on this?
-Steve
More information about the Linux-audit
mailing list