diff options
author | Andy Giles <andy@tegile.com> | 2017-03-31 11:51:30 +0100 |
---|---|---|
committer | Dan McDonald <danmcd@mnx.io> | 2022-10-06 17:34:11 -0400 |
commit | 430fb0518974971393f591123b410c866df1855a (patch) | |
tree | 1d88feb6157feb474fb28f44d28a9e93e8db6843 | |
parent | cd918266dec8ae2553f7a0efd53c52aa90d99a39 (diff) | |
download | illumos-joyent-430fb0518974971393f591123b410c866df1855a.tar.gz |
5913 audit_syslog is noisy when it discards messages
Reviewed by: Aditya Agnihotri <aagnihotri@tintri.com>
Reviewed by: Matt Barden <mbarden@tintri.com>
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Marco van Wieringen <mvw@planets.elm.net>
Reviewed by: Gergő Mihály Doma <domag02@gmail.com>
Approved by: Dan McDonald <danmcd@mnx.io>
-rw-r--r-- | usr/src/cmd/auditd/doorway.c | 27 | ||||
-rw-r--r-- | usr/src/lib/auditd_plugins/auditd.h | 5 | ||||
-rw-r--r-- | usr/src/lib/auditd_plugins/syslog/sysplugin.c | 16 |
3 files changed, 31 insertions, 17 deletions
diff --git a/usr/src/cmd/auditd/doorway.c b/usr/src/cmd/auditd/doorway.c index c3fe37afe6..59509c2593 100644 --- a/usr/src/cmd/auditd/doorway.c +++ b/usr/src/cmd/auditd/doorway.c @@ -23,6 +23,10 @@ */ /* + * Copyright 2022 Tintri by DDN, Inc. All rights reserved. + */ + +/* * Threads: * * auditd is thread 0 and does signal handling @@ -151,12 +155,12 @@ warn_or_fatal(int fatal, char *parting_shot) static void report_error(int rc, char *error_text, char *plugin_path) { - int warn = 0; char rcbuf[100]; /* short error name string */ char message[FATAL_MESSAGE_LEN]; int bad_count = 0; char *name; char empty[] = ".."; + boolean_t warn = B_FALSE, discard = B_FALSE; static int no_plug = 0; static int no_load = 0; @@ -174,17 +178,17 @@ report_error(int rc, char *error_text, char *plugin_path) switch (rc) { case INTERNAL_LOAD_ERROR: - warn = 1; + warn = B_TRUE; bad_count = ++no_load; (void) strcpy(rcbuf, "load_error"); break; case INTERNAL_SYS_ERROR: - warn = 1; + warn = B_TRUE; bad_count = ++no_thread; (void) strcpy(rcbuf, "sys_error"); break; case INTERNAL_CONFIG_ERROR: - warn = 1; + warn = B_TRUE; bad_count = ++no_plug; (void) strcpy(rcbuf, "config_error"); name = strdup("--"); @@ -192,17 +196,17 @@ report_error(int rc, char *error_text, char *plugin_path) case AUDITD_SUCCESS: break; case AUDITD_NO_MEMORY: /* no_memory */ - warn = 1; + warn = B_TRUE; bad_count = ++no_memory; (void) strcpy(rcbuf, "no_memory"); break; case AUDITD_INVALID: /* invalid */ - warn = 1; + warn = B_TRUE; bad_count = ++invalid; (void) strcpy(rcbuf, "invalid"); break; case AUDITD_RETRY: - warn = 1; + warn = B_TRUE; bad_count = ++retry; (void) strcpy(rcbuf, "retry"); break; @@ -210,10 +214,15 @@ report_error(int rc, char *error_text, char *plugin_path) (void) strcpy(rcbuf, "comm_fail"); break; case AUDITD_FATAL: /* failure */ - warn = 1; + warn = B_TRUE; bad_count = ++fail; (void) strcpy(rcbuf, "failure"); break; + case AUDITD_DISCARD: /* discarded - shouldn't get here */ + /* Don't report this one; it's a non-error. */ + discard = B_TRUE; + (void) strcpy(rcbuf, "discarded"); + break; default: (void) strcpy(rcbuf, "error"); break; @@ -222,7 +231,7 @@ report_error(int rc, char *error_text, char *plugin_path) bad_count, name, rcbuf, error_text)); if (warn) __audit_dowarn2("plugin", name, rcbuf, error_text, bad_count); - else { + else if (!discard) { (void) snprintf(message, FATAL_MESSAGE_LEN, gettext("audit plugin %s reported error = \"%s\": %s\n"), name, rcbuf, error_text); diff --git a/usr/src/lib/auditd_plugins/auditd.h b/usr/src/lib/auditd_plugins/auditd.h index 6be801b6eb..d7ca96deaa 100644 --- a/usr/src/lib/auditd_plugins/auditd.h +++ b/usr/src/lib/auditd_plugins/auditd.h @@ -22,6 +22,8 @@ * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * + * Copyright 2017 Tintri by DDN, Inc. All rights reserved. + * * This is an unstable interface; changes may be made without * notice. */ @@ -46,7 +48,8 @@ enum auditd_rc { AUDITD_INVALID, /* bad input (WARN invalid) */ AUDITD_COMM_FAIL, /* communications failure */ AUDITD_FATAL, /* other error (WARN failure) */ - AUDITD_FAIL /* other non-fatal error */ + AUDITD_FAIL, /* other non-fatal error */ + AUDITD_DISCARD /* Discarded message */ }; typedef enum auditd_rc auditd_rc_t; diff --git a/usr/src/lib/auditd_plugins/syslog/sysplugin.c b/usr/src/lib/auditd_plugins/syslog/sysplugin.c index 948e60aa7a..2f307176d2 100644 --- a/usr/src/lib/auditd_plugins/syslog/sysplugin.c +++ b/usr/src/lib/auditd_plugins/syslog/sysplugin.c @@ -22,6 +22,8 @@ * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * + * Copyright 2017 Tintri by DDN, Inc. All rights reserved. + * * convert binary audit records to syslog messages and * send them off to syslog * @@ -226,7 +228,7 @@ tossit(au_event_t id, int passfail) static size_t fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt, - size_t txtlen) + size_t txtlen) { size_t len; @@ -253,7 +255,7 @@ fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt, static size_t fromright(char *p, size_t avail, char *attrname, size_t attrlen, char *txt, - size_t txtlen) + size_t txtlen) { size_t len; @@ -650,7 +652,7 @@ filter(const char *input, uint64_t sequence, char *output, ctx.out.sf_zonelen = 0; } - return (-1); /* tell caller it was tossed */ + return (AUDITD_DISCARD); } bp = output; remaining = out_len; @@ -823,16 +825,16 @@ auditd_plugin(const char *input, size_t in_len, uint64_t sequence, char **error) DPRINT((dbfp, "syslog: write_count=%llu, " "buffer=%llu, tossed=%llu\n", ++write_count, sequence, toss_count)); - } else if (rc > 0) { /* -1 == discard it */ + } else if (rc != AUDITD_DISCARD) { DPRINT((dbfp, "syslog: parse failed for buffer %llu\n", sequence)); *error = strdup(gettext( "Unable to parse audit record")); } else { - DPRINT((dbfp, "syslog: rc = %d (-1 is discard), " + DPRINT((dbfp, "syslog: rc = %d (%d is discard), " "sequence=%llu, toss_count=%llu\n", - rc, sequence, ++toss_count)); - rc = 0; + rc, AUDITD_DISCARD, sequence, ++toss_count)); + rc = AUDITD_SUCCESS; } free(outbuf); } |