authorAndy Giles <andy@tegile.com>2017-03-31 11:51:30 +0100
committerDan McDonald <danmcd@mnx.io>2022-10-06 17:34:11 -0400
commit430fb0518974971393f591123b410c866df1855a (patch)
tree1d88feb6157feb474fb28f44d28a9e93e8db6843
parentcd918266dec8ae2553f7a0efd53c52aa90d99a39 (diff)
5913 audit_syslog is noisy when it discards messages
Reviewed by: Aditya Agnihotri <aagnihotri@tintri.com> Reviewed by: Matt Barden <mbarden@tintri.com> Reviewed by: Toomas Soome <tsoome@me.com> Reviewed by: Marco van Wieringen <mvw@planets.elm.net> Reviewed by: Gergő Mihály Doma <domag02@gmail.com> Approved by: Dan McDonald <danmcd@mnx.io>
-rw-r--r--usr/src/cmd/auditd/doorway.c27
-rw-r--r--usr/src/lib/auditd_plugins/auditd.h5
-rw-r--r--usr/src/lib/auditd_plugins/syslog/sysplugin.c16
3 files changed, 31 insertions, 17 deletions
diff --git a/usr/src/cmd/auditd/doorway.c b/usr/src/cmd/auditd/doorway.c
index c3fe37afe6..59509c2593 100644
--- a/usr/src/cmd/auditd/doorway.c
+++ b/usr/src/cmd/auditd/doorway.c
@@ -23,6 +23,10 @@
*/
/*
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
+ */
+
+/*
* Threads:
*
* auditd is thread 0 and does signal handling
@@ -151,12 +155,12 @@ warn_or_fatal(int fatal, char *parting_shot)
static void
report_error(int rc, char *error_text, char *plugin_path)
{
- int warn = 0;
char rcbuf[100]; /* short error name string */
char message[FATAL_MESSAGE_LEN];
int bad_count = 0;
char *name;
char empty[] = "..";
+ boolean_t warn = B_FALSE, discard = B_FALSE;
static int no_plug = 0;
static int no_load = 0;
@@ -174,17 +178,17 @@ report_error(int rc, char *error_text, char *plugin_path)
switch (rc) {
case INTERNAL_LOAD_ERROR:
- warn = 1;
+ warn = B_TRUE;
bad_count = ++no_load;
(void) strcpy(rcbuf, "load_error");
break;
case INTERNAL_SYS_ERROR:
- warn = 1;
+ warn = B_TRUE;
bad_count = ++no_thread;
(void) strcpy(rcbuf, "sys_error");
break;
case INTERNAL_CONFIG_ERROR:
- warn = 1;
+ warn = B_TRUE;
bad_count = ++no_plug;
(void) strcpy(rcbuf, "config_error");
name = strdup("--");
@@ -192,17 +196,17 @@ report_error(int rc, char *error_text, char *plugin_path)
case AUDITD_SUCCESS:
break;
case AUDITD_NO_MEMORY: /* no_memory */
- warn = 1;
+ warn = B_TRUE;
bad_count = ++no_memory;
(void) strcpy(rcbuf, "no_memory");
break;
case AUDITD_INVALID: /* invalid */
- warn = 1;
+ warn = B_TRUE;
bad_count = ++invalid;
(void) strcpy(rcbuf, "invalid");
break;
case AUDITD_RETRY:
- warn = 1;
+ warn = B_TRUE;
bad_count = ++retry;
(void) strcpy(rcbuf, "retry");
break;
@@ -210,10 +214,15 @@ report_error(int rc, char *error_text, char *plugin_path)
(void) strcpy(rcbuf, "comm_fail");
break;
case AUDITD_FATAL: /* failure */
- warn = 1;
+ warn = B_TRUE;
bad_count = ++fail;
(void) strcpy(rcbuf, "failure");
break;
+ case AUDITD_DISCARD: /* discarded - shouldn't get here */
+ /* Don't report this one; it's a non-error. */
+ discard = B_TRUE;
+ (void) strcpy(rcbuf, "discarded");
+ break;
default:
(void) strcpy(rcbuf, "error");
break;
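Review bot: The `/* discarded - shouldn't get here */` comment on the new AUDITD_DISCARD case reads as a contradiction with the fact that the case is handled, and it does not say why a discard is expected to be absorbed before reaching report_error. The sysplugin change in this same commit rewrites a discard to AUDITD_SUCCESS before auditd_plugin returns, so this case appears to be purely defensive; the comment should say so, e.g. `/* Plugins are expected to map a discard to AUDITD_SUCCESS before returning; handle it here only defensively and never treat it as fatal. */`. The same point applies to the `else if (!discard)` branch in the hunk at @@ -222,7 +231,7 @@, which is the only place the flag is consumed. report_error's body continues outside the hunk.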
@@ -222,7 +231,7 @@ report_error(int rc, char *error_text, char *plugin_path)
bad_count, name, rcbuf, error_text));
if (warn)
__audit_dowarn2("plugin", name, rcbuf, error_text, bad_count);
- else {
+ else if (!discard) {
(void) snprintf(message, FATAL_MESSAGE_LEN,
gettext("audit plugin %s reported error = \"%s\": %s\n"),
name, rcbuf, error_text);
diff --git a/usr/src/lib/auditd_plugins/auditd.h b/usr/src/lib/auditd_plugins/auditd.h
index 6be801b6eb..d7ca96deaa 100644
--- a/usr/src/lib/auditd_plugins/auditd.h
+++ b/usr/src/lib/auditd_plugins/auditd.h
@@ -22,6 +22,8 @@
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
+ * Copyright 2017 Tintri by DDN, Inc. All rights reserved.
+ *
* This is an unstable interface; changes may be made without
* notice.
*/
@@ -46,7 +48,8 @@ enum auditd_rc {
AUDITD_INVALID, /* bad input (WARN invalid) */
AUDITD_COMM_FAIL, /* communications failure */
AUDITD_FATAL, /* other error (WARN failure) */
- AUDITD_FAIL /* other non-fatal error */
+ AUDITD_FAIL, /* other non-fatal error */
+ AUDITD_DISCARD /* Discarded message */
};
typedef enum auditd_rc auditd_rc_t;
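Review bot: The new enumerator's comment `/* Discarded message */` does not state the contract that the rest of the commit relies on: that a discard is not an error and is not reported by auditd. Appending AUDITD_DISCARD after AUDITD_FAIL keeps the existing numbering stable, which matters for this header since it is described as an unstable plugin interface, but the comment style of the neighbouring entries (the `(WARN ...)` annotations) suggests documenting the reporting behaviour, e.g. `/* record intentionally dropped by the plugin; not an error, not reported */`. Whether a plugin may return this value directly from auditd_plugin or must map it to AUDITD_SUCCESS first is not visible here and is worth stating in the same comment.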
diff --git a/usr/src/lib/auditd_plugins/syslog/sysplugin.c b/usr/src/lib/auditd_plugins/syslog/sysplugin.c
index 948e60aa7a..2f307176d2 100644
--- a/usr/src/lib/auditd_plugins/syslog/sysplugin.c
+++ b/usr/src/lib/auditd_plugins/syslog/sysplugin.c
@@ -22,6 +22,8 @@
* Copyright 2010 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
+ * Copyright 2017 Tintri by DDN, Inc. All rights reserved.
+ *
* convert binary audit records to syslog messages and
* send them off to syslog
*
@@ -226,7 +228,7 @@ tossit(au_event_t id, int passfail)
static size_t
fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
- size_t txtlen)
+ size_t txtlen)
{
size_t len;
@@ -253,7 +255,7 @@ fromleft(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
static size_t
fromright(char *p, size_t avail, char *attrname, size_t attrlen, char *txt,
- size_t txtlen)
+ size_t txtlen)
{
size_t len;
@@ -650,7 +652,7 @@ filter(const char *input, uint64_t sequence, char *output,
ctx.out.sf_zonelen = 0;
}
- return (-1); /* tell caller it was tossed */
+ return (AUDITD_DISCARD);
}
bp = output;
remaining = out_len;
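Review bot: The `/* tell caller it was tossed */` comment on the old return line is dropped and nothing replaces it, so the reader of filter now has to find the caller to learn that AUDITD_DISCARD is the tossit() outcome rather than a failure; keeping a short comment, `return (AUDITD_DISCARD); /* tossit() said drop it; not an error */`, preserves that. filter's declared return type is outside the hunk, so whether it returns int or auditd_rc_t cannot be confirmed from here; if it is int, the enum value is still a valid return. filter's body starts and ends outside the hunk.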
@@ -823,16 +825,16 @@ auditd_plugin(const char *input, size_t in_len, uint64_t sequence, char **error)
DPRINT((dbfp, "syslog: write_count=%llu, "
"buffer=%llu, tossed=%llu\n",
++write_count, sequence, toss_count));
- } else if (rc > 0) { /* -1 == discard it */
+ } else if (rc != AUDITD_DISCARD) {
DPRINT((dbfp, "syslog: parse failed for buffer %llu\n",
sequence));
*error = strdup(gettext(
"Unable to parse audit record"));
} else {
- DPRINT((dbfp, "syslog: rc = %d (-1 is discard), "
+ DPRINT((dbfp, "syslog: rc = %d (%d is discard), "
"sequence=%llu, toss_count=%llu\n",
- rc, sequence, ++toss_count));
- rc = 0;
+ rc, AUDITD_DISCARD, sequence, ++toss_count));
+ rc = AUDITD_SUCCESS;
}
free(outbuf);
}
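Review bot: The replacement of `rc > 0` with `rc != AUDITD_DISCARD` widens the parse-failure branch: any rc other than the success value handled in the first branch and AUDITD_DISCARD now sets `*error` to "Unable to parse audit record", whereas before a negative rc other than -1 would have fallen into the discard branch. That is only a behaviour change if filter can return other negative values, which cannot be confirmed from this hunk, so it is worth checking filter's remaining return statements and, if the intent is "anything not success or discard is a parse failure", saying so in a comment such as `/* any rc other than success/discard means filter() could not parse the record */`. auditd_plugin's body starts and ends outside the hunk.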