From: Steve Grubb
Subject: Re: Events Delayed in Example audisp Plugin
Date: Sun, 7 Apr 2019 10:24:49 +0200
Message-ID: <20190407102449.6ee98f32@ivy-bridge>
In-Reply-To: <701671D3-DD66-4462-89E1-0849CB1BBFCF@gmail.com>
To: Lukas Rupprecht
Cc: linux-audit@redhat.com

On Fri, 5 Apr 2019 11:35:03 -0700 Lukas Rupprecht wrote:
> Hi All,
>
> I'm having problems with the example audisp plugin from
> https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/audisp-example.c
> as sometimes, events seem to be delayed.

It is always helpful to list which version of user space you have so that
if I know of any bug fixes, I can point you to that. That said, there is a
pending pull request that I am thinking of accepting but haven't yet, which
may solve your problem. It is against the example code. See
https://github.com/linux-audit/audit-userspace/pull/83/files

It has to do with mixing raw and stdio, the latter of which is buffered.
Let me know if that fixes your problem.
Best Regards,
-Steve

> The scenario is as follows:
>
> My audit rules are tracking clone, execve, setpgid, and exit_group
> calls and I changed the example plugin to just dump records in
> handle_event using the following code:
>
> static void handle_event(auparse_state_t *au,
> 			 auparse_cb_event_t cb_event_type, void *user_data)
> {
> 	int type, num = 0;
>
> 	if (cb_event_type != AUPARSE_CB_EVENT_READY)
> 		return;
>
> 	/* walk every record of the event; record numbers start at 0 */
> 	while (auparse_goto_record_num(au, num) > 0) {
> 		type = auparse_get_type(au);
>
> 		// dump whole record
> 		printf("%s: %s\n", audit_msg_type_to_name(type),
> 		       auparse_get_record_text(au));
>
> 		num++;
> 	}
> }
>
> When running a simple 'cat' command, I should see events for (in that
> order) clone, execve, setpgid, setpgid, exit_group. However, the
> plugin is only printing the first four events but not the exit_group.
> The event is printed eventually, but only if there has been other
> system activity that triggered new, unrelated events (for example,
> another clone).
>
> I added some instrumentation and found that, when the exit_group
> event arrives, fgets_unlocked (line 125) does read the SYSCALL record
> for exit_group but is missing the corresponding EOE record. A
> possible explanation could be that, when select unblocks,
> fgets_unlocked only reads a single line from stdin while the
> remaining data is buffered. Hence, when select is called the next
> time, it does not detect any activity on the file descriptor and
> blocks, and the buffered data is only read once select unblocks due
> to a new event.
>
> To test this, I replaced the call to fgets_unlocked by a read call to
> consume all available bytes on stdin.
> The new code looks as follows (replacing lines 123-130 in audisp-example.c):
>
> 	/* Now the event loop */
> 	if (!stop && !hup && retval > 0) {
> 		/* read whatever is available in one go; tmp must have room
> 		 * for the terminator (MAX_AUDIT_MESSAGE_LENGTH+1 bytes) */
> 		ssize_t bytesRead = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
> 		if (bytesRead > 0) {
> 			// this is just for printf
> 			tmp[bytesRead] = '\0';
> 			printf("Read %zd bytes from socket: %s", bytesRead, tmp);
>
> 			auparse_feed(au, tmp, bytesRead);
> 		}
> 	}
>
> Using this code, I can now see the EOE record for the corresponding
> exit_group SYSCALL record being read when the event arrives (I can
> see it printed by the printf in the event loop). However, the problem
> is that it is still not processed in handle_event until a new,
> unrelated event arrives, i.e. it is not printed immediately in
> handle_event. It should have been fed to the parser though as part
> of the last read. Could this be a bug or am I missing something? I
> tried this for versions 2.8.1 and 2.8.5.
>
> Thanks for any help in advance!
> Lukas
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit