Hi Mr. Steve,
I set "space_left_action = exec /script" in /etc/audit/auditd.conf.
It is said that this parameter tells the system what action to take when
the system has detected that it is starting to get low on disk space (The
limitation of disk space size is set by space_left.) in the manual. But I
found the action "exec /script" will never be taken.
I found an error message "Audit daemon failed to exec null" in
/var/log/messages. The filename "/script" is never picked up by auditd,
so even though the disk space is less than the value of "space_left",
/script is not executed.
The same bug affects admin_space_left_action, disk_full_action and
disk_error_action.
Here is my patch for audit-1.7.4. What's your opinion about such
modification?
Signed-off-by: Chu Li<chul(a)cn.fujitsu.com>
---
diff --git a/src/auditd-config.c b/src/auditd-config.c
index 8a81b46..a7a939e 100644
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -892,17 +892,13 @@ static int space_action_parser(struct nv_pair *nv, int
line,
email_command);
}
}
- config->space_left_action = failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->space_left_exe = strdup(nv->option);
- config->space_left_action = FA_EXEC;
- return 0;
}
+ config->space_left_action = failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
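Review bot: The result of `strdup(nv->option)` is stored in `config->space_left_exe` without a NULL check, so on allocation failure the code still sets `space_left_action` to FA_EXEC and returns 0 with no program path, which is the state behind the reported "failed to exec null" message. I would change it to `if ((config->space_left_exe = strdup(nv->option)) == NULL) return 1;`, and free any earlier value first if this option can be parsed more than once. Whether `check_exe_name` rejects a NULL `nv->option` (a bare `exec` with no path) is not visible here and is worth confirming, since the audit daemon later executes this path. The same applies to the `admin_space_left_exe`, `disk_full_exe` and `disk_error_exe` assignments in the other three hunks. The function body starts outside this hunk.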
@@ -1021,19 +1017,15 @@ static int admin_space_left_action_parser(struct
nv_pair *nv, int line,
email_command);
}
}
- config->admin_space_left_action =
- failure_actions[i].option;
- return 0;
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->admin_space_left_exe =
strdup(nv->option);
- config->admin_space_left_action = FA_EXEC;
- return 0;
}
+ config->admin_space_left_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
@@ -1049,25 +1041,20 @@ static int disk_full_action_parser(struct nv_pair *nv,
int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_full_action =
- failure_actions[i].option;
- return 0;
- } else {
+ if (failure_actions[i].option == FA_EMAIL ) {
audit_msg(LOG_ERR,
"Illegal option %s for disk_full_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_full_exe = strdup(nv->option);
- config->disk_full_action = FA_EXEC;
- return 0;
}
+ config->disk_full_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
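Review bot: The new condition `if (failure_actions[i].option == FA_EMAIL ) {` has a stray space before the closing parenthesis, which does not match the `== FA_EXEC) {` test added a few lines below it. I would write `if (failure_actions[i].option == FA_EMAIL) {` here and in the identical line of the disk_error_action_parser hunk.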
@@ -1083,25 +1070,20 @@ static int disk_error_action_parser(struct nv_pair
*nv, int line,
nv->value);
for (i=0; failure_actions[i].name != NULL; i++) {
if (strcasecmp(nv->value, failure_actions[i].name) == 0) {
- if (failure_actions[i].option != FA_EMAIL) {
- config->disk_error_action =
- failure_actions[i].option;
- return 0;
- } else {
- audit_msg(LOG_ERR,
- "Illegal option %s for disk_error_action - line %d",
+ if (failure_actions[i].option == FA_EMAIL ) {
+ audit_msg(LOG_ERR,
+ "Illegal option %s for disk_error_action - line %d",
nv->value, line);
return 1;
}
- } else if (i == FA_EXEC) {
- if (strncasecmp(failure_actions[i].name,
- nv->value, 4) == 0){
+ if (failure_actions[i].option == FA_EXEC) {
if (check_exe_name(nv->option))
return 1;
config->disk_error_exe = strdup(nv->option);
- config->disk_error_action = FA_EXEC;
- return 0;
}
+ config->disk_error_action =
+ failure_actions[i].option;
+ return 0;
}
}
audit_msg(LOG_ERR, "Option %s not found - line %d", nv->value, line);
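Review bot: The `audit_msg(LOG_ERR,` line and its "Illegal option %s for disk_error_action - line %d" format string are removed and re-added with the same text, so they appear to differ only in whitespace. The disk_full_action_parser hunk keeps those two lines as context, so I would leave them untouched here as well; that keeps the patch to the functional change and the two parsers formatted alike.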
Regards
Chu Li