Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix support of kernel < 3.0 #119

Merged
merged 2 commits into from
Jul 14, 2022
Merged

Fix support of kernel < 3.0 #119

merged 2 commits into from
Jul 14, 2022

Conversation

moaddib666
Copy link
Contributor

Changed min auditStatus size to 32 bite as old kernel do have only the following fields:

enabled 1
failure 1
pid 66
rate_limit 0
backlog_limit 320
lost 0
backlog 0

@cla-checker-service
Copy link

cla-checker-service bot commented Jul 9, 2022

💚 CLA has been signed

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 9, 2022

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-07-14T19:54:13.856+0000

  • Duration: 2 min 16 sec

Test stats 🧪

Test Results
Failed 0
Passed 386
Skipped 40
Total 426

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on the audit_status struct in earliest kernel version supported by Go, 2.6.23, I would say the proposed minimum is correct. The feature bitmap was add later.

@moaddib666
Copy link
Contributor Author

Based on the audit_status struct in earliest kernel version supported by Go, 2.6.23, I would say the proposed minimum is correct. The feature bitmap was add later.

It's looks strange as I face unexpected EOF at 2.6.32-954.3.5 on the CentOS 6,

I'll double check and found the following:

  • When I'd try to convert response manually it really works fine, but with libaudit.GetStatus() it fails;

Please have a look:

2022/07/12 12:14:15 Expected size is: 36
2022/07/12 12:14:15 failed to unmarshal reply: unexpected EOF
2022/07/12 12:14:15 status
2022/07/12 12:14:15 pointer number 8
2022/07/12 12:14:15 Expected size of message 36
2022/07/12 12:14:15 Recv buffer size 36
2022/07/12 12:14:15 {"Mask":36,"Enabled":2,"Failure":1,"PID":4269107896,"RateLimit":0,"BacklogLimit":16,"Lost":328680,"Backlog":1,"FeatureBitmap":4269107896,"BacklogWaitTime":0,"BacklogWaitTimeActual":0}

func main () {
        expectedSize := libaudit.MinSizeofAuditStatus
	log.Printf("Expected size is: %d", expectedSize)
	client, err := libaudit.NewMulticastAuditClient(nil)
	if err != nil {
		log.Fatalln(err)
	}
	status, err := client.GetStatus()
	if err != nil {
		log.Println(err)
	}
	log.Printf("status %+v", status)
	buf := make([]byte, syscall.NLMSG_HDRLEN+libaudit.AuditMessageMaxLength)
	netlink, _ := libaudit.NewNetlinkClient(syscall.NETLINK_AUDIT, 1, buf, nil)
	flags := uint16(syscall.NLM_F_REQUEST)
	msg := syscall.NetlinkMessage{
		Header: syscall.NlMsghdr{
			Type:  libaudit.AuditGet,
			Flags: flags | syscall.NLM_F_ACK,
		},
		Data: nil,
	}
	_, err = netlink.Send(msg)
	if err != nil {
		log.Printf("Can't send valid get status err: %v", err)
	}

	fd := GetNetlinkFd(netlink)
	n, _, _, _, err := syscall.Recvmsg(fd, buf, nil, unix.MSG_PEEK)
	log.Printf("Expected size of message %d", n)
	newBuff := make([]byte, n)
	_, _, _, _, err = syscall.Recvmsg(fd, newBuff, nil, 0)
	replyStatus := &libaudit.AuditStatus{}
	log.Printf("Recv buffer size %d", len(newBuff))
	err = replyStatus.FromWireFormat(newBuff)
	if err != nil {
		log.Printf("Worng: %v", err)
	}
	data, _ := json.Marshal(replyStatus)
	log.Printf("%s", data)
}

func GetNetlinkFd(client *libaudit.NetlinkClient) int {
	fv := reflect.ValueOf(client).Elem().FieldByName("fd")
	log.Printf("pointer number %d", fv.Int())
	return int(fv.Int())
}

Perhaps this situation happends because of MSG_DONTWAIT ?

@andrewkroh
Copy link
Member

Can you please sign the CLA (https://www.elastic.co/contributor-agreement).

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also add an entry to the CHANGELOG.md file.

audit.go Show resolved Hide resolved
@moaddib666
Copy link
Contributor Author

Can you please sign the CLA (https://www.elastic.co/contributor-agreement).

Sure, I've already done it.

@andrewkroh
Copy link
Member

Yep, I see your GH username in the CLA database, but the email in your commits does not match the one in the database. See the email in https://github.com/elastic/go-libaudit/pull/119.patch.

@moaddib666
Copy link
Contributor Author

Yep, I see your GH username in the CLA database, but the email in your commits does not match the one in the database. See the email in https://github.com/elastic/go-libaudit/pull/119.patch.

Sorry my fault, looks I've use my work account instead of personal one, updated.

@andrewkroh
Copy link
Member

/test

audit.go Outdated Show resolved Hide resolved
CHANGELOG.md Show resolved Hide resolved
@andrewkroh andrewkroh merged commit 192499f into elastic:main Jul 14, 2022
renini pushed a commit to renini/go-libaudit that referenced this pull request Jun 26, 2024
Fix minimum `AuditStatus` length so that library can support kernels from 2.6.32.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants