Audit system does not parse 'naflags' properly

Originator: ihmccreery
Number: rdar://9822631    Date Originated: 22-Jul-2011 11:05 AM
Status: Open    Resolved:
Product: Mac OS X    Product Version: 10K540
Classification: Security    Reproducible: Always

22-Jul-2011 11:05 AM Anne McCreery:
Summary:  The audit system does not seem to be able to parse more than 8 arguments to the 'naflags:' field in the audit_control(5) file (/etc/security/audit_control).  It produces an error message in /var/log/system.log:

auditd_set_namask() could not parse audit_control(5) file: Invalid argument

Steps to Reproduce:

1.  Make a backup of audit_control(5) (in /etc/security).

2.  Open the audit_control file and include a 'host:' field after 'flags:' to avoid bug 9817001.

3.  Edit 'naflags:' to include 9 arguments.  See audit_class in the same directory for a list of arguments.

4.  Do 'sudo audit -s' to reread the configuration files.  Check /var/log/system.log and look for an error:

auditd_set_namask() could not parse audit_control(5) file: Invalid argument

5.  Take any one of the arguments to 'naflags:' out.  Save the file.

6.  Do 'sudo audit -s' to reread the configuration file again.  Again look for the same error; we found it wasn't with only 8 arguments.

Expected Results:  The audit system should read the configuration file and audit appropriately.

Actual Results:  The audit system gives an error and does not read the configuration file past where it encounters the error.

Regression:  We reproduced this error regardless of which arguments we chose, so it seems to be a number-of-arguments problem rather than any specific malformed arguments.

Notes:  We think the problem is located in /source/OpenBSM/OpenBSM-21/openbsm/libauditd/auditd_lib.c.  The constant NA_EVENT_STR_SIZE is 25, which is only enough room for 8 arguments to be passed between auditd_set_namask() and getacna(), located in openbsm/libbsm/bsm_control.c.   We were looking at source from opensource.apple.com/source, though unsure how old this content is.
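To make the limit described in the note concrete, here is an added model (not OpenBSM's code) of handing the 'naflags:' value through a fixed 25-byte buffer; the two-letter class names and all helper names are assumptions, and the real getacna()/auditd_set_namask() path is not reproduced:

```c
/* Added model of the reported bug (not OpenBSM source): the naflags value is handed
 * through a fixed NA_EVENT_STR_SIZE buffer, which caps the class count; class names are samples in audit_class(5) style. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NA_EVENT_STR_SIZE 25 /* value the report cites for OpenBSM-21 */
/* 1 if value fits the fixed buffer (NUL included); 0 with errno = EINVAL
 * otherwise, the "Invalid argument" the report sees in system.log. */
int naflags_value_fits(const char *value) {
    char buf[NA_EVENT_STR_SIZE];
    size_t len = strlen(value);
    if (len + 1 > sizeof buf) { errno = EINVAL; return 0; }
    memcpy(buf, value, len + 1);
    return 1;
}

/* Number of comma-separated class names in a value ("" counts as 0). */
int count_classes(const char *value) {
    int n = (*value != '\0');
    for (const char *p = value; *p; p++)
        n += (*p == ',');
    return n;
}

/* Write "c1,c2,..." from the first n sample classes into out; -1 on error. */
int build_naflags(int n, char *out, size_t outsz) {
    static const char *const cls[] = {"lo", "aa", "ad", "fc", "fd",
                                      "fm", "fr", "fw", "pc", "ex"};
    size_t len = 0;
    if (n < 0 || n > 10 || outsz < (size_t)n * 3 + 1) return -1;
    out[0] = '\0';
    for (int i = 0; i < n; i++)
        len += (size_t)snprintf(out + len, outsz - len, "%s%s", i ? "," : "", cls[i]);
    return (int)len;
}

int max_classes_that_fit(void) { /* largest n that still fits: 8 at size 25 */
    char line[64];
    int n = 0;
    while (n < 10 && build_naflags(n + 1, line, sizeof line) >= 0 &&
           naflags_value_fits(line))
        n++;
    return n;
}

int main(void) {
    printf("two-letter classes that fit in %d bytes: %d\n", NA_EVENT_STR_SIZE, max_classes_that_fit());
    return 0;
}
```

Eight two-letter classes plus seven commas need 24 bytes with the terminator, while nine need 27, which is why the ninth entry is the one that trips the error.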

This bug was found while attempting to configure the OS X audit system for performance benchmarking, as part of a survey of auditing systems on several platforms.  This research is being done by Benjamin Kuperman (advisor), Luke Lovett (student), and Isaac McCreery (student) at Oberlin College Computer Science as part of the Oberlin Summer Research Institute.
