
Bug 232847

Summary: app-admin/syslog-ng hardened match filter rules broken by CONFIG_PRINTK_TIME
Product: Gentoo Linux Reporter: cilly <cilly>
Component: New packages
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED FIXED
Severity: normal
CC: gengor, H4xX0Rz1sT
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo.hardened?hideattic=0&view=markup
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: diff -burN
Proposed patch to resolve the issue.

Description cilly 2008-07-24 16:30:42 UTC
corrected filters:

# grsec & pax
filter f_avc { match("^\\[.*\] .*avc: .*"); };
filter f_audit { match("^\\[.*\] audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^\\[.*\] PAX:.*"); };
filter f_grsec { match("^\\[.*\] grsec:.*"); };
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 18:00:32 UTC
Hi,
I do not think it is unreasonable to ask for a diff'd output of what you are suggesting, and for a reason for the change besides 'broken'.

Thanks,
Jeremy
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 18:01:09 UTC
*** Bug 232848 has been marked as a duplicate of this bug. ***
Comment 3 cilly 2008-07-24 18:09:41 UTC
Created attachment 161297 [details, diff]
diff -burN
Comment 4 cilly 2008-07-24 18:14:13 UTC
The reason: the original filter won't match, since with the latest stable hardened kernel a timestamp in brackets is put at the beginning of each log line:

[285563.904507] grsec: .....

I am not 100% sure but this was probably introduced with kernel tree 2.6.24.x.
Comment 5 Gordon Malm (RETIRED) gentoo-dev 2008-07-24 23:52:16 UTC
There was no behavioral change in the kernel or grsecurity.  Looks like you enabled CONFIG_PRINTK_TIME in your kernel config.  Would be good if the shipped hardened syslog-ng.conf took this kernel config option into account though.
Comment 6 Anthony Basile gentoo-dev 2009-05-26 21:56:30 UTC
Created attachment 192544 [details, diff]
Proposed patch to resolve the issue.

This patch should resolve the issue.  It has been tested on i686 pax/grsec system and a selinux system.  There is no reason to suspect it won't work on amd64.
Comment 7 Oliver Sucker 2009-11-02 20:03:05 UTC
It seems to me like there is a little mistake, though it might still work.

The opening square bracket has a double escaping backslash, whereas the closing square bracket has only a single one.

Also, the statements from Anthony Basile's patch can be written in a single regular expression, with a conditional prefix, to match messages for old-style kernels and new-style kernels at once:

# <H4xX0Rz1sT@eyeq.de> newer kernels have kernel time prefix with CONFIG_PRINTK_TIME set, see #232847
filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^(\\[.*\\] )?audit.*") and not message(".*avc: .*"); };
filter f_pax { match("^(\\[.*\\] )?PAX:.*"); };
filter f_grsec { match("^(\\[.*\\] )?grsec:.*"); };

I have tested with 'logger -t kernel "[285563.904507] grsec: ....."' and 'logger -t kernel "grsec: ....."' resulting in these log entries:
Nov  2 20:44:23 saturn kernel: [285563.904507] grsec: .....
Nov  2 20:44:25 saturn kernel: grsec: .....

Please also note bug #291259: "match()" has to be replaced by "message()" with syslog-ng 3.x.

HTH,
Oliver
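To make the difference between the two regex styles in this bug concrete, here is an added Python check (not part of the bug report, not from syslog-ng, and not any commenter's code). It encodes the prefix-only filters from the description and the conditional-prefix filters from comment 7 as the regex engine sees them after syslog-ng has unescaped the config strings (so "^\\[.*\\] " in the config appears as ^\[.*\] here), models the "and not match(...)" clause of f_audit as an exclusion, and runs both sets over a handful of constructed kernel messages; the two grsec lines are the ones from comment 7, the PAX and audit lines are made up for the demo.

```python
import re

# Each filter is (expression, excluded_expression): the second element models
# the 'and not match(...)' clause that f_audit carries in the thread.
# Expressions are written as the regex engine sees them, i.e. after syslog-ng
# has unescaped the config string ("^\\[.*\\] " in the config is ^\[.*\]  here).

# Prefix-only form from the bug description: the "[seconds.micros] " stamp
# written by CONFIG_PRINTK_TIME is required for a match.
PREFIX_REQUIRED = {
    "f_avc":   (r"^\[.*\] .*avc: .*", None),
    "f_audit": (r"^\[.*\] audit.*", r".*avc: .*"),
    "f_pax":   (r"^\[.*\] PAX:.*", None),
    "f_grsec": (r"^\[.*\] grsec:.*", None),
}

# Conditional-prefix form from comment 7: the stamp is optional, so kernels
# built with and without CONFIG_PRINTK_TIME are both matched.
PREFIX_OPTIONAL = {
    "f_avc":   (r".*avc: .*", None),
    "f_audit": (r"^(\[.*\] )?audit.*", r".*avc: .*"),
    "f_pax":   (r"^(\[.*\] )?PAX:.*", None),
    "f_grsec": (r"^(\[.*\] )?grsec:.*", None),
}


def matching_filters(message, filters):
    """Return the names of the filters that accept this kernel message."""
    hits = []
    for name, (expr, excluded) in filters.items():
        if re.search(expr, message) and not (excluded and re.search(excluded, message)):
            hits.append(name)
    return hits


# Constructed sample messages (the part after "kernel: " in the syslog line).
# The two grsec lines are the ones from comment 7; the rest are invented.
SAMPLES = [
    "[285563.904507] grsec: .....",
    "grsec: .....",
    "[12.345678] PAX: terminating task: /usr/bin/example(example):123",
    "PAX: terminating task: /usr/bin/example(example):123",
    "[1.000000] audit(1.0:1): avc:  denied  { read } for pid=1",
    "audit(1.0:2): type=1300 syscall=2",
]


def coverage(filters):
    """Map each sample message to the filters that would route it."""
    return {msg: matching_filters(msg, filters) for msg in SAMPLES}


if __name__ == "__main__":
    for label, filters in (("prefix required", PREFIX_REQUIRED),
                           ("prefix optional", PREFIX_OPTIONAL)):
        print(f"== {label} ==")
        for msg, hits in coverage(filters).items():
            print(f"{str(hits or '(dropped)'):24} {msg}")
```

Running it shows the failure mode the bug is about from the other direction: with the prefix-only filters, every un-stamped grsec, PAX and audit line is dropped, while the conditional-prefix set routes all six samples and still keeps AVC denials out of f_audit.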
Comment 8 Magnus Granberg gentoo-dev 2010-04-05 22:35:15 UTC
Fixed in syslog-ng 3.0.5-r1