Bug 232847 - app-admin/syslog-ng hardened match filter rules broken by CONFIG_PRINTK_TIME
Summary: app-admin/syslog-ng hardened match filter rules broken by CONFIG_PRINTK_TIME
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL: http://sources.gentoo.org/viewcvs.py/...
Whiteboard:
Keywords:
Duplicates: 232848
Depends on:
Blocks:

Reported: 2008-07-24 16:30 UTC by cilly
Modified: 2010-04-05 22:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
diff -burN (syslog-ng.conf.gentoo.hardened.patch,1.25 KB, patch)
2008-07-24 18:09 UTC, cilly
Proposed patch to resolve the issue. (syslog-ng.conf.patch,765 bytes, patch)
2009-05-26 21:56 UTC, Anthony Basile

Description cilly 2008-07-24 16:30:42 UTC
corrected filters:

# grsec & pax
filter f_avc { match("^\\[.*\] .*avc: .*"); };
filter f_audit { match("^\\[.*\] audit.*") and not match(".*avc: .*"); };
filter f_pax { match("^\\[.*\] PAX:.*"); };
filter f_grsec { match("^\\[.*\] grsec:.*"); };
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 18:00:32 UTC
Hi,
I do not think it is unreasonable to ask for a diff'd output of what you are suggesting. And please provide a reason for the change, besides 'broken'.

Thanks,
Jeremy
Comment 2 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2008-07-24 18:01:09 UTC
*** Bug 232848 has been marked as a duplicate of this bug. ***
Comment 3 cilly 2008-07-24 18:09:41 UTC
Created attachment 161297
diff -burN
Comment 4 cilly 2008-07-24 18:14:13 UTC
The reason: the original filter won't match, since with the latest stable hardened kernel a timestamp in brackets is put at the beginning of each log line:

[285563.904507] grsec: .....

I am not 100% sure but this was probably introduced with kernel tree 2.6.24.x.
Comment 5 Gordon Malm (RETIRED) gentoo-dev 2008-07-24 23:52:16 UTC
There was no behavioral change in the kernel or grsecurity.  Looks like you enabled CONFIG_PRINTK_TIME in your kernel config.  Would be good if the shipped hardened syslog-ng.conf took this kernel config option into account though.
Comment 6 Anthony Basile gentoo-dev 2009-05-26 21:56:30 UTC
Created attachment 192544
Proposed patch to resolve the issue.

This patch should resolve the issue.  It has been tested on an i686 pax/grsec system and a selinux system.  There is no reason to suspect it won't work on amd64.
Comment 7 Oliver Sucker 2009-11-02 20:03:05 UTC
It seems to me like there is a little mistake, though it might still work.

The opening square bracket has a double escaping backslash, whereas the closing square bracket has only a single one.

Also, the statements from Anthony Basile's patch can be written in a single regular expression, with a conditional prefix, to match messages for old-style kernels and new-style kernels at once:

# <H4xX0Rz1sT@eyeq.de> newer kernels have kernel time prefix with CONFIG_PRINTK_TIME set, see #232847
filter f_avc { match(".*avc: .*"); };
filter f_audit { match("^(\\[.*\\] )?audit.*") and not message(".*avc: .*"); };
filter f_pax { match("^(\\[.*\\] )?PAX:.*"); };
filter f_test { match("^(\\[.*\\] )?grsec:.*"); };

I have tested with 'logger -t kernel "[285563.904507] grsec: ....."' and 'logger -t kernel "grsec: ....."' resulting in these log entries:
Nov  2 20:44:23 saturn kernel: [285563.904507] grsec: .....
Nov  2 20:44:25 saturn kernel: grsec: .....

Please also note bug #291259: "match()" has to be replaced by "message()" with syslog-ng 3.x.

HTH,
Oliver
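The two rule sets discussed in this bug, checked against sample kernel messages with and without the CONFIG_PRINTK_TIME prefix. This is an added example, not part of the bug report or of the Gentoo syslog-ng.conf; it assumes the patterns are applied to the message body (the text after "kernel: "), as the anchored patterns on this page presuppose, it writes comment 7's f_test rule under the name f_grsec, and the sample lines are constructed.

```python
import re

# Rules as Python regexes: one backslash where the syslog-ng config strings
# need two. Each entry is (pattern that must match, pattern that must not).
PREFIX_REQUIRED = {  # comment 0: only lines carrying a "[secs.usecs] " prefix
    "f_avc":   (r"^\[.*\] .*avc: .*", None),
    "f_audit": (r"^\[.*\] audit.*", r".*avc: .*"),
    "f_pax":   (r"^\[.*\] PAX:.*", None),
    "f_grsec": (r"^\[.*\] grsec:.*", None),
}
PREFIX_OPTIONAL = {  # comment 7: the prefix becomes an optional group
    "f_avc":   (r".*avc: .*", None),
    "f_audit": (r"^(\[.*\] )?audit.*", r".*avc: .*"),
    "f_pax":   (r"^(\[.*\] )?PAX:.*", None),
    "f_grsec": (r"^(\[.*\] )?grsec:.*", None),
}

# Constructed message bodies: each event once with and once without the
# printk timestamp. The avc/audit pair exercises the "not avc" exclusion.
SAMPLES = [
    "[285563.904507] grsec: .....",
    "grsec: .....",
    "[12.345678] PAX: terminating task: /usr/bin/example(example):4242",
    "PAX: terminating task: /usr/bin/example(example):4242",
    "[1.000000] audit(1234.567:89): avc:  denied  { read } for pid=1",
    "audit(1234.567:89): avc:  denied  { read } for pid=1",
    "[1.000000] audit(1234.567:90): type=SYSCALL arch=c000003e",
    "audit(1234.567:90): type=SYSCALL arch=c000003e",
]


def classify(rules, msg):
    """Sorted names of the filters that accept msg (syslog-ng match() is a search)."""
    hits = []
    for name, (want, reject) in rules.items():
        if re.search(want, msg) and not (reject and re.search(reject, msg)):
            hits.append(name)
    return sorted(hits)


def coverage(rules, samples):
    """Map each sample to its matching filters; an empty list is a dropped line."""
    return {msg: classify(rules, msg) for msg in samples}


if __name__ == "__main__":
    for label, rules in (("prefix required", PREFIX_REQUIRED),
                         ("prefix optional", PREFIX_OPTIONAL)):
        print(f"== {label} ==")
        for msg, hits in coverage(rules, SAMPLES).items():
            print(f"{hits or ['(no filter)']!s:16} {msg}")
```

Running it shows the prefix-required rules silently dropping every un-prefixed line, while the optional-prefix rules route both forms of each event to the same filter.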
Comment 8 Magnus Granberg gentoo-dev 2010-04-05 22:35:15 UTC
Fixed in syslog-ng 3.0.5-r1