On Wed, 2006-09-20 at 22:43 +0200, Tomas Mraz wrote:
> On Wed, 2006-09-20 at 13:42 -0500, Loulwa Salem wrote:
> > Linda Knippers wrote:
> > > Steve Grubb wrote:
> > ....
> > >>
> > >>>type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
> > >>>auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
> > >>>exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
> > >>>terminal=/dev/pts/3 res=success)'
> > >>>
> > >>>type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
> > >>>auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
> > >>>msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
> > >>>res=failed)'
> > >>>
> > >>>Do you know why we often get an addr of 2.0.0.0?
> The code in the audit library calls getaddrinfo() on the hostname, which is
> numeric. getaddrinfo() returns the 2.0.0.0 address; I don't know why.
Actually not true :-)
It is a bug in the way inet_ntop is called. Here is a patch.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
--- audit-1.2.7/lib/audit_logging.c.gai 2006-09-17 16:11:02.000000000 +0200
+++ audit-1.2.7/lib/audit_logging.c 2006-09-20 23:10:05.000000000 +0200
@@ -66,7 +66,10 @@
return;
}
// What to do if more than 1 addr?
- inet_ntop(ai->ai_family, ai->ai_addr, buf, INET6_ADDRSTRLEN);
+ inet_ntop(ai->ai_family, ai->ai_family == AF_INET ?
+ (void *) &((struct sockaddr_in *)ai->ai_addr)->sin_addr :
+ (void *) &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
+ buf, INET6_ADDRSTRLEN);
freeaddrinfo(ai);
}
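Review bot: The inet_ntop() return value is still ignored in the replacement call, and the ternary's else arm casts ai->ai_addr to struct sockaddr_in6 for every family that is not AF_INET. If inet_ntop() fails, nothing in these lines sets buf, so the caller may log whatever buf held before. Suggest handling AF_INET and AF_INET6 explicitly, treating any other ai_family as an error, and checking for a NULL return before buf is used. The casts could also be to const void * rather than void *, matching the src parameter of inet_ntop(). The "What to do if more than 1 addr?" comment above the call remains unresolved; only the first result is formatted.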
--
redhat-lspp mailing list
https://www.redhat.com/mailman/listinfo/redhat-lspp
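Why the pre-patch call produces 2.0.0.0, as an added example that is not part of the original message or the audit source: on little-endian Linux a struct sockaddr_in starts with the 16-bit family (AF_INET is 2) followed by the port (0 here), so inet_ntop() given ai->ai_addr formats those four bytes instead of the address. format_addr() is a hypothetical helper, and AI_NUMERICHOST is an assumption made so the lookup needs no DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* getaddrinfo() under strict -std= modes */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not from the audit library). fixed == 0 passes the
 * whole sockaddr to inet_ntop(), as the pre-patch line did; fixed == 1 passes
 * the address member, as the patch does. Returns 0 on success, -1 on error. */
int format_addr(const char *host, int fixed, char *buf, socklen_t len)
{
    struct addrinfo hints, *ai;
    const void *src;
    const char *res;

    memset(&hints, 0, sizeof(hints));
    hints.ai_flags = AI_NUMERICHOST;   /* assumption: numeric input, no DNS */
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, NULL, &hints, &ai) != 0)
        return -1;
    if (!fixed)
        src = ai->ai_addr;             /* bug: points at sa_family and port */
    else if (ai->ai_family == AF_INET)
        src = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
    else if (ai->ai_family == AF_INET6)
        src = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
    else {
        freeaddrinfo(ai);              /* unknown family: refuse to format */
        return -1;
    }
    res = inet_ntop(ai->ai_family, src, buf, len);
    freeaddrinfo(ai);
    return res ? 0 : -1;               /* NULL means buf was not written */
}

int main(void)
{
    char before[INET6_ADDRSTRLEN], after[INET6_ADDRSTRLEN];
    const char *host = "16.116.117.213";  /* hostname from the record above */

    if (format_addr(host, 0, before, sizeof(before)) == 0 &&
        format_addr(host, 1, after, sizeof(after)) == 0)
        printf("pre-patch: %s\npatched:   %s\n", before, after);
    return 0;
}
```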