Package: syslog-ng-core
X-Debbugs-Cc: baptiste.ca...@synacktiv.com
Version: 3.38.1-5
Severity: minor

Dear Maintainer,

* What led up to the situation?

Having the line `destination d_console_all { getvirtconsole(); };` in my
/etc/syslog-ng/syslog-ng.conf configuration file. If I understand it correctly,
this config calls, somehow, /usr/share/syslog-ng/include/scl/getvirtconsole/plugin.conf,
which contains 'exec("`scl-root`/getvirtconsole/tty10.sh")' and therefore executes
the /usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh script.

* What exactly did you do (or not do) that was effective (or ineffective)?

I installed the syslog-ng-core package on a server with an auditd rule that catches
unusual execve errors. This rule triggered on the execution of
/usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh, as shown in the logs below:

```
type=PROCTITLE msg=audit(05/15/2024 00:00:15.740:644853) : proctitle=sh -c /usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh
type=PATH msg=audit(05/15/2024 00:00:15.740:644853) : item=1 name=/usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh inode=53505901 dev=fe:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(05/15/2024 00:00:15.740:644853) : item=0 name=/usr/share/syslog-ng/include/scl/getvirtconsole/tty10.sh inode=XXX dev=fe:02 mode=file,755 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(05/15/2024 00:00:15.740:644853) : cwd=/
type=SYSCALL msg=audit(05/15/2024 00:00:15.740:644853) : arch=x86_64 syscall=execve success=no exit=ENOEXEC(Exec format error) a0=XXX a1=XXX a2=XXX a3=XXX items=2 ppid=XXX pid=XXX auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sh exe=/usr/bin/dash subj=unconfined key=hids_execve_anormal_error
```

* What was the outcome of this action?

The execution returns an ENOEXEC code.

* What outcome did you expect instead?

The execution should not fail.

* Fix

Simply patch the shebang as shown below:

```
# diff tty10.orig.sh tty10.sh
1c1
< #/bin/sh
---
> #!/bin/sh
```

-- System Information:
Debian Release: 12.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-17-amd64 (SMP w/1 CPU thread; PREEMPT)
Kernel taint flags: TAINT_SOFTLOCKUP
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages syslog-ng-core depends on:
ii  libc6                       2.36-9+deb12u3
ii  libcap2                     1:2.66-4
ii  libglib2.0-0                2.74.6-2
ii  libivykis0                  0.42.4-1
ii  libjson-c5                  0.16-2
ii  libnet1                     1.1.6+dfsg-3.2
ii  libpcre3                    2:8.39-15
ii  libssl3                     3.0.11-1~deb12u2
ii  libsystemd0                 252.19-1~deb12u1
ii  libwrap0                    7.6.q-32
ii  sysvinit-utils [lsb-base]   3.06-4

Versions of packages syslog-ng-core recommends:
ii  logrotate  3.21.0-1

Versions of packages syslog-ng-core suggests:
pn  syslog-ng-mod-add-contextual-data  <none>
pn  syslog-ng-mod-amqp                 <none>
pn  syslog-ng-mod-examples             <none>
pn  syslog-ng-mod-geoip2               <none>
pn  syslog-ng-mod-graphite             <none>
pn  syslog-ng-mod-http                 <none>
ii  syslog-ng-mod-mongodb              3.38.1-5
pn  syslog-ng-mod-python               <none>
pn  syslog-ng-mod-rdkafka              <none>
pn  syslog-ng-mod-redis                <none>
pn  syslog-ng-mod-riemann              <none>
pn  syslog-ng-mod-slog                 <none>
pn  syslog-ng-mod-smtp                 <none>
pn  syslog-ng-mod-snmp                 <none>
ii  syslog-ng-mod-sql                  3.38.1-5
pn  syslog-ng-mod-stardate             <none>
pn  syslog-ng-mod-stomp                <none>
pn  syslog-ng-mod-xml-parser           <none>

Thank you.
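Review bot: the one-character change in the diff above is the correct and complete fix for the failure reported. `#/bin/sh` begins with `#` but not `#!`, so when plugin.conf's exec() runs tty10.sh directly the kernel finds no interpreter line and no binary format it recognises, and execve fails with ENOEXEC, which is exactly the `type=SYSCALL ... syscall=execve success=no exit=ENOEXEC(Exec format error)` record in the audit log; `#!/bin/sh` supplies the missing interpreter. One check before this goes into the package: the corrected file must keep the `mode=file,755` the audit record shows, since a valid shebang does not help if the file is no longer executable.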
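The mechanism behind the report, as an added example that is not part of the bug report or of syslog-ng: a POSIX sh snippet that classifies an executable by its leading bytes the way execve does (a `#!` interpreter line, an ELF header, or nothing recognisable, which is the ENOEXEC case), lists the executables under a directory that fall in the third class, and applies the report's one-character shebang fix in place. The file names and the temporary directory used in the demonstration are constructed for the example.

```sh
# Added example, not part of the bug report or of syslog-ng. It classifies an
# executable by the bytes at the start of the file, which is what the kernel's
# execve looks at, lists executables a direct execve cannot run, and applies
# the one-character fix from the report. All file names below are constructed.

# exec_kind FILE -> "shebang", "elf" or "noexec"
exec_kind() {
    magic=$(head -c 4 -- "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        2321*)    echo shebang ;;   # "#!" interpreter line
        7f454c46) echo elf ;;       # "\x7fELF" binary
        *)        echo noexec ;;    # no recognised format: execve returns ENOEXEC
    esac
}

# find_noexec DIR -> executable regular files under DIR that are neither
# shebang scripts nor ELF binaries, one path per line, sorted
find_noexec() {
    find "$1" -type f -perm -u+x | sort | while IFS= read -r f; do
        [ "$(exec_kind "$f")" = noexec ] && printf '%s\n' "$f"
    done
    return 0
}

# fix_shebang FILE -> if the first line is "#/path" (a comment that was meant
# to be a shebang), rewrite it in place as "#!/path"; other files are untouched
fix_shebang() {
    first=$(head -n 1 -- "$1")
    case $first in
        '#!'*) return 0 ;;                       # already a valid shebang
        '#/'*)
            tmp="$1.tmp.$$"
            { printf '#!%s\n' "${first#"#"}"; tail -n +2 -- "$1"; } > "$tmp"
            cat -- "$tmp" > "$1" && rm -f -- "$tmp"   # keeps mode and owner of FILE
            ;;
    esac
}

# Demonstration on constructed files in a temporary directory
demo=$(mktemp -d)
printf '#/bin/sh\necho tty10\n' > "$demo/tty10.sh"   # same typo as in the report
printf '#!/bin/sh\necho ok\n'   > "$demo/good.sh"
chmod 755 "$demo/tty10.sh" "$demo/good.sh"
echo "executables execve would reject:"; find_noexec "$demo"
fix_shebang "$demo/tty10.sh"
echo "after fix_shebang:";                find_noexec "$demo"
head -n 1 "$demo/tty10.sh"
rm -rf -- "$demo"
```

Pointing `find_noexec` at /usr/share/syslog-ng/include/scl shows whether any other shipped script carries the same typo. The auditd rule in the report catches this class of defect at runtime, after the failed execve has happened; a scan like this finds it before the file is ever executed, for example in a package's test suite.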