[Auditbeat] btmp offset check (elastic#24515)
* auditbeat btmp offset check

Add check that saved offset is not larger than the current file size
to prevent seeking past the end of file
leehinman authored and narph committed Mar 17, 2021
1 parent 4b9bf5d commit 74bf93f
Showing 2 changed files with 6 additions and 5 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -264,6 +264,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- system/socket: Having some CPUs unavailable to Auditbeat could cause startup errors or event loss. {pull}22827[22827]
- Note incompatibility of system/socket on ARM. {pull}23381[23381]
- system/login: Fixed offset reset on inode reuse. {pull}24414[24414]
- system/login: Add additional offset check for utmp files. {pull}24515[24515]

*Filebeat*

10 changes: 5 additions & 5 deletions x-pack/auditbeat/module/system/login/utmp.go
Expand Up @@ -181,14 +181,14 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c

size := utmpFile.Size
oldSize := savedUtmpFile.Size
if size < oldSize {
if size < oldSize || utmpFile.Offset > size {
// UTMP files are append-only and so this is weird. It might be a sign of
// a highly unlikely inode reuse - or of something more nefarious.
// Setting isKnownFile to false so we read the whole file from the beginning.
isKnownFile = false

r.log.Warnf("Unexpectedly, the file %v is smaller than before (new: %v, old: %v) - reading whole file.",
utmpFile.Path, size, oldSize)
r.log.Warnf("saved size or offset illogical (new=%+v, saved=%+v) - reading whole file.",
utmpFile, savedUtmpFile)
}

if !isKnownFile && size == 0 {
Expand Down Expand Up @@ -221,7 +221,7 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c

// This will be the usual case, but we do not want to seek with the stored offset
// if the saved size is smaller than the current one.
if size >= oldSize {
if size >= oldSize && utmpFile.Offset <= size {
_, err = f.Seek(utmpFile.Offset, 0)
if err != nil {
errorC <- errors.Wrapf(err, "error setting offset %d for file %v", utmpFile.Offset, utmpFile.Path)
Expand All @@ -230,7 +230,7 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c

// If the saved size is smaller than the current one, or the previous Seek failed,
// we retry one more time, this time resetting to the beginning of the file.
if size < oldSize || err != nil {
if size < oldSize || utmpFile.Offset > size || err != nil {
_, err = f.Seek(0, 0)
if err != nil {
errorC <- errors.Wrapf(err, "error setting offset 0 for file %v", utmpFile.Path)
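Review bot: The same reset predicate is now spelled out three times in readNewInFile — `size < oldSize || utmpFile.Offset > size` at the first hunk, its negation at the second, and again with `|| err != nil` at the third — so any further condition added later (an inode comparison, say) has to be kept in sync in three places by hand. Computing it once where the warning is emitted, `resetToStart := size < oldSize || utmpFile.Offset > size`, and then testing `if resetToStart {`, `if !resetToStart {` and `if resetToStart || err != nil {` below would keep the three branches provably consistent. The comments above those conditions still describe only the size comparison ("if the saved size is smaller than the current one" and "UTMP files are append-only and so this is weird"), so they should mention the new case as well, e.g. `// ... or the saved offset points past the current end of the file.` It is not visible here whether `utmpFile.Offset` at this point already holds the offset restored from `savedUtmpFile` rather than a freshly initialised value; if it does not, the guard should compare `savedUtmpFile.Offset` instead. readNewInFile's body begins before the first hunk and continues past the last.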
