Linux syscollector: retrieve MAC addresses from "/sys/class/net/<ifname>/address". #2550

Merged
merged 3 commits into from Feb 10, 2019

DarkMatterCore
Contributor

This PR fixes issue #2532 by reading the real MAC address for each interface using data at "/sys/class/net/<ifname>/address" instead of only getting it from interfaces with AF_PACKET sockets, avoiding problems with bonded interfaces sharing the same MAC address at software level.

Member

@vikman90 vikman90 left a comment

@DarkMatterCore thanks for this PR.
However, the interface's MAC address does not appear in the database:

$ sqlite3 /var/ossec/queue/db/000.db "select name,mac from sys_netiface;"
enp0s8|
enp0s3|

And Syscollector displays those errors:

2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".

Please consider the fix described.

I confirm that this PR with that patch gets the MAC address on:

  • CentOS 6 (VM on Vagrant)
  • CentOS 7 (VM on Vagrant)
  • Ubuntu 18.10 (VM on Vagrant)
  • Debian 9 on Raspberry Pi 3.

Thank you.
Best.

Member

@vikman90 vikman90 left a comment

LGTM
@DarkMatterCore Thanks for the fix!

@vikman90 vikman90 assigned vikman90 and unassigned albertomn86 Feb 10, 2019
Member

@vikman90 vikman90 left a comment

This error appears in CentOS 5:

2019/02/10 20:09:52 wazuh-modulesd:syscollector: ERROR: Invalid MAC address length for interface "sit0" at "/sys/class/net/sit0/address".

In fact, the simple internet transition interface has no MAC address:

$ ip addr show sit0
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

This condition should not produce an error but a debug log.

In fact, the system file exists but it has a shorter zero-filled MAC address:

$ cat /sys/class/net/sit0/address
00:00:00:00

Some tunneling interfaces have a shorter MAC, like "00:00:00:00"
Member

@vikman90 vikman90 left a comment

Now it works in:

  • CentOS 5
  • CentOS 6
  • CentOS 7
  • Ubuntu 18.10
  • Raspbian 9

@vikman90 vikman90 merged commit 578cbba into 3.9 Feb 10, 2019
@vikman90 vikman90 deleted the 3.9-syscollector-linux-ifaddr branch February 10, 2019 19:52
chemamartinez pushed a commit that referenced this pull request Feb 12, 2019
…me>/address". (#2550)

* Linux syscollector: retrieve MAC addresses from "/sys/class/net/<ifname>/address".

* Fixed wrong fread() call + variable naming convention.

* Let Syscollector get a shorter MAC address.

Some tunneling interfaces have a shorter MAC, like "00:00:00:00"
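
The validation discussed in this thread, as an added example that is not the code merged in this PR: it reads "/sys/class/net/<ifname>/address", accepts any well-formed colon-separated address (6 octets for Ethernet, 4 for sit0) and lets the caller tell a null address from a malformed one. The function names, the `base` parameter and the sample strings are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Validate text of the form "xx:xx:...:xx" (optional trailing newline).
 * Copies the lower-cased address to out and returns the octet count,
 * or -1 if the text is malformed or does not fit in out. */
int parse_hwaddr(const char *raw, char *out, size_t outlen) {
    size_t len = strcspn(raw, "\r\n");
    if (len < 2 || (len + 1) % 3 != 0 || len >= outlen) return -1;
    for (size_t i = 0; i < len; i++) {
        int ok = (i % 3 == 2) ? raw[i] == ':' : isxdigit((unsigned char)raw[i]);
        if (!ok) return -1;
        out[i] = (char)tolower((unsigned char)raw[i]);
    }
    out[len] = '\0';
    return (int)((len + 1) / 3);
}

/* 1 if every octet is zero (sit0 reports "00:00:00:00"): no usable MAC. */
int hwaddr_is_null(const char *mac) {
    return mac[0] != '\0' && strspn(mac, "0:") == strlen(mac);
}

/* Read <base>/<ifname>/address; base is "/sys/class/net" on a real host. */
int read_iface_hwaddr(const char *base, const char *ifname, char *out, size_t outlen) {
    char path[256], raw[128];
    /* The interface name must be a single path component. */
    if (!*ifname || strchr(ifname, '/') || !strcmp(ifname, "..")) return -1;
    int n = snprintf(path, sizeof path, "%s/%s/address", base, ifname);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    size_t got = fread(raw, 1, sizeof raw - 1, fp); /* element size 1: got counts bytes */
    fclose(fp);
    raw[got] = '\0';
    return parse_hwaddr(raw, out, outlen);
}

int main(void) {
    /* Constructed samples: Ethernet, sit0-style tunnel, malformed. */
    const char *samples[] = {"08:00:27:AB:cd:ef\n", "00:00:00:00\n", "not-a-mac\n"};
    char mac[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int n = parse_hwaddr(samples[i], mac, sizeof mac);
        if (n < 0) puts("malformed: report as an error");
        else printf("%s octets=%d%s\n", mac, n, hwaddr_is_null(mac) ? " (null address: debug log only)" : "");
    }
    return 0;
}
```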
Labels
module/syscollector type/bug Something isn't working