[osiris] problem handling a new session key in 4.2.1

Oscar Bear oscar.d.bear at gmail.com
Fri Aug 11 11:31:59 EDT 2006


(Cross posted to the developer's list, but I'm not certain anyone is there
anymore.)

I've encountered an issue with osirismd 4.2.1 that I hadn't encountered with
4.1.9, the previous version I used.  When an agent is restarted and has lost
its session key, the next scheduled scan attempt fails.  Subsequent attempts
work fine.  Here's what I'm seeing in the logs (lines tagged with "- added
for debugging" are extra lines I've added to the code for debugging):

Aug 11 04:00:23 osiris osirismd[27666]: [605][server1][info] daemon doesn't have a session key, assigning it one.
Aug 11 04:00:23 osiris osirismd[27666]: [604][server1][warning] scan agent lost its session key, most likely it was restarted.
Aug 11 04:00:23 osiris osirismd[27666]: [606][server1][info] new session key assigned.
Aug 11 04:00:23 osiris osirismd[27666]: [603][server1][warning] received invalid key from daemon.
Aug 11 04:00:23 osiris osirismd[27666]: [603][server1][warning] F9E6E9035355685FD0012FC12C72F8BC7AE6AF97 - added for debugging
Aug 11 04:00:23 osiris osirismd[27666]: [603][server1][warning] 7A4BFFBEC196C50CB358A3D3885CED7608959B9C - added for debugging
Aug 11 04:00:23 osiris osirismd[27666]: [603][server1][warning] received invalid key from daemon. - added for debugging
Aug 11 04:00:23 osiris osirismd[27666]: [803][server1][err] scheduled scan failed: session key negotiation with remote host failed.



So despite successfully creating and assigning a new session key, it still
fails because it doesn't have a session key.

Anyway, long story short, the problem is occurring in src/osirismd/md_scan.c
in the function scan_host.  The host's configuration file, with the session
key, is read from disk, and then osi_host_push_base_db_config is called to
push a configuration to the host.  This function establishes its own
connection to the host, and identifies that the host no longer has a session
key, so it creates one, sends it to the host, and writes it to the config
file.  After pushing the config, the function returns.  scan_host then makes
its own connection to the host, and attempts its own session key
negotiation.  However, at this point the host has a new session key from
osi_host_push_base_db_config, but scan_host still has the old session key
from the config file.


I've found that calling osi_host_push_base_db_config before reading the
config file will correct this.  The following patch will do that.  Anyway, I
hope this might help anyone else who may be seeing this.

-Oz




--- md_scan.c   2006-07-27 21:22:41.000000000 -0400
+++ md_scan.c   2006-08-11 11:22:34.000000000 -0400
@@ -448,6 +448,12 @@
         return;
     }

+    /* if we push base db's config, then scan this host.  */
+    /* we don't care about return values, it may not have */
+    /* a baseline database set yet.                       */
+
+    osi_host_push_base_db_config( name );
+
     /* read host structure from disk. */

     if( ( host = osi_read_host( name ) ) == NULL )
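
Review bot: the comment moved in above osi_host_push_base_db_config( name ) is carried over unchanged and does not say why the call must now come before osi_read_host( name ). Please state there that the push can assign a new session key and rewrite the host's config file, so the host structure has to be read afterwards; without that, a later cleanup could move the call back and reintroduce the failure. The push also now runs before the osi_read_host NULL check, so it is attempted even for a host whose record cannot be read, which is worth confirming as intended.
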
@@ -460,12 +466,6 @@
         return;
     }

-    /* if we push base db's config, then scan this host.  */
-    /* we don't care about return values, it may not have */
-    /* a baseline database set yet.                       */
-
-    osi_host_push_base_db_config( name );
-
     /* now send start scan message to the remote daemon. */

     initialize_message( &req, MESSAGE_TYPE_START_SCAN );
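
Review bot: after this removal, nothing between the osi_read_host check and initialize_message( &req, MESSAGE_TYPE_START_SCAN ) refreshes host, so the scan still relies on the key read from disk matching what the agent holds, and the fix depends purely on call order. Since the push's return value is deliberately ignored, consider also re-reading the host and retrying once when the scan's key negotiation fails, so a key change from any other path does not cost a scheduled scan.
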
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/osiris/attachments/20060811/1662379a/attachment.htm 
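
The ordering problem described in the message above, reduced to a small C model. This is an added example, not code from the post or from Osiris: model_push_config, model_scan_host, the constructed key strings and the in-memory stand-in for the config file are all assumptions made for illustration.

```c
/* Toy model of the stale-session-key ordering bug. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 48

static char disk_key[KEY_LEN];   /* key stored in the manager's host config file */
static char agent_key[KEY_LEN];  /* key held in the agent's memory */
static unsigned counter;         /* stands in for a random key generator */

void model_reset(void)
{
    counter = 0;
    strcpy(disk_key, "constructed-key-0");
    strcpy(agent_key, "constructed-key-0");
}

/* Agent restart: its in-memory key is lost; the manager's file is untouched. */
void model_agent_restart(void) { agent_key[0] = '\0'; }

/* Push step as the post describes it: on its own connection it notices the
 * agent has no key, creates one, sends it, and writes it to the config file. */
void model_push_config(void)
{
    if (agent_key[0] == '\0') {
        snprintf(agent_key, KEY_LEN, "constructed-key-%u", ++counter);
        strcpy(disk_key, agent_key);
    }
}

/* Returns 0 if the scan's own key negotiation succeeds, -1 otherwise.
 * push_first = 0 is the 4.2.1 order (read, then push); 1 is the patched order. */
int model_scan_host(int push_first)
{
    char held[KEY_LEN];
    if (push_first) model_push_config();
    strcpy(held, disk_key);                 /* read host structure from disk */
    if (!push_first) model_push_config();   /* may rotate the key after the read */
    return strcmp(held, agent_key) == 0 ? 0 : -1;
}

int main(void)
{
    model_reset(); model_agent_restart();
    printf("original order, first scan:  %d\n", model_scan_host(0));
    printf("original order, second scan: %d\n", model_scan_host(0));
    model_reset(); model_agent_restart();
    printf("patched order, first scan:   %d\n", model_scan_host(1));
    return 0;
}
```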