Date: Tue, 5 Sep 2006 17:41:08 +0200
From: Joerg Pernfuss <elessar@bsdforen.de>
To: audit@freebsd.org
Subject: audit MFC to RELENG_6, auditd doesn't start
Message-ID: <20060905174108.5ea3a758@loki.starkstrom.lan>

Hi,

after I saw rwatson's MFC of the experimental audit support to RELENG_6, I checked out the tree yesterday. Build and install went fine without errors, but sth either went wrong or was made going wrong by me.

Now auditd exits with exit(1) right after I start it, and

Sep 5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep 5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep 5 17:27:02 loki auditd[65275]: Log directories exhausted
Sep 5 17:27:02 loki auditd[65275]: Could not swap audit file
Sep 5 17:27:02 loki auditd[65275]: Error reading control file
Sep 5 17:27:02 loki elessar: audit warning: nostart
Sep 5 17:27:02 loki elessar: audit warning: getacdir /var/audit
Sep 5 17:27:02 loki elessar: audit warning: getacdir /usr/audit

is everything I can get out of it, -d or not.

dmesg suggests that the kernel side of the audit support works fine.

FreeBSD 6.1-STABLE #0: Tue Sep 5 11:53:24 CEST 2006
    root@loki.starkstrom.lan:/usr/obj/usr/src/sys/LOKI
ACPI APIC Table: <VIA694 AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) III CPU family 1400MHz (1399.54-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6b1  Stepping = 1
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory  = 1610547200 (1535 MB)
avail memory = 1568890880 (1496 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
Security policy loaded: TrustedBSD MAC/BSD Extended (mac_bsdextended)
Security policy loaded: TrustedBSD MAC/seeotheruids (mac_seeotheruids)
Security policy loaded: TrustedBSD MAC/ifoff (mac_ifoff)
Security policy loaded: TrustedBSD MAC/Partition (mac_partition)
Security policy loaded: TrustedBSD MAC/portacl (trustedbsd_mac_portacl)
Security auditing service present
BSM auditing present

Disabling all the TrustedBSD modules via sysctl made no difference, the configuration files for audit are the default ones with one added dir: entry in audit_control, /var/audit and /usr/audit exist and are 50-60% free.

root@loki: /var/audit# ls -l
total 0
-r--r----- 1 root audit 0 Sep 5 15:32 20060905133200.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:33 20060905133333.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:36 20060905133630.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:39 20060905133922.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:40 20060905134055.not_terminated

The sources have been patched with the unionfs-p16 and propolice patches, but from my understanding of the error messages, that should not be the problem.

audit_warn.c has this comment for getacdir warnings:

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */

The entries in /etc/security/audit_control are

dir:/var/audit
dir:/usr/audit

The second I added to check if by chance sth with the diskfree calculations went wrong.

I am troubled. Thanks for any pointers about what I am doing wrong.

Regards,
Jörg

-- 
| /"\   ASCII ribbon   | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |  0xbbcaad24  | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |       .the next sentence is true.       |
| / \     and news     |    .the previous sentence was a lie.    |