From owner-freebsd-audit@FreeBSD.ORG Tue Sep 5 15:41:44 2006
Date: Tue, 5 Sep 2006 17:41:08 +0200
From: Joerg Pernfuss
To: audit@freebsd.org
Message-ID: <20060905174108.5ea3a758@loki.starkstrom.lan>
Subject: audit MFC to RELENG_6, auditd doesn't start
List-Id: FreeBSD Security Audit

Hi,

after I saw rwatson's MFC of the experimental audit support to RELENG_6, I checked out the tree yesterday. Build and install went fine without errors, but something either went wrong or was made to go wrong by me. Now auditd exits with exit(1) right after I start it, and

Sep  5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep  5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep  5 17:27:02 loki auditd[65275]: Log directories exhausted
Sep  5 17:27:02 loki auditd[65275]: Could not swap audit file
Sep  5 17:27:02 loki auditd[65275]: Error reading control file
Sep  5 17:27:02 loki elessar: audit warning: nostart
Sep  5 17:27:02 loki elessar: audit warning: getacdir /var/audit
Sep  5 17:27:02 loki elessar: audit warning: getacdir /usr/audit

is everything I can get out of it, -d or not. dmesg suggests that the kernel side of the audit support works fine.
FreeBSD 6.1-STABLE #0: Tue Sep  5 11:53:24 CEST 2006
    root@loki.starkstrom.lan:/usr/obj/usr/src/sys/LOKI
ACPI APIC Table:
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) III CPU family 1400MHz (1399.54-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6b1  Stepping = 1
  Features=0x383fbff
real memory  = 1610547200 (1535 MB)
avail memory = 1568890880 (1496 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID:  0
 cpu1 (AP): APIC ID:  1
Security policy loaded: TrustedBSD MAC/BSD Extended (mac_bsdextended)
Security policy loaded: TrustedBSD MAC/seeotheruids (mac_seeotheruids)
Security policy loaded: TrustedBSD MAC/ifoff (mac_ifoff)
Security policy loaded: TrustedBSD MAC/Partition (mac_partition)
Security policy loaded: TrustedBSD MAC/portacl (trustedbsd_mac_portacl)
Security auditing service present
BSM auditing present

Disabling all the TrustedBSD modules via sysctl made no difference. The configuration files for audit are the default ones with one added dir: entry in audit_control; /var/audit and /usr/audit exist and are 50-60% free.

root@loki: /var/audit# ls -l
total 0
-r--r-----  1 root  audit  0 Sep  5 15:32 20060905133200.not_terminated
-r--r-----  1 root  audit  0 Sep  5 15:33 20060905133333.not_terminated
-r--r-----  1 root  audit  0 Sep  5 15:36 20060905133630.not_terminated
-r--r-----  1 root  audit  0 Sep  5 15:39 20060905133922.not_terminated
-r--r-----  1 root  audit  0 Sep  5 15:40 20060905134055.not_terminated

The sources have been patched with the unionfs-p16 and propolice patches, but from my understanding of the error messages, that should not be the problem. audit_warn.c has this comment for getacdir warnings:

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */

The entries in /etc/security/audit_control are

dir:/var/audit
dir:/usr/audit

The second I added to check if by chance something with the diskfree calculations went wrong. I am troubled. Thanks for any pointers about what I am doing wrong.

Regards,
Jörg

-- 
| /"\ ASCII ribbon      | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against  | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X  HTML in email     | .the next sentence is true.             |
| / \ and news          | .the previous sentence was a lie.       |

From owner-freebsd-audit@FreeBSD.ORG Tue Sep 5 19:11:01 2006
Date: Tue, 5 Sep 2006 21:10:48 +0200
From: Joerg Pernfuss
To: audit@freebsd.org
Message-ID: <20060905211048.709c30bd@loki.starkstrom.lan>
In-Reply-To: <20060905174108.5ea3a758@loki.starkstrom.lan>
Subject: Re: audit MFC to RELENG_6, auditd doesn't start

A bit more information: from /var/log/security:

Sep  5 20:57:28 loki auditd[1620]: starting...
Sep  5 20:57:28 loki auditd[1620]: dir = /var/audit
Sep  5 20:57:28 loki auditd[1620]: New audit file is /var/audit/20060905185728.not_terminated
Sep  5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep  5 20:57:28 loki auditd[1620]: dir = /usr/audit
Sep  5 20:57:28 loki auditd[1620]: New audit file is /usr/audit/20060905185728.not_terminated
Sep  5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep  5 20:57:28 loki auditd[1620]: Log directories exhausted
Sep  5 20:57:28 loki auditd[1620]: Could not swap audit file
Sep  5 20:57:28 loki auditd[1620]: Error reading control file
Sep  5 20:57:28 loki elessar: audit warning: getacdir /var/audit
Sep  5 20:57:28 loki elessar: audit warning: getacdir /usr/audit
Sep  5 20:57:28 loki elessar: audit warning: nostart

The output from a ktrace of `auditd -d`:
http://www.elessar.org/auditd.ktrace-fork.txt

Full dmesg (not verbose though):
http://www.elessar.org/dmesg.txt

Kernel configuration:
http://www.elessar.org/kernel_conf.txt

And last but not least my /etc/security/audit_control, as it is the only modified file:

dir:/var/audit
dir:/usr/audit
flags:lo
minfree:5
naflags:lo

Regards,
Jörg