From: Joerg Pernfuss
To: audit@freebsd.org
Date: Tue, 5 Sep 2006 21:10:48 +0200
Subject: Re: audit MFC to RELENG_6, auditd doesn't start

A bit more information:

from /var/log/security:

Sep 5 20:57:28 loki auditd[1620]: starting...
Sep 5 20:57:28 loki auditd[1620]: dir = /var/audit
Sep 5 20:57:28 loki auditd[1620]: New audit file is /var/audit/20060905185728.not_terminated
Sep 5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep 5 20:57:28 loki auditd[1620]: dir = /usr/audit
Sep 5 20:57:28 loki auditd[1620]: New audit file is /usr/audit/20060905185728.not_terminated
Sep 5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep 5 20:57:28 loki auditd[1620]: Log directories exhausted
Sep 5 20:57:28 loki auditd[1620]: Could not swap audit file
Sep 5 20:57:28 loki auditd[1620]: Error reading control file
Sep 5 20:57:28 loki elessar: audit warning: getacdir /var/audit
Sep 5 20:57:28 loki elessar: audit warning: getacdir /usr/audit
Sep 5 20:57:28 loki elessar: audit warning: nostart

The output from a ktrace of `auditd -d`:
http://www.elessar.org/auditd.ktrace-fork.txt

Full dmesg (not verbose though):
http://www.elessar.org/dmesg.txt

Kernel configuration:
http://www.elessar.org/kernel_conf.txt

And last but not least my /etc/security/audit_control as it is the only
modified file:

dir:/var/audit
dir:/usr/audit
flags:lo
minfree:5
naflags:lo

Regards,
Jörg

-- 
| /"\   ASCII ribbon   | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |       .the next sentence is true.       |
| / \     and news     |    .the previous sentence was a lie.    |