From owner-freebsd-security@freebsd.org Sun Jan 3 19:06:35 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Sun, 03 Jan 2016 19:06:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 9.3-RELEASE
X-Bugzilla-Keywords: feature, needs-patch, needs-qa, security
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: koobs@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Assigned-To: des@FreeBSD.org
X-Bugzilla-Flags: mfc-stable9? mfc-stable10?
List-Id: "Security issues [members-only posting]"

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

Kubilay Kocak changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |feature, needs-patch,
                   |                            |needs-qa, security
           Priority|---                         |Normal
                 CC|                            |freebsd-security@FreeBSD.org
              Flags|                            |mfc-stable9?, mfc-stable10?

--- Comment #2 from Kubilay Kocak ---
This issue needs more eyes

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From owner-freebsd-security@freebsd.org Sun Jan 3 20:48:51 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Sun, 03 Jan 2016 20:48:52 +0000
X-Bugzilla-Who: john@saltant.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #3 from John W. O'Brien ---
The fundamental problem is that libfetch always sets the CA cert file
(defaulting to /usr/local/etc/ssl/cert.pem if it exists or to /etc/ssl/cert.pem
otherwise), and openssl will return from X509_STORE_load_location() upon
failure to load the CAfile before trying to register the CApath. I will propose
a patch shortly.
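The ordering John describes can be reproduced without FreeBSD or libfetch, because Python's ssl.SSLContext.load_verify_locations() hands cafile and capath to the same OpenSSL entry point (SSL_CTX_load_verify_locations(), which wraps X509_STORE_load_locations()). The block below is an added example, not code from the bug report, from libfetch or from the proposed patch: it shows that a CA file which does not exist makes the whole call fail before the directory is ever registered, and that checking for the file first (the shape of the fix discussed later in the thread, assumed here rather than taken from the patch) lets the capath through. The temporary directory and the missing cert.pem path are constructed for the demonstration.

```python
import os
import ssl
import tempfile


def load_trust(cafile, capath):
    """Hand cafile and capath to OpenSSL in a single call, as libfetch does.

    Returns (ok, error): error is the exception class name when loading
    failed.  OpenSSL loads the file first and returns failure before it adds
    the directory lookup, so an unreadable cafile masks a perfectly good capath.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except OSError as exc:  # FileNotFoundError and ssl.SSLError both derive from OSError
        return False, type(exc).__name__
    return True, None


def load_trust_checked(cafile, capath):
    """Only pass a default CA file that actually exists on disk.

    Assumed shape of the fix discussed in the thread (not the patch itself):
    a missing default file must not prevent SSL_CA_CERT_PATH from being used.
    """
    if cafile is not None and not os.path.exists(cafile):
        cafile = None
    return load_trust(cafile, capath)


def demo():
    """Run both variants against an empty CA directory and a missing CA file.

    Both paths are constructed here.  The directory is empty, so registering
    it is enough for the call to succeed; the bug is that the missing file
    stops OpenSSL before it gets that far.
    """
    with tempfile.TemporaryDirectory() as capath:
        missing_file = os.path.join(capath, "cert.pem")  # never created
        before = load_trust(missing_file, capath)         # fails: file masks path
        after = load_trust_checked(missing_file, capath)  # succeeds: path only
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("file+path, file missing:", before)
    print("path only after check:  ", after)
```

Running it prints a failure (FileNotFoundError on most builds) for the unchecked call and (True, None) for the checked one; the same two calls with an existing bundle both succeed, which is why the problem only shows up on hosts where neither default file is installed.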
From owner-freebsd-security@freebsd.org Sun Jan 3 23:53:34 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Sun, 03 Jan 2016 23:53:33 +0000
X-Bugzilla-Who: john@saltant.com

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #4 from John W. O'Brien ---
I have opened review D4771 with a proposed patch for this bug, and will
commence testing. I have submitted the same patch against the pkg project on
github as https://github.com/freebsd/pkg/pull/1368.

From owner-freebsd-security@freebsd.org Mon Jan 4 10:47:48 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Mon, 04 Jan 2016 10:47:48 +0000
X-Bugzilla-Who: des@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #5 from Dag-Erling Smørgrav ---
Please attach the patch to this PR.
From owner-freebsd-security@freebsd.org Mon Jan 4 13:01:11 2016
From: bugzilla-noreply@freebsd.org
To: freebsd-security@FreeBSD.org
Subject: [Bug 193871] Certificates in /etc/ssl/certs not considered by pkg and fetch
Date: Mon, 04 Jan 2016 13:01:10 +0000
X-Bugzilla-Who: john@saltant.com
X-Bugzilla-Changed-Fields: attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193871

--- Comment #6 from John W. O'Brien ---
Created attachment 165049
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165049&action=edit
test for /etc/ssl/cert.pem existence to avoid masking SSL_CA_CERT_PATH

I have tested this and it works as intended. If you would like evidence, I
would need to boil down the test results to a form suitable for sharing.

In the course of testing, I realized that while the fallback to OpenSSL
defaults is good, the inconsistency between the semantics of the libfetch layer
of environment variables (SSL_CA_CERT_FILE, SSL_CA_CERT_PATH) and the defaults
in their absence and the libcrypto layer of environment variables
(SSL_CERT_FILE, SSL_CERT_DIR) and the defaults in their absence is not so good.
To wit, libfetch has a default file---two, in fact---but no default path,
whereas libcrypto has both, and the existence of either of the libfetch default
files will prevent the fallback to the OpenSSL defaults.

As I understand it, the reason that libfetch has a default to begin with,
rather than always using the OpenSSL default behavior, is mainly (solely?) to
allow the bundle from security/cs-nss-root to be picked up as the system
default, at least for libfetch and its consumers (like pkg), merely by virtue
of its installing a /usr/local/etc/ssl/cert.pem symlink, which is not a place
OpenSSL looks by default.

I don't have a recommendation at the moment, but when I do, it might be to add
/usr/local/etc/certs as a path default for libfetch.

From owner-freebsd-security@freebsd.org Sat Jan 9 19:04:45 2016
From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
To: freebsd-security@freebsd.org
Subject: Does audit_control's "expire-after" by size works?
Date: Sat, 09 Jan 2016 22:05:10 +0300
I have this:

expire-after:356d AND 5G

and now my /var/audit contains 1 year of files, but it takes 105
gigabytes (!).

It is FreeBSD 10.2-STABLE r286784

-- 
// Lev Serebryakov AKA Black Lion

From owner-freebsd-security@freebsd.org Sat Jan 9 21:04:35 2016
From: Terje Elde
To: lev@FreeBSD.org
Cc: freebsd-security@freebsd.org
Subject: Re: Does audit_control's "expire-after" by size works?
Date: Sat, 9 Jan 2016 21:55:42 +0100

> On 09 Jan 2016, at 20:05, Lev Serebryakov wrote:
>
> I have this:
>
> expire-after:356d AND 5G
>
> and now my /var/audit contains 1 year of files, but it takes 105
> gigabytes (!).
>
> It is FreeBSD 10.2-STABLE r286784

I don't recall how that limit is implemented, but it could be related to this:

https://www.freebsd.org/security/advisories/FreeBSD-EN-15:19.kqueue.asc

Terje

From owner-freebsd-security@freebsd.org Sat Jan 9 22:39:48 2016
From: Lev Serebryakov
Organization: FreeBSD
To: Terje Elde
Cc: freebsd-security@freebsd.org
Subject: Re: Does audit_control's "expire-after" by size works?
Date: Sun, 10 Jan 2016 01:39:31 +0300

Hello Terje,

Saturday, January 9, 2016, 11:55:42 PM, you wrote:

>> expire-after:356d AND 5G
>>
>> and now my /var/audit contains 1 year of files, but it takes 105
>> gigabytes (!).
>>
>> It is FreeBSD 10.2-STABLE r286784
> I don't recall how that limit is implemented, but it could be related to this:
> https://www.freebsd.org/security/advisories/FreeBSD-EN-15:19.kqueue.asc
All these files are less than 2G. Really, each individual file is less than
200M.

And here is my other question (in a separate message).
-- 
Best regards,
 Lev                            mailto:lev@FreeBSD.org

From owner-freebsd-security@freebsd.org Sat Jan 9 23:01:02 2016
From: Lev Serebryakov
Organization: FreeBSD
To: freebsd-security@freebsd.org
Subject: Size of audit trace files: something changed between
Date: Sun, 10 Jan 2016 02:00:52 +0300

Hello Freebsd-security,

I have /etc/security/audit_control configured to have 200M trace files and
"audit -n" is scheduled to run twice a day, at 00:00 and 12:00.

Old trace files look OK (it is November 2015):

-r--r-----  1 root  audit  209715488 Nov 16 19:05 20151116090000.20151116160510.46.4.40.135
-r--r-----  1 root  audit  209716086 Nov 16 20:58 20151116160510.20151116175847.46.4.40.135

It can be seen that these files are rotated at the 200M boundary. And the
latest files are rotated very (too!) often:

-r--r-----  1 root  audit     102083 Jan  9 21:50 20160109185013.20160109185043.46.4.40.135
-r--r-----  1 root  audit     471138 Jan  9 21:51 20160109185043.20160109185115.46.4.40.135
-r--r-----  1 root  audit     283454 Jan  9 21:51 20160109185115.20160109185145.46.4.40.135
-r--r-----  1 root  audit     189662 Jan  9 21:52 20160109185145.20160109185215.46.4.40.135

Small files are rotated every 30 seconds (!). It is very inconvenient, as
there are A LOT of these small files!

System is FreeBSD 10.2-STABLE #1 r286784: Fri Aug 14 21:40:59 MSK 2015, so it
looks like it is not a regression in the system, as the November traces are OK!

-- 
Best regards,
 Lev                            mailto:lev@FreeBSD.org

From owner-freebsd-security@freebsd.org Sat Jan 9 23:03:02 2016
From: Lev Serebryakov
Organization: FreeBSD
To: Terje Elde
Cc: freebsd-security@freebsd.org
Subject: Re: Does audit_control's "expire-after" by size works?
Date: Sun, 10 Jan 2016 02:02:47 +0300

Hello Terje,

Saturday, January 9, 2016, 11:55:42 PM, you wrote:

> I don't recall how that limit is implemented, but it could be related to this:
Looks like I could not understand the man page right :)

Expiration with AND is by time, and size is an additional condition. So,
"365 AND 5G" could leave any number of files, up to one year, if they take
more than 5G, and NOT "365 files but no more than 5G".

-- 
Best regards,
 Lev                            mailto:lev@FreeBSD.org
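Lev's reading of the man page can be checked against a small model of the rule. The block below is an added example, not code from auditd(8) or from anyone in the thread: it implements expire-after as audit_control(5) describes it (with AND both the age and the size condition must hold for a trail to be removed, with OR either one is enough), walking the trails oldest first and stopping at the first one the rule does not cover. The oldest-first walk, the suffix table and the sample trails (1 GiB each, dated around the time of the thread) are assumptions made for the demonstration, not taken from auditd's source.

```python
import re
from dataclasses import dataclass

# Suffixes as listed in audit_control(5) (assumed here): s/h/d/y for time,
# B/K/M/G for size.
_TIME_UNITS = {"s": 1, "h": 3600, "d": 86400, "y": 365 * 86400}
_SIZE_UNITS = {"B": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}


@dataclass
class Trail:
    name: str   # trail file name, e.g. 20160109185013.20160109185043
    size: int   # bytes
    mtime: int  # seconds since the epoch


def parse_expire_after(spec):
    """Parse an expire-after value such as '356d AND 5G' into
    (age_seconds, size_bytes, operator); parts that are not given are None."""
    age = size = op = None
    for token in spec.split():
        if token.upper() in ("AND", "OR"):
            op = token.upper()
            continue
        m = re.fullmatch(r"(\d+)([shdyBKMG])", token)
        if m is None:
            raise ValueError(f"bad expire-after token: {token!r}")
        n, unit = int(m.group(1)), m.group(2)
        if unit in _TIME_UNITS:
            age = n * _TIME_UNITS[unit]
        else:
            size = n * _SIZE_UNITS[unit]
    if age is not None and size is not None and op is None:
        raise ValueError("an age and a size need AND or OR between them")
    return age, size, op


def expire(trails, spec, now):
    """Return the names of the trails the rule removes, oldest first.

    The directory is over the size limit while the bytes still kept exceed
    it; a trail is over the age limit when it is older than the limit.  With
    AND a trail goes only when both hold, with OR when either does, which is
    why a year of trails totalling 105 GB survives '356d AND 5G' untouched.
    """
    age_limit, size_limit, op = parse_expire_after(spec)
    kept_bytes = sum(t.size for t in trails)
    removed = []
    for t in sorted(trails, key=lambda t: t.mtime):
        too_old = age_limit is not None and now - t.mtime > age_limit
        too_big = size_limit is not None and kept_bytes > size_limit
        hit = (too_old and too_big) if op == "AND" else (too_old or too_big)
        if not hit:
            break  # oldest first: every later trail is younger, so stop here
        removed.append(t.name)
        kept_bytes -= t.size
    return removed


NOW = 1452376800  # 2016-01-09 22:00:00 UTC, about when the thread was posted (constructed)


def build_trails(now, n_old=0, n_recent=105, trail_size=1 << 30):
    """Constructed sample: 1 GiB trails, n_old of them more than 400 days old
    and n_recent spread one per day over the last 300 days (all inside 356d)."""
    day = 86400
    old = [Trail(f"old{i}", trail_size, now - (400 + i) * day) for i in range(n_old)]
    recent = [Trail(f"recent{i}", trail_size, now - (300 - i) * day) for i in range(n_recent)]
    return old + recent


def levs_case():
    """Lev's situation: 105 GiB of trails younger than a year, under three rules."""
    trails = build_trails(NOW)
    return {
        "356d AND 5G": len(expire(trails, "356d AND 5G", NOW)),  # nothing is old enough
        "356d OR 5G": len(expire(trails, "356d OR 5G", NOW)),    # size alone trims to 5 GiB
        "5G": len(expire(trails, "5G", NOW)),
    }


if __name__ == "__main__":
    for spec, n in levs_case().items():
        print(f"{spec:12s} removes {n:3d} of 105 trails")
```

With the constructed trails the AND rule removes nothing, while "356d OR 5G" and a bare "5G" each drop the 100 oldest trails to get the directory back under 5 GiB; add ten trails older than 400 days and the AND rule removes exactly those ten, because the directory is over size and they are over age.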