Date:      Fri, 22 Sep 2006 02:50:16 +0200
From:      Joerg Pernfuss <elessar@bsdforen.de>
To:        stable@FreeBSD.org
Cc:        Robert Watson <rwatson@FreeBSD.org>
Subject:   Re: Problems with auditd -- resolved
Message-ID:  <20060922025016.6bc38025@loki.starkstrom.lan>
In-Reply-To: <20060917091750.T74654@fledge.watson.org>
References:  <20060917091750.T74654@fledge.watson.org>

On Sun, 17 Sep 2006 09:19:03 +0100 (BST)
Robert Watson <rwatson@FreeBSD.org> wrote:

> Dear all,
>
> I've just comitted a fix to syscalls.master and regenerated the
> remaining system call files, which should correct the auditctl:
> Invalid Argument error being returned by auditd.  In short order,
> this fix should be on the cvsup mirrors -- please let me know if it
> resolves the problem you were experiencing.
>
> Thanks,

Thank you for that quick fix Robert, but sadly I am still somewhat
at a loss.
The auditd does run now, but does not write back any audit data at all.
I have run at least three full buildworlds during the time you see
below, set flags, deleted things, logged in, logged out, logged in via
ssh to the external interface, ssh'ed to localhost. No gain.
/var/log/audit looks like this:

elessar@forseti: /home/elessar# ll /var/audit/
total 26
-r--r-----  1 root  audit  0 20 Sep 18:05 20060920160547.20060920160856
-r--r-----  1 root  audit  0 20 Sep 18:08 20060920160856.20060920161050
-r--r-----  1 root  audit  0 20 Sep 18:10 20060920161050.20060920161154
-r--r-----  1 root  audit  0 20 Sep 18:13 20060920161347.20060920161507
-r--r-----  1 root  audit  0 20 Sep 18:19 20060920161903.20060920161936
-r--r-----  1 root  audit  0 20 Sep 18:28 20060920162856.20060920162909
-r--r-----  1 root  audit  0 20 Sep 18:33 20060920163322.20060920163817
-r--r-----  1 root  audit  0 20 Sep 18:38 20060920163817.20060920164146
-r--r-----  1 root  audit  0 20 Sep 18:41 20060920164146.20060920164920
-r--r-----  1 root  audit  0 20 Sep 18:49 20060920164920.not_terminated
-r--r-----  1 root  audit  0 20 Sep 18:51 20060920165153.20060920165243
-r--r-----  1 root  audit  0 20 Sep 18:52 20060920165243.20060920165330
-r--r-----  1 root  audit  0 20 Sep 18:53 20060920165330.20060920171512
-r--r-----  1 root  audit  0 20 Sep 19:16 20060920171650.20060920175312
-r--r-----  1 root  audit  0 20 Sep 19:55 20060920175539.20060921215850
-r--r-----  1 root  audit  0 22 Sep 00:00 20060921220046.not_terminated

The old .not_terminated file is from me fiddling with the system.

That is the output from /var/log/security - first system startup, then
two `audit -n` -- everything seems to work fine.

Sep 22 00:00:46 forseti auditd[604]: starting...
Sep 22 00:00:46 forseti auditd[605]: dir = /var/audit
Sep 22 00:00:46 forseti auditd[605]: New audit file is /var/audit/20060921220046.not_terminated
Sep 22 00:00:46 forseti auditd[605]: min free = 20
Sep 22 00:00:46 forseti auditd[605]: Registered 434 event to class mappings.
Sep 22 00:00:46 forseti auditd[605]: Registered non-attributable event mask.
Sep 22 00:00:46 forseti auditd[605]: Audit controls init successful
Sep 22 00:04:05 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:04:05 forseti auditd[605]: Got open new trigger
Sep 22 00:04:05 forseti auditd[605]: dir = /var/audit
Sep 22 00:04:05 forseti auditd[605]: New audit file is /var/audit/20060921220405.not_terminated
Sep 22 00:04:05 forseti auditd[605]: renamed /var/audit/20060921220046.not_terminated to /var/audit/20060921220046.20060921220405
Sep 22 00:05:26 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:05:26 forseti auditd[605]: Got open new trigger
Sep 22 00:05:26 forseti auditd[605]: dir = /var/audit
Sep 22 00:05:26 forseti auditd[605]: New audit file is /var/audit/20060921220526.not_terminated
Sep 22 00:05:26 forseti auditd[605]: renamed /var/audit/20060921220405.not_terminated to /var/audit/20060921220405.20060921220526
Sep 22 00:06:16 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:06:16 forseti auditd[605]: Got open new trigger
Sep 22 00:06:16 forseti auditd[605]: dir = /var/audit
Sep 22 00:06:16 forseti auditd[605]: New audit file is /var/audit/20060921220616.not_terminated
Sep 22 00:06:16 forseti auditd[605]: renamed /var/audit/20060921220526.not_terminated to /var/audit/20060921220526.20060921220616

My audit_control file:
	dir:/var/audit
	flags:all
	minfree:20
	naflags:lo

My audit_user file:
	root:all:no
	elessar:all:no

From my understanding, this configuration should generate a ridiculous
amount of data and probably fill
	Filesystem   1K-blocks  Used  Avail Capacity  Mounted on
	/dev/ufs/var    253678 63308 170076    27%    /var
up to the configured limit during a buildworld.

uname -a:
FreeBSD forseti.starkstrom.lan 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #3:
Thu Sep 21 23:32:20 CEST 2006 elessar@forseti.starkstrom.lan:/usr/obj/usr/src/sys/FORSETI  alpha

audit sourcefile versions:
$FreeBSD: src/sys/security/audit/audit.c,v 1.18.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit.h,v 1.8.2.2 2006/09/04 06:07:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_arg.c,v 1.6.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_bsm.c,v 1.10.2.3 2006/09/20 17:04:04 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_bsm_klib.c,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $
$FreeBSD: src/sys/security/audit/audit_bsm_token.c,v 1.7.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_ioctl.h,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.9.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_private.h,v 1.10.2.2 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_syscalls.c,v 1.1.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_trigger.c,v 1.3.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.9.2.2 2006/09/20 17:07:11 csjp Exp $

=> if I did not miss an MFC, this should be the most recent audit version
available in RELENG_6.

The sources have the following patches applied:
	- unionfs6-p16.diff
	- fbsd6-ssp-propolice.patch
	- fbsd6-ssp-freebsd.patch
	- stackgap-20050527.diff
	- mmap_random-20050528.diff
Some were slightly updated to apply cleanly. I plan to "undo" the local patches
tomorrow and check that out, although I can't see where those patches could
be responsible for the observed behaviour.

I am grateful for any pointers to what I did wrong or what I can do to get
more helpful information out of it. The box is in no productive use, I have
local and console access. Short of physical damage nearly everything is
possible.

	Joerg

PS: /etc/make.conf, kernel config and dmesg follow:

/etc/make.conf:

CPUTYPE?=                               ev56
CFLAGS=                                 -O -pipe ${BDECFLAGS}
COPTFLAGS=                              -O -pipe
MAKE_SHELL?=                            sh
WANT_FORCE_OPTIMIZATION_DOWNGRADE=      1
NO_IPFILTER=                            YES	(*)
KERNCONF=                               FORSETI
NO_MODULES=                             YES
MODULES_WITH_WORLD=                     YES
WITH_SSP=                               YES
ENABLE_SSP=                             YES

(*) buildworld broke once without this option but I haven't yet
figured out why exactly, so no PR yet.

kernel configuration:

#
# FORSETI -- Custom kernel configuration file for FreeBSD/alpha
#
# $FreeBSD: src/sys/alpha/conf/GENERIC,v 1.186.2.8 2006/07/13 08:11:46 delphij Exp $

machine         alpha
cpu             EV5
ident           FORSETI
# Platforms supported
options         DEC_ST550               # Personal Workstation 433, 500, 600
#
options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         CD9660                  # ISO 9660 Filesystem
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=7500         # Delay (in ms) before probing SCSI
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
# Standard busses
device          isa
device          pci
# Floppy drives
device          fdc
# SCSI Controllers
device          isp             # Qlogic family
device          ispfw           # Firmware module for Qlogic host adapters
device          sym             # NCR/Symbios Logic (newer chipsets + those of `ncr')
# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          da              # Direct Access (disks)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          vga             # VGA video card driver
# syscons is the default console driver, resembling an SCO console
device          sc
#
device          mcclock         # MC146818 real time clock device
# Serial (COM) ports (required)
device          sio             # 8250, 16[45]50 based serial ports
# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
device          fxp             # Intel EtherExpress PRO/100B (82557, 82558)
device          rl              # RealTek 8129/8139
device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices.
device          loop            # Network loopback
device          mem             # Memory and kernel memory devices
device          random          # Entropy device
device          ether           # Ethernet support
device          ppp             # Kernel PPP
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
#
device          bpf             # Berkeley packet filter
# USB support
device          ohci            # OHCI PCI->USB interface
device          usb             # USB Bus (required)
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
#
maxusers        10
options         MAXDSIZ=(1024UL*1024*1024)
options         MAXSSIZ=(128UL*1024*1024)
options         DFLDSIZ=(1024UL*1024*1024)
options         PQ_CACHESIZE=2048       # color for 512k cache
options         GEOM_BSD                # BSD disklabels
options         GEOM_BDE                # Disk encryption.
options         GEOM_ELI                # Disk encryption.
options         GEOM_LABEL              # Providers labelization.
options         GEOM_MIRROR             # Disk mirroring.
options         GEOM_VOL                # Volume names from UFS superblock
options         FAST_IPSEC
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_PRIQ       # Priority Queueing
device          pf                      #PF OpenBSD packet-filter firewall
device          pflog                   #logging support interface for PF
device          pfsync                  #synchronization interface for PF
device          carp                    #Common Address Redundancy Protocol
device          vlan
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_HTTP
options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options         TCP_SIGNATURE           #include support for RFC 2385
options         UNIONFS                 #Union filesystem
options         AUDIT
options         MAC
#options         MAC_BIBA
#options         MAC_BSDEXTENDED
#options         MAC_IFOFF
#options         MAC_LOMAC
#options         MAC_MLS
#options         MAC_PARTITION
#options         MAC_PORTACL
#options         MAC_SEEOTHERUIDS
device          uart
device          sound
device          snd_sbc
device          snd_ess
device          crypto          # core crypto support
device          cryptodev       # /dev/crypto for access to h/w
device          rndtest         # FIPS 140-2 entropy tester




dmesg:

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.2-PRERELEASE #3: Thu Sep 21 23:32:20 CEST 2006
    elessar@forseti.starkstrom.lan:/usr/obj/usr/src/sys/FORSETI
Digital Personal Workstation (Miata)
Digital Personal WorkStation 500au, 500MHz
8192 byte page size, 1 processor.
CPU: EV56 (21164A) major=7 minor=0 extensions=0x1<BWX>
OSF PAL rev: 0x1000000020116
real memory  = 400711680 (382 MB)
avail memory = 384598016 (366 MB)
Security auditing service present
BSM auditing present
cia0: <2117x Core Logic chipset>
cia0: Pyxis, pass 1
cia0: extended capabilities: 1<BWEN>
pcib0: <2117x PCI host bus adapter> on cia0
pci0: <PCI bus> on pcib0
dc0: <Intel 21143 10/100BaseTX> port 0x9100-0x917f mem 0x80162100-0x8016217f irq 0 at device 3.0 on pci0
miibus0: <MII bus> on dc0
nsphy0: <DP83840 10/100 media interface> on miibus0
nsphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: Ethernet address: 00:00:f8:76:34:54
dc0: interrupting at CIA irq 0
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
pci0: <mass storage, ATA> at device 7.1 (no driver attached)
pci0: <mass storage, ATA> at device 7.2 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0x80161000-0x80161fff irq 234 at device 7.3 on pci0
ohci0: interrupting at ISA irq 10
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: (0x1080) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
sym0: <875> port 0x9000-0x90ff mem 0x80162000-0x801620ff,0x80160000-0x80160fff irq 4 at device 11.0 on pci0
sym0: No NVRAM, ID 7, Fast-20, SE, parity checking
sym0: interrupting at CIA irq 4
sym0: [GIANT-LOCKED]
pcib1: <PCI-PCI bridge> at device 20.0 on pci0
pci1: <PCI bus> on pcib1
isp0: <Qlogic ISP 1020/1040 PCI SCSI Adapter> port 0x8000-0x80ff mem 0x80024000-0x80024fff irq 3 at device 4.0 on pci1
isp0: interrupting at CIA irq 3
isp0: [GIANT-LOCKED]
pci1: <display, VGA> at device 10.0 (no driver attached)
sbc0: <ESS ES1888> at port 0x220-0x22f irq 5 drq 1 on isa0
sbc0: interrupting at ISA irq 5
sbc0: [GIANT-LOCKED]
pcm0: <ESS 18xx DSP> on sbc0
pcm0: [GIANT-LOCKED]
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
atkbd0: interrupting at ISA irq 1
atkbd0: [GIANT-LOCKED]
fdc0: <Enhanced floppy controller> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: interrupting at ISA irq 6
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
mcclock0: <MC146818A real time clock> at port 0x70-0x71 on isa0
ppc0: <Parallel port> at port 0x3bc-0x3c3 irq 7 on isa0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Polled port
ppi0: <Parallel I/O> on ppbus0
ppc0: interrupting at ISA irq 7
sc0: <System console> on isa0
sc0: VGA <16 virtual consoles, flags=0x200>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio0: interrupting at ISA irq 4
sio1 at port 0x2f8-0x2ff irq 3 flags 0x80 on isa0
sio1: type 16550A
sio1: interrupting at ISA irq 3
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "alpha" frequency 500000000 Hz quality 800
Timecounters tick every 0.976 msec
Fast IPsec: Initialized Security Association Processing.
Waiting 7 seconds for SCSI devices to settle
da0 at isp0 bus 0 target 1 lun 0
da0: <COMPAQ MAB3045SC 0814> Fixed Direct Access SCSI-2 device
da0: 20.000MB/s transfers (10.000MHz, offset 8, 16bit), Tagged Queueing Enabled
da0: 4094MB (8386000 512 byte sectors: 255H 63S/T 522C)
cd0 at sym0 bus 0 target 3 lun 0
cd0: <PLEXTOR CD-ROM PX-40TS 1j13> Removable CD-ROM SCSI-2 device
cd0: 20.000MB/s transfers (20.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
GEOM_LABEL: Label for provider da0a is ufs/root.
GEOM_LABEL: Label for provider da0d is ufs/tmp.
GEOM_LABEL: Label for provider da0e is ufs/var.
GEOM_LABEL: Label for provider da0f is ufs/usr.
Trying to mount root from ufs:/dev/ufs/root

-- 
| /"\   ASCII ribbon   |  GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |    0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |        .the next sentence is true.       |
| / \     and news     |     .the previous sentence was a lie.    |
