From owner-freebsd-stable@FreeBSD.ORG Fri Sep 22 00:50:35 2006
Date: Fri, 22 Sep 2006 02:50:16 +0200
From: Joerg Pernfuss
To: stable@FreeBSD.org
Cc: Robert Watson
Subject: Re: Problems with auditd -- resolved
Message-ID: <20060922025016.6bc38025@loki.starkstrom.lan>
In-Reply-To: <20060917091750.T74654@fledge.watson.org>
List-Id: Production branch of FreeBSD source code

On Sun, 17 Sep 2006 09:19:03 +0100 (BST)
Robert Watson wrote:

> Dear all,
>
> I've just committed a fix to syscalls.master and regenerated the
> remaining system call files, which should correct the auditctl:
> Invalid Argument error being returned by auditd. In short order,
> this fix should be on the cvsup mirrors -- please let me know if it
> resolves the problem you were experiencing.
>
> Thanks,

Thank you for that quick fix, Robert, but sadly I am still somewhat at a
loss. The auditd does run now, but does not write back any audit data at
all. I have run at least three full buildworlds during the time you see
below, set flags, deleted things, logged in, logged out, logged in via
ssh to the external interface, ssh'ed to localhost. No gain.
/var/log/audit looks like this:

elessar@forseti: /home/elessar# ll /var/audit/
total 26
-r--r-----  1 root  audit  0 20 Sep 18:05 20060920160547.20060920160856
-r--r-----  1 root  audit  0 20 Sep 18:08 20060920160856.20060920161050
-r--r-----  1 root  audit  0 20 Sep 18:10 20060920161050.20060920161154
-r--r-----  1 root  audit  0 20 Sep 18:13 20060920161347.20060920161507
-r--r-----  1 root  audit  0 20 Sep 18:19 20060920161903.20060920161936
-r--r-----  1 root  audit  0 20 Sep 18:28 20060920162856.20060920162909
-r--r-----  1 root  audit  0 20 Sep 18:33 20060920163322.20060920163817
-r--r-----  1 root  audit  0 20 Sep 18:38 20060920163817.20060920164146
-r--r-----  1 root  audit  0 20 Sep 18:41 20060920164146.20060920164920
-r--r-----  1 root  audit  0 20 Sep 18:49 20060920164920.not_terminated
-r--r-----  1 root  audit  0 20 Sep 18:51 20060920165153.20060920165243
-r--r-----  1 root  audit  0 20 Sep 18:52 20060920165243.20060920165330
-r--r-----  1 root  audit  0 20 Sep 18:53 20060920165330.20060920171512
-r--r-----  1 root  audit  0 20 Sep 19:16 20060920171650.20060920175312
-r--r-----  1 root  audit  0 20 Sep 19:55 20060920175539.20060921215850
-r--r-----  1 root  audit  0 22 Sep 00:00 20060921220046.not_terminated

The old .not_terminated file is from me fiddling with the system.

That is the output from /var/log/security - first system startup, then
two `audit -n` -- everything seems to work fine.

Sep 22 00:00:46 forseti auditd[604]: starting...
Sep 22 00:00:46 forseti auditd[605]: dir = /var/audit
Sep 22 00:00:46 forseti auditd[605]: New audit file is /var/audit/20060921220046.not_terminated
Sep 22 00:00:46 forseti auditd[605]: min free = 20
Sep 22 00:00:46 forseti auditd[605]: Registered 434 event to class mappings.
Sep 22 00:00:46 forseti auditd[605]: Registered non-attributable event mask.
Sep 22 00:00:46 forseti auditd[605]: Audit controls init successful
Sep 22 00:04:05 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:04:05 forseti auditd[605]: Got open new trigger
Sep 22 00:04:05 forseti auditd[605]: dir = /var/audit
Sep 22 00:04:05 forseti auditd[605]: New audit file is /var/audit/20060921220405.not_terminated
Sep 22 00:04:05 forseti auditd[605]: renamed /var/audit/20060921220046.not_terminated to /var/audit/20060921220046.20060921220405
Sep 22 00:05:26 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:05:26 forseti auditd[605]: Got open new trigger
Sep 22 00:05:26 forseti auditd[605]: dir = /var/audit
Sep 22 00:05:26 forseti auditd[605]: New audit file is /var/audit/20060921220526.not_terminated
Sep 22 00:05:26 forseti auditd[605]: renamed /var/audit/20060921220405.not_terminated to /var/audit/20060921220405.20060921220526
Sep 22 00:06:16 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:06:16 forseti auditd[605]: Got open new trigger
Sep 22 00:06:16 forseti auditd[605]: dir = /var/audit
Sep 22 00:06:16 forseti auditd[605]: New audit file is /var/audit/20060921220616.not_terminated
Sep 22 00:06:16 forseti auditd[605]: renamed /var/audit/20060921220526.not_terminated to /var/audit/20060921220526.20060921220616

My audit_control file:

dir:/var/audit
flags:all
minfree:20
naflags:lo

My audit_user file:

root:all:no
elessar:all:no

From my understanding, this configuration should generate a ridiculous
amount of data and probably fill

Filesystem    1K-blocks   Used   Avail Capacity  Mounted on
/dev/ufs/var     253678  63308  170076    27%    /var

up to the configured limit during a buildworld.
uname -a:

FreeBSD forseti.starkstrom.lan 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #3: Thu Sep 21 23:32:20 CEST 2006 elessar@forseti.starkstrom.lan:/usr/obj/usr/src/sys/FORSETI alpha

audit sourcefile versions:

$FreeBSD: src/sys/security/audit/audit.c,v 1.18.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit.h,v 1.8.2.2 2006/09/04 06:07:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_arg.c,v 1.6.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_bsm.c,v 1.10.2.3 2006/09/20 17:04:04 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_bsm_klib.c,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $
$FreeBSD: src/sys/security/audit/audit_bsm_token.c,v 1.7.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_ioctl.h,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.9.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_private.h,v 1.10.2.2 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_syscalls.c,v 1.1.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_trigger.c,v 1.3.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.9.2.2 2006/09/20 17:07:11 csjp Exp $

=> if I did not miss an MFC, this should be the most recent audit version
available in RELENG_6.

The sources have the following patches applied:
- unionfs6-p16.diff
- fbsd6-ssp-propolice.patch
- fbsd6-ssp-freebsd.patch
- stackgap-20050527.diff
- mmap_random-20050528.diff

Some slightly updated to apply cleanly. I plan to "undo" the local patches
tomorrow and check that out, although I can't see where those patches could
be responsible for the seen behaviour.

I am grateful for any pointers to what I did wrong or what I can do to get
more helpful information out of it.
The box is in no productive use, I have local and console access. Short of
physical damage nearly everything is possible.

Joerg

PS: /etc/make.conf, kernel config and dmesg follow:

/etc/make.conf:

CPUTYPE?=	ev56
CFLAGS=		-O -pipe ${BDECFLAGS}
COPTFLAGS=	-O -pipe
MAKE_SHELL?=	sh
WANT_FORCE_OPTIMIZATION_DOWNGRADE=	1
NO_IPFILTER=	YES	(*)
KERNCONF=	FORSETI
NO_MODULES=	YES
MODULES_WITH_WORLD=	YES
WITH_SSP=	YES
ENABLE_SSP=	YES

(*) buildworld broke once without this option but I haven't yet figured out
why exactly, so no PR yet.

kernel configuration:

#
# FORSETI -- Custom kernel configuration file for FreeBSD/alpha
#
# $FreeBSD: src/sys/alpha/conf/GENERIC,v 1.186.2.8 2006/07/13 08:11:46 delphij Exp $

machine		alpha
cpu		EV5
ident		FORSETI

# Platforms supported
options 	DEC_ST550		# Personal Workstation 433, 500, 600
#
options 	SCHED_4BSD		# 4BSD scheduler
options 	INET			# InterNETworking
options 	FFS			# Berkeley Fast Filesystem
options 	SOFTUPDATES		# Enable FFS soft updates support
options 	UFS_ACL			# Support for access control lists
options 	UFS_DIRHASH		# Improve performance on big directories
options 	CD9660			# ISO 9660 Filesystem
options 	COMPAT_43		# Compatible with BSD 4.3 [KEEP THIS!]
options 	COMPAT_FREEBSD5		# Compatible with FreeBSD5
options 	SCSI_DELAY=7500		# Delay (in ms) before probing SCSI
options 	SYSVSHM			# SYSV-style shared memory
options 	SYSVMSG			# SYSV-style message queues
options 	SYSVSEM			# SYSV-style semaphores
options 	_KPOSIX_PRIORITY_SCHEDULING	# POSIX P1003_1B real-time extensions
options 	ADAPTIVE_GIANT		# Giant mutex is adaptive.
# Standard busses
device		isa
device		pci

# Floppy drives
device		fdc

# SCSI Controllers
device		isp		# Qlogic family
device		ispfw		# Firmware module for Qlogic host adapters
device		sym		# NCR/Symbios Logic (newer chipsets + those of `ncr')

# SCSI peripherals
device		scbus		# SCSI bus (required for SCSI)
device		da		# Direct Access (disks)
device		cd		# CD
device		pass		# Passthrough device (direct SCSI access)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc		# AT keyboard controller
device		atkbd		# AT keyboard
device		vga		# VGA video card driver

# syscons is the default console driver, resembling an SCO console
device		sc
#
device		mcclock		# MC146818 real time clock device

# Serial (COM) ports (required)
device		sio		# 8250, 16[45]50 based serial ports

# Parallel port
device		ppc
device		ppbus		# Parallel port bus (required)
device		lpt		# Printer
device		ppi		# Parallel port interface device

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device		miibus		# MII bus support
device		dc		# DEC/Intel 21143 and various workalikes
device		fxp		# Intel EtherExpress PRO/100B (82557, 82558)
device		rl		# RealTek 8129/8139
device		xl		# 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices.
device		loop		# Network loopback
device		mem		# Memory and kernel memory devices
device		random		# Entropy device
device		ether		# Ethernet support
device		ppp		# Kernel PPP
device		tun		# Packet tunnel.
device		pty		# Pseudo-ttys (telnet etc)
device		md		# Memory "disks"
#
device		bpf		# Berkeley packet filter

# USB support
device		ohci		# OHCI PCI->USB interface
device		usb		# USB Bus (required)
device		ugen		# Generic
device		uhid		# "Human Interface Devices"
device		ukbd		# Keyboard
device		ulpt		# Printer
device		umass		# Disks/Mass storage - Requires scbus and da

# maxusers 10

options 	MAXDSIZ=(1024UL*1024*1024)
options 	MAXSSIZ=(128UL*1024*1024)
options 	DFLDSIZ=(1024UL*1024*1024)
options 	PQ_CACHESIZE=2048	# color for 512k cache

options 	GEOM_BSD		# BSD disklabels
options 	GEOM_BDE		# Disk encryption.
options 	GEOM_ELI		# Disk encryption.
options 	GEOM_LABEL		# Providers labelization.
options 	GEOM_MIRROR		# Disk mirroring.
options 	GEOM_VOL		# Volume names from UFS superblock

options 	FAST_IPSEC

options 	ALTQ
options 	ALTQ_CBQ		# Class Bases Queueing
options 	ALTQ_RED		# Random Early Detection
options 	ALTQ_HFSC		# Hierarchical Packet Scheduler
options 	ALTQ_PRIQ		# Priority Queueing

device		pf			#PF OpenBSD packet-filter firewall
device		pflog			#logging support interface for PF
device		pfsync			#synchronization interface for PF
device		carp			#Common Address Redundancy Protocol
device		vlan

options 	ACCEPT_FILTER_DATA
options 	ACCEPT_FILTER_HTTP
options 	TCP_DROP_SYNFIN		#drop TCP packets with SYN+FIN
options 	TCP_SIGNATURE		#include support for RFC 2385

options 	UNIONFS			#Union filesystem

options 	AUDIT
options 	MAC
#options 	MAC_BIBA
#options 	MAC_BSDEXTENDED
#options 	MAC_IFOFF
#options 	MAC_LOMAC
#options 	MAC_MLS
#options 	MAC_PARTITION
#options 	MAC_PORTACL
#options 	MAC_SEEOTHERUIDS

device		uart
device		sound
device		snd_sbc
device		snd_ess

device		crypto		# core crypto support
device		cryptodev	# /dev/crypto for access to h/w
device		rndtest		# FIPS 140-2 entropy tester

dmesg:

Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD 6.2-PRERELEASE #3: Thu Sep 21 23:32:20 CEST 2006
    elessar@forseti.starkstrom.lan:/usr/obj/usr/src/sys/FORSETI
Digital Personal Workstation (Miata)
Digital Personal WorkStation 500au, 500MHz
8192 byte page size, 1 processor.
CPU: EV56 (21164A) major=7 minor=0 extensions=0x1
OSF PAL rev: 0x1000000020116
real memory  = 400711680 (382 MB)
avail memory = 384598016 (366 MB)
Security auditing service present
BSM auditing present
cia0: <2117x Core Logic chipset>
cia0: Pyxis, pass 1
cia0: extended capabilities: 1
pcib0: <2117x PCI host bus adapter> on cia0
pci0: on pcib0
dc0: port 0x9100-0x917f mem 0x80162100-0x8016217f irq 0 at device 3.0 on pci0
miibus0: on dc0
nsphy0: on miibus0
nsphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: Ethernet address: 00:00:f8:76:34:54
dc0: interrupting at CIA irq 0
isab0: at device 7.0 on pci0
isa0: on isab0
pci0: at device 7.1 (no driver attached)
pci0: at device 7.2 (no driver attached)
ohci0: mem 0x80161000-0x80161fff irq 234 at device 7.3 on pci0
ohci0: interrupting at ISA irq 10
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: on ohci0
usb0: USB revision 1.0
uhub0: (0x1080) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
sym0: <875> port 0x9000-0x90ff mem 0x80162000-0x801620ff,0x80160000-0x80160fff irq 4 at device 11.0 on pci0
sym0: No NVRAM, ID 7, Fast-20, SE, parity checking
sym0: interrupting at CIA irq 4
sym0: [GIANT-LOCKED]
pcib1: at device 20.0 on pci0
pci1: on pcib1
isp0: port 0x8000-0x80ff mem 0x80024000-0x80024fff irq 3 at device 4.0 on pci1
isp0: interrupting at CIA irq 3
isp0: [GIANT-LOCKED]
pci1: at device 10.0 (no driver attached)
sbc0: at port 0x220-0x22f irq 5 drq 1 on isa0
sbc0: interrupting at ISA irq 5
sbc0: [GIANT-LOCKED]
pcm0: on sbc0
pcm0: [GIANT-LOCKED]
atkbdc0: at port 0x60,0x64 on isa0
atkbd0: irq 1 on atkbdc0
atkbd0: interrupting at ISA irq 1
atkbd0: [GIANT-LOCKED]
fdc0: at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: interrupting at ISA irq 6
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
mcclock0: at port 0x70-0x71 on isa0
ppc0: at port 0x3bc-0x3c3 irq 7 on isa0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppbus0: on ppc0
lpt0: on ppbus0
lpt0: Polled port
ppi0: on ppbus0
ppc0: interrupting at ISA irq 7
sc0: on isa0
sc0: VGA <16 virtual consoles, flags=0x200>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio0: interrupting at ISA irq 4
sio1 at port 0x2f8-0x2ff irq 3 flags 0x80 on isa0
sio1: type 16550A
sio1: interrupting at ISA irq 3
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "alpha" frequency 500000000 Hz quality 800
Timecounters tick every 0.976 msec
Fast IPsec: Initialized Security Association Processing.
Waiting 7 seconds for SCSI devices to settle
da0 at isp0 bus 0 target 1 lun 0
da0: Fixed Direct Access SCSI-2 device
da0: 20.000MB/s transfers (10.000MHz, offset 8, 16bit), Tagged Queueing Enabled
da0: 4094MB (8386000 512 byte sectors: 255H 63S/T 522C)
cd0 at sym0 bus 0 target 3 lun 0
cd0: Removable CD-ROM SCSI-2 device
cd0: 20.000MB/s transfers (20.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
GEOM_LABEL: Label for provider da0a is ufs/root.
GEOM_LABEL: Label for provider da0d is ufs/tmp.
GEOM_LABEL: Label for provider da0e is ufs/var.
GEOM_LABEL: Label for provider da0f is ufs/usr.
Trying to mount root from ufs:/dev/ufs/root

-- 
| /"\  ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ /  campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X   HTML in email    | .the next sentence is true.             |
| / \  and news         | .the previous sentence was a lie.       |
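The symptom in the message above is specific: auditd starts cleanly, honours every `audit -n` trigger and rotates trail files, yet every trail under /var/audit stays at 0 bytes. The following POSIX sh script is an added example, not part of Joerg's post or of FreeBSD's audit tooling; it turns that observation into a repeatable check of a trail directory. It relies only on the trail naming convention visible in the listing (STARTTIME.ENDTIME for a closed trail, STARTTIME.not_terminated for the one still open) and builds a constructed sample directory with the same file names so it can be run on any system without an audit setup. The directory names, the "fake BSM record" payload and the `demo` argument are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): detect auditd rotating trail files
# that all stay empty, the symptom shown in the /var/audit listing above.
# Trail names: STARTTIME.ENDTIME (closed) or STARTTIME.not_terminated (open).

# Print the names of trail files in $1 that are 0 bytes long.
empty_trails() {
    for f in "$1"/[0-9]*.*; do
        [ -f "$f" ] || continue          # unmatched glob or stray entry
        [ -s "$f" ] || basename "$f"
    done
    return 0
}

# Count closed trails (STARTTIME.ENDTIME), i.e. how often auditd rotated.
closed_trails() {
    n=0
    for f in "$1"/[0-9]*.[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Return 0 if at least one closed trail holds data, 1 if all are empty.
# The open .not_terminated trail is ignored on purpose: its records may
# still be queued in the kernel rather than on disk.
audit_is_writing() {
    for f in "$1"/[0-9]*.[0-9]*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# One-line verdict for a trail directory; exit status follows audit_is_writing.
check_audit_dir() {
    dir=$1
    if audit_is_writing "$dir"; then
        echo "ok: $dir has at least one non-empty closed trail"
        return 0
    fi
    echo "problem: $(closed_trails "$dir") closed trail(s) in $dir, all empty;" \
         "auditd rotates but no records reach disk"
    return 1
}

# Constructed sample directory (assumption of this example): the same
# file names as the post's listing, all zero bytes. With "withdata" one
# closed trail gets a fake payload so the healthy case can be exercised.
# Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for name in 20060920160547.20060920160856 \
                20060920160856.20060920161050 \
                20060920164920.not_terminated \
                20060921220046.20060921220405 \
                20060921220405.not_terminated; do
        : > "$d/$name"
    done
    [ "${1:-}" = withdata ] && printf 'fake BSM record\n' > "$d/20060921220046.20060921220405"
    echo "$d"
}

# Stand-alone run: "sh check_trails.sh demo" checks both constructed cases;
# on a real host call check_audit_dir /var/audit instead.
if [ "${1:-}" = demo ]; then
    check_audit_dir "$(make_sample_dir)"
    check_audit_dir "$(make_sample_dir withdata)"
fi
```

On a FreeBSD box with auditing enabled the interesting call is `check_audit_dir /var/audit`, run after at least one `audit -n` so that a closed trail exists. When it reports "ok", `praudit` on that closed trail is the next step to confirm the records are readable; when it reports "problem", the trail directory, the rotation messages in /var/log/security and the `audit -n` triggers can all be ruled out as the cause, which is exactly the situation the message describes.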