On Sun, 17 Sep 2006 09:19:03 +0100 (BST) Robert Watson <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> I've just committed a fix to syscalls.master and regenerated the
> remaining system call files, which should correct the auditctl:
> Invalid Argument error being returned by auditd. In short order,
> this fix should be on the cvsup mirrors -- please let me know if it
> resolves the problem you were experiencing.
>
> Thanks,
Thank you for that quick fix, Robert, but sadly I am still somewhat
at a loss.
The auditd does run now, but does not write back any audit data at all.
I have run at least three full buildworlds during the time you see
below, set flags, deleted things, logged in, logged out, logged in via
ssh to the external interface, ssh'ed to localhost. No gain.
/var/log/audit looks like this:
[EMAIL PROTECTED]: /home/elessar# ll /var/audit/
total 26
-r--r----- 1 root audit 0 20 Sep 18:05 20060920160547.20060920160856
-r--r----- 1 root audit 0 20 Sep 18:08 20060920160856.20060920161050
-r--r----- 1 root audit 0 20 Sep 18:10 20060920161050.20060920161154
-r--r----- 1 root audit 0 20 Sep 18:13 20060920161347.20060920161507
-r--r----- 1 root audit 0 20 Sep 18:19 20060920161903.20060920161936
-r--r----- 1 root audit 0 20 Sep 18:28 20060920162856.20060920162909
-r--r----- 1 root audit 0 20 Sep 18:33 20060920163322.20060920163817
-r--r----- 1 root audit 0 20 Sep 18:38 20060920163817.20060920164146
-r--r----- 1 root audit 0 20 Sep 18:41 20060920164146.20060920164920
-r--r----- 1 root audit 0 20 Sep 18:49 20060920164920.not_terminated
-r--r----- 1 root audit 0 20 Sep 18:51 20060920165153.20060920165243
-r--r----- 1 root audit 0 20 Sep 18:52 20060920165243.20060920165330
-r--r----- 1 root audit 0 20 Sep 18:53 20060920165330.20060920171512
-r--r----- 1 root audit 0 20 Sep 19:16 20060920171650.20060920175312
-r--r----- 1 root audit 0 20 Sep 19:55 20060920175539.20060921215850
-r--r----- 1 root audit 0 22 Sep 00:00 20060921220046.not_terminated
The old .not_terminated file is from me fiddling with the system.
That is the output from /var/log/security - first system startup, then
two `audit -n` -- everything seems to work fine.
Sep 22 00:00:46 forseti auditd[604]: starting...
Sep 22 00:00:46 forseti auditd[605]: dir = /var/audit
Sep 22 00:00:46 forseti auditd[605]: New audit file is /var/audit/20060921220046.not_terminated
Sep 22 00:00:46 forseti auditd[605]: min free = 20
Sep 22 00:00:46 forseti auditd[605]: Registered 434 event to class mappings.
Sep 22 00:00:46 forseti auditd[605]: Registered non-attributable event mask.
Sep 22 00:00:46 forseti auditd[605]: Audit controls init successful
Sep 22 00:04:05 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:04:05 forseti auditd[605]: Got open new trigger
Sep 22 00:04:05 forseti auditd[605]: dir = /var/audit
Sep 22 00:04:05 forseti auditd[605]: New audit file is /var/audit/20060921220405.not_terminated
Sep 22 00:04:05 forseti auditd[605]: renamed /var/audit/20060921220046.not_terminated to /var/audit/20060921220046.20060921220405
Sep 22 00:05:26 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:05:26 forseti auditd[605]: Got open new trigger
Sep 22 00:05:26 forseti auditd[605]: dir = /var/audit
Sep 22 00:05:26 forseti auditd[605]: New audit file is /var/audit/20060921220526.not_terminated
Sep 22 00:05:26 forseti auditd[605]: renamed /var/audit/20060921220405.not_terminated to /var/audit/20060921220405.20060921220526
Sep 22 00:06:16 forseti auditd[605]: wait_for_events: read 2
Sep 22 00:06:16 forseti auditd[605]: Got open new trigger
Sep 22 00:06:16 forseti auditd[605]: dir = /var/audit
Sep 22 00:06:16 forseti auditd[605]: New audit file is /var/audit/20060921220616.not_terminated
Sep 22 00:06:16 forseti auditd[605]: renamed /var/audit/20060921220526.not_terminated to /var/audit/20060921220526.20060921220616
My audit_control file:
dir:/var/audit
flags:all
minfree:20
naflags:lo
My audit_user file:
root:all:no
elessar:all:no
From my understanding, this configuration should generate a ridiculous
amount of data and probably fill
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/ufs/var 253678 63308 170076 27% /var
up to the configured limit during a buildworld.
uname -a:
FreeBSD forseti.starkstrom.lan 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #3: Thu Sep 21 23:32:20 CEST 2006 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/FORSETI alpha
audit sourcefile versions:
$FreeBSD: src/sys/security/audit/audit.c,v 1.18.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit.h,v 1.8.2.2 2006/09/04 06:07:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_arg.c,v 1.6.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_bsm.c,v 1.10.2.3 2006/09/20 17:04:04 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_bsm_klib.c,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$P4: //depot/projects/trustedbsd/audit3/sys/security/audit/audit_bsm_token.c#23 $
$FreeBSD: src/sys/security/audit/audit_bsm_token.c,v 1.7.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_ioctl.h,v 1.4.2.1 2006/09/02 11:50:50 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_pipe.c,v 1.9.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_private.h,v 1.10.2.2 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_syscalls.c,v 1.1.2.3 2006/09/20 17:07:11 csjp Exp $
$FreeBSD: src/sys/security/audit/audit_trigger.c,v 1.3.2.1 2006/09/02 11:50:51 rwatson Exp $
$FreeBSD: src/sys/security/audit/audit_worker.c,v 1.9.2.2 2006/09/20 17:07:11 csjp Exp $
=> if I did not miss an MFC, this should be the most recent audit version
available in RELENG_6.
The sources have the following patches applied:
- unionfs6-p16.diff
- fbsd6-ssp-propolice.patch
- fbsd6-ssp-freebsd.patch
- stackgap-20050527.diff
- mmap_random-20050528.diff
Some slightly updated to apply cleanly. I plan to "undo" the local patches
tomorrow and check that out, although I can't see where those patches could
be responsible for the seen behaviour.
I am grateful for any pointers to what I did wrong or what I can do to get
more helpful information out of it. The box is not in productive use; I have
local and console access. Short of physical damage nearly everything is
possible.
Joerg
PS: /etc/make.conf, kernel config and dmesg follow:
/etc/make.conf:
CPUTYPE?= ev56
CFLAGS= -O -pipe ${BDECFLAGS}
COPTFLAGS= -O -pipe
MAKE_SHELL?= sh
WANT_FORCE_OPTIMIZATION_DOWNGRADE= 1
NO_IPFILTER= YES (*)
KERNCONF= FORSETI
NO_MODULES= YES
MODULES_WITH_WORLD= YES
WITH_SSP= YES
ENABLE_SSP= YES
(*) buildworld broke once without this option but I haven't yet
figured out why exactly, so no PR yet.
kernel configuration:
#
# FORSETI -- Custom kernel configuration file for FreeBSD/alpha
#
# $FreeBSD: src/sys/alpha/conf/GENERIC,v 1.186.2.8 2006/07/13 08:11:46 delphij Exp $
machine alpha
cpu EV5
ident FORSETI
# Platforms supported
options DEC_ST550 # Personal Workstation 433, 500, 600
#
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options CD9660 # ISO 9660 Filesystem
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options SCSI_DELAY=7500 # Delay (in ms) before probing SCSI
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options ADAPTIVE_GIANT # Giant mutex is adaptive.
# Standard busses
device isa
device pci
# Floppy drives
device fdc
# SCSI Controllers
device isp # Qlogic family
device ispfw # Firmware module for Qlogic host adapters
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
# SCSI peripherals
device scbus # SCSI bus (required for SCSI)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device vga # VGA video card driver
# syscons is the default console driver, resembling an SCO console
device sc
#
device mcclock # MC146818 real time clock device
# Serial (COM) ports (required)
device sio # 8250, 16[45]50 based serial ports
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device dc # DEC/Intel 21143 and various workalikes
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device rl # RealTek 8129/8139
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device random # Entropy device
device ether # Ethernet support
device ppp # Kernel PPP
device tun # Packet tunnel.
device pty # Pseudo-ttys (telnet etc)
device md # Memory "disks"
#
device bpf # Berkeley packet filter
# USB support
device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
device ugen # Generic
device uhid # "Human Interface Devices"
device ukbd # Keyboard
device ulpt # Printer
device umass # Disks/Mass storage - Requires scbus and da
#
maxusers 10
options MAXDSIZ=(1024UL*1024*1024)
options MAXSSIZ=(128UL*1024*1024)
options DFLDSIZ=(1024UL*1024*1024)
options PQ_CACHESIZE=2048 # color for 512k cache
options GEOM_BSD # BSD disklabels
options GEOM_BDE # Disk encryption.
options GEOM_ELI # Disk encryption.
options GEOM_LABEL # Providers labelization.
options GEOM_MIRROR # Disk mirroring.
options GEOM_VOL # Volume names from UFS superblock
options FAST_IPSEC
options ALTQ
options ALTQ_CBQ # Class Bases Queueing
options ALTQ_RED # Random Early Detection
options ALTQ_HFSC # Hierarchical Packet Scheduler
options ALTQ_PRIQ # Priority Queueing
device pf #PF OpenBSD packet-filter firewall
device pflog #logging support interface for PF
device pfsync #synchronization interface for PF
device carp #Common Address Redundancy Protocol
device vlan
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
options TCP_SIGNATURE #include support for RFC 2385
options UNIONFS #Union filesystem
options AUDIT
options MAC
#options MAC_BIBA
#options MAC_BSDEXTENDED
#options MAC_IFOFF
#options MAC_LOMAC
#options MAC_MLS
#options MAC_PARTITION
#options MAC_PORTACL
#options MAC_SEEOTHERUIDS
device uart
device sound
device snd_sbc
device snd_ess
device crypto # core crypto support
device cryptodev # /dev/crypto for access to h/w
device rndtest # FIPS 140-2 entropy tester
dmesg:
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.2-PRERELEASE #3: Thu Sep 21 23:32:20 CEST 2006
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/FORSETI
Digital Personal Workstation (Miata)
Digital Personal WorkStation 500au, 500MHz
8192 byte page size, 1 processor.
CPU: EV56 (21164A) major=7 minor=0 extensions=0x1<BWX>
OSF PAL rev: 0x1000000020116
real memory = 400711680 (382 MB)
avail memory = 384598016 (366 MB)
Security auditing service present
BSM auditing present
cia0: <2117x Core Logic chipset>
cia0: Pyxis, pass 1
cia0: extended capabilities: 1<BWEN>
pcib0: <2117x PCI host bus adapter> on cia0
pci0: <PCI bus> on pcib0
dc0: <Intel 21143 10/100BaseTX> port 0x9100-0x917f mem 0x80162100-0x8016217f irq 0 at device 3.0 on pci0
miibus0: <MII bus> on dc0
nsphy0: <DP83840 10/100 media interface> on miibus0
nsphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
dc0: Ethernet address: 00:00:f8:76:34:54
dc0: interrupting at CIA irq 0
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
pci0: <mass storage, ATA> at device 7.1 (no driver attached)
pci0: <mass storage, ATA> at device 7.2 (no driver attached)
ohci0: <OHCI (generic) USB controller> mem 0x80161000-0x80161fff irq 234 at device 7.3 on pci0
ohci0: interrupting at ISA irq 10
ohci0: [GIANT-LOCKED]
usb0: OHCI version 1.0, legacy support
usb0: <OHCI (generic) USB controller> on ohci0
usb0: USB revision 1.0
uhub0: (0x1080) OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
sym0: <875> port 0x9000-0x90ff mem 0x80162000-0x801620ff,0x80160000-0x80160fff irq 4 at device 11.0 on pci0
sym0: No NVRAM, ID 7, Fast-20, SE, parity checking
sym0: interrupting at CIA irq 4
sym0: [GIANT-LOCKED]
pcib1: <PCI-PCI bridge> at device 20.0 on pci0
pci1: <PCI bus> on pcib1
isp0: <Qlogic ISP 1020/1040 PCI SCSI Adapter> port 0x8000-0x80ff mem 0x80024000-0x80024fff irq 3 at device 4.0 on pci1
isp0: interrupting at CIA irq 3
isp0: [GIANT-LOCKED]
pci1: <display, VGA> at device 10.0 (no driver attached)
sbc0: <ESS ES1888> at port 0x220-0x22f irq 5 drq 1 on isa0
sbc0: interrupting at ISA irq 5
sbc0: [GIANT-LOCKED]
pcm0: <ESS 18xx DSP> on sbc0
pcm0: [GIANT-LOCKED]
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
atkbd0: interrupting at ISA irq 1
atkbd0: [GIANT-LOCKED]
fdc0: <Enhanced floppy controller> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: interrupting at ISA irq 6
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
mcclock0: <MC146818A real time clock> at port 0x70-0x71 on isa0
ppc0: <Parallel port> at port 0x3bc-0x3c3 irq 7 on isa0
ppc0: Generic chipset (EPP/NIBBLE) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
lpt0: <Printer> on ppbus0
lpt0: Polled port
ppi0: <Parallel I/O> on ppbus0
ppc0: interrupting at ISA irq 7
sc0: <System console> on isa0
sc0: VGA <16 virtual consoles, flags=0x200>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio0: interrupting at ISA irq 4
sio1 at port 0x2f8-0x2ff irq 3 flags 0x80 on isa0
sio1: type 16550A
sio1: interrupting at ISA irq 3
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "i8254" frequency 1193182 Hz quality 0
Timecounter "alpha" frequency 500000000 Hz quality 800
Timecounters tick every 0.976 msec
Fast IPsec: Initialized Security Association Processing.
Waiting 7 seconds for SCSI devices to settle
da0 at isp0 bus 0 target 1 lun 0
da0: <COMPAQ MAB3045SC 0814> Fixed Direct Access SCSI-2 device
da0: 20.000MB/s transfers (10.000MHz, offset 8, 16bit), Tagged Queueing Enabled
da0: 4094MB (8386000 512 byte sectors: 255H 63S/T 522C)
cd0 at sym0 bus 0 target 3 lun 0
cd0: <PLEXTOR CD-ROM PX-40TS 1j13> Removable CD-ROM SCSI-2 device
cd0: 20.000MB/s transfers (20.000MHz, offset 15)
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray closed
GEOM_LABEL: Label for provider da0a is ufs/root.
GEOM_LABEL: Label for provider da0d is ufs/tmp.
GEOM_LABEL: Label for provider da0e is ufs/var.
GEOM_LABEL: Label for provider da0f is ufs/usr.
Trying to mount root from ufs:/dev/ufs/root
--
| /"\ ASCII ribbon | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
| X HTML in email | .the next sentence is true. |
| / \ and news | .the previous sentence was a lie. |
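As an added example that is not part of Joerg's post or of the FreeBSD audit tooling, the following Python script parses the pieces shown above (the `ll /var/audit/` listing, the start.stop / start.not_terminated trail naming scheme, and the audit_control and audit_user formats) and reports the two conditions the post describes: every terminated trail is zero bytes although flags:all is configured, and an old .not_terminated file is left over. The sample inputs are constructed from lines quoted in the post; the function names and finding texts are the example's own.

```python
import re
from datetime import datetime
from typing import Dict, List

# Trail names are start.stop timestamps (YYYYMMDDhhmmss) or start.not_terminated
# for the trail auditd is currently writing to.
TRAIL_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)$")
TS_FMT = "%Y%m%d%H%M%S"

# Constructed sample input: a subset of the `ll /var/audit/` lines from the post.
SAMPLE_LISTING = """\
total 26
-r--r----- 1 root audit 0 20 Sep 18:05 20060920160547.20060920160856
-r--r----- 1 root audit 0 20 Sep 18:08 20060920160856.20060920161050
-r--r----- 1 root audit 0 20 Sep 18:49 20060920164920.not_terminated
-r--r----- 1 root audit 0 20 Sep 19:55 20060920175539.20060921215850
-r--r----- 1 root audit 0 22 Sep 00:00 20060921220046.not_terminated
""".splitlines()

# Constructed sample config, copied from the post's audit_control / audit_user.
SAMPLE_AUDIT_CONTROL = ["dir:/var/audit", "flags:all", "minfree:20", "naflags:lo"]
SAMPLE_AUDIT_USER = ["root:all:no", "elessar:all:no"]


def parse_listing(lines: List[str]) -> List[Dict]:
    """Turn `ls -l` lines into trail records: name, size, start, stop (None = open)."""
    trails = []
    for line in lines:
        parts = line.split()
        if len(parts) < 9:
            continue  # 'total 26' header, blank line, or something that is not ls -l
        name, size = parts[-1], int(parts[4])
        m = TRAIL_RE.match(name)
        if not m:
            continue  # not an audit trail file
        start = datetime.strptime(m.group(1), TS_FMT)
        stop = None if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), TS_FMT)
        trails.append({"name": name, "size": size, "start": start, "stop": stop})
    return trails


def parse_audit_control(lines: List[str]) -> Dict[str, str]:
    """audit_control is one key:value per line; '#' comments and blanks are skipped."""
    conf = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def parse_audit_user(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """audit_user is user:alwaysaudit-flags:neveraudit-flags per line."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, always, never = (line.split(":") + ["", ""])[:3]
        users[user] = {"always": always, "never": never}
    return users


def audit_health(listing: List[str], control: List[str], users: List[str]) -> List[str]:
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    trails = parse_listing(listing)
    conf = parse_audit_control(control)
    for key in ("dir", "flags", "minfree", "naflags"):
        if key not in conf:
            findings.append(f"audit_control: missing '{key}'")
    for user, spec in parse_audit_user(users).items():
        if not spec["always"] and not spec["never"]:
            findings.append(f"audit_user: entry for {user} selects no classes")
    closed = [t for t in trails if t["stop"] is not None]
    open_ = [t for t in trails if t["stop"] is None]
    # Terminated trails that are all 0 bytes means no record reached the trail,
    # even though auditd rotated files on request (the situation in the post).
    if closed and all(t["size"] == 0 for t in closed):
        findings.append(f"all {len(closed)} terminated trails are 0 bytes while "
                        f"flags={conf.get('flags', '<unset>')}: no audit records are being written")
    # More than one .not_terminated file: an earlier auditd never closed its trail.
    if len(open_) > 1:
        stale = sorted(open_, key=lambda t: t["start"])[:-1]
        findings.append("stale .not_terminated trail(s): " + ", ".join(t["name"] for t in stale))
    for t in closed:
        if t["stop"] < t["start"]:
            findings.append(f"{t['name']}: stop timestamp precedes start (clock problem?)")
    return findings


if __name__ == "__main__":
    for finding in audit_health(SAMPLE_LISTING, SAMPLE_AUDIT_CONTROL, SAMPLE_AUDIT_USER):
        print("WARNING:", finding)
```

Run against a live system by feeding it `ls -l /var/audit` and the contents of /etc/security/audit_control and audit_user; a healthy box yields no findings, while the post's state produces the empty-trail and stale-file warnings. An empty trail with a well-formed audit_control points at the kernel side (event selection or record delivery) rather than at auditd's file handling, which is the distinction the post is trying to make.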
