Bug 157946 - [openbsm] [patch] 'BSM conversion requested for unknown event' generated by audit
Summary: [openbsm] [patch] 'BSM conversion requested for unknown event' generated by a...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-17 14:10 UTC by Ike McCreery
Modified: 2020-07-17 07:41 UTC

See Also:


Attachments
patch_a.diff (589 bytes, patch)
2011-06-17 21:43 UTC, Efstratios Karatzas <gpf.kira@gmail.com>

Description Ike McCreery 2011-06-17 14:10:09 UTC
Running FreeBSD with auditing turned on, and flags and naflags both set
to 'all' (in /etc/security/audit_control).  I'm getting two very similar
messages:

   BSM conversion requested for unknown event 43143

and

   BSM conversion requested for unknown event 43196

The first occurs whenever I ssh into the server (which succeeds), and
the second crops up when doing ls -l.  I and some coworkers have looked
through the source, and it seems that both are occurring because syscalls
are falling through in /sys/security/audit/audit_bsm.c (from the source).
Neither number nor its label as defined in /etc/security/audit_event
(43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of
audit_bsm.c.

Fix: 

It seems that the source in /sys/security/audit/audit_bsm.c prints this
message if an audit request falls through (to line 1585) in the big switch
statement in the file.  Perhaps it is missing these two cases.
How-To-Repeat: Configure auditing as follows in /etc/security/audit_control:

dir:/var/audit
flags:all
minfree:5
naflags:all
policy:all
filesz:2M
expire-after:10M

Turn on auditing by running '/etc/rc.d/auditd start'.

Running 'ls -l' should give an error (43196), as should ssh-ing into
the machine (43143).
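The practical consequence of the message quoted above is an audit coverage gap: a record that reaches the default case of the converter in audit_bsm.c is not converted to BSM, so nothing for that event is written to the trail, and the console line is the only trace that it happened. The following script is an added example, not part of this PR or of OpenBSM, that scans console output for these messages and resolves the event numbers through the audit_event(5) format (number:name:description:classes) quoted in the report. Both inputs are constructed samples embedded inline; the 43145 entry is deliberately left out of the table to show how a number that the userland table does not know is reported.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt in the audit_event(5) format (number:name:description:classes).
# Only the two events named in this PR are listed; 43145 is deliberately absent
# to show how an event number missing from the userland table is handled.
AUDIT_EVENT_SAMPLE = """\
# Comment lines and blank lines are ignored.
43143:AUE_CLOSEFROM:closefrom(2):cl
43196:AUE_LPATHCONF:lpathconf(2):fa
"""

# Constructed console lines of the kind quoted in this PR, mixed with unrelated noise.
DMESG_SAMPLE = """\
BSM conversion requested for unknown event 43143
sshd[1234]: Accepted publickey for ike from 192.0.2.10 port 51522
BSM conversion requested for unknown event 43196
BSM conversion requested for unknown event 43143
BSM conversion requested for unknown event 43145
"""

UNKNOWN_EVENT_RE = re.compile(r"BSM conversion requested for unknown event (\d+)")


def parse_audit_event(text: str) -> Dict[int, Tuple[str, str, Tuple[str, ...]]]:
    """Parse audit_event(5) text into {number: (name, description, classes)}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # malformed entry: skip it rather than guess
        number, name, desc, classes = fields[0], fields[1], fields[2], fields[3]
        table[int(number)] = (name, desc, tuple(c for c in classes.split(",") if c))
    return table


def find_unconverted_events(log_text: str, table):
    """Collect unknown-event messages from console output.

    Returns {number: {"count": n, "name": str or None, "classes": tuple}}.
    Every hit is a record the kernel did not convert to BSM, so "count"
    is the number of records missing from the trail for that event.
    """
    found = {}
    for line in log_text.splitlines():
        m = UNKNOWN_EVENT_RE.search(line)
        if not m:
            continue
        number = int(m.group(1))
        entry = found.setdefault(number, {"count": 0, "name": None, "classes": ()})
        entry["count"] += 1
        if number in table:
            entry["name"], _, entry["classes"] = table[number]
    return found


def format_report(found) -> str:
    """Render one line per event; numbers absent from the table are flagged."""
    lines = []
    for number in sorted(found):
        e = found[number]
        label = e["name"] or "<not in audit_event(5) table>"
        classes = ",".join(e["classes"]) or "-"
        lines.append(f"{number}\t{label}\tclasses={classes}\tdropped_records={e['count']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real host, read /etc/security/audit_event and `dmesg` output instead
    # of the constructed samples above.
    table = parse_audit_event(AUDIT_EVENT_SAMPLE)
    print(format_report(find_unconverted_events(DMESG_SAMPLE, table)))
```

The class column matters for triage: it tells you which flags in audit_control (here `cl` and `fa`) were supposed to cover the dropped records, so you know which part of the configured policy is silently not being met until the kernel gains the missing case.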
Comment 1 Ike McCreery 2011-06-22 14:31:43 UTC
Alright,

I applied the patch and rebuilt the kernel.  Preliminary testing shows that
the problems are both fixed: we're no longer getting error messages with `ls
-l` or with an ssh into the server.

Thanks for the help!
Ike
Comment 2 devriesp 2012-07-23 13:12:46 UTC
I seem to be having this error appearing on a new build of 8.3-RELEASE-p3.

uname shows:

FreeBSD freebsd83.domain 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012    root@amd-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

I'm getting the error for events 43145 and 43196.

Thanks for any assistance.

Peter DeVries
devriesp@watershedsecurity.com
Comment 3 commit-hook freebsd_committer freebsd_triage 2015-12-14 13:38:24 UTC
A commit references this bug:

Author: brueffer
Date: Mon Dec 14 13:38:06 UTC 2015
New revision: 292209
URL: https://svnweb.freebsd.org/changeset/base/292209

Log:
  MFH: r207615 by csjp

  Add a case to make sure that internal audit records get converted
  to BSM format for lpathconf(2) events.

  PR:		157946

Changes:
_U  stable/8/sys/
_U  stable/8/sys/security/
  stable/8/sys/security/audit/audit_bsm.c
Comment 4 Christian Brueffer freebsd_committer freebsd_triage 2015-12-14 13:41:07 UTC
Sorry this issue lingered for so long.  Support for LPATHCONF was first added in 2010 (r207615), but never merged back to 8-STABLE.  It is present in the 9, 10, and 11-HEAD branches.  I have just merged it back to 8-STABLE for completeness' sake. Thanks for the report!