Running FreeBSD with auditing turned on, and flags and naflags both set to 'all' (in /etc/security/audit_control). I'm getting two very similar messages:

    BSM conversion requested for unknown event 43143

and

    BSM conversion requested for unknown event 43196

The first occurs whenever I ssh into the server (which succeeds), and the second crops up when doing ls -l.

I and some coworkers have looked through the source, and it seems that both are occurring because syscalls are falling through in /sys/security/audit/audit_bsm.c (from the source). Neither number nor its label as defined in /etc/security/audit_event (43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of audit_bsm.c.

Fix:

It seems that the source in /sys/security/audit/audit_bsm.c prints this message if an audit request falls through (to line 1585) in the big switch statement in the file. Perhaps it is missing these two cases.

How-To-Repeat:

Configure auditing as follows in /etc/security/audit_control:

    dir:/var/audit
    flags:all
    minfree:5
    naflags:all
    policy:all
    filesz:2M
    expire-after:10M

Turn on auditing by running '/etc/rc.d/auditd start'. Running 'ls -l' should give an error (43196), as should ssh-ing into the machine (43143).
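The check the report describes (resolving each unknown event number through /etc/security/audit_event and searching audit_bsm.c for a matching case label), as an added Python example that is not part of the original report or of FreeBSD. The console lines, audit_event entries (description and class fields are placeholders) and switch fragment are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed samples. Event numbers and names are the two from the report;
# the description and class fields are placeholders.
AUDIT_EVENT = """\
# number:name:description:class
43143:AUE_CLOSEFROM:placeholder description:cl
43196:AUE_LPATHCONF:placeholder description:fa
"""
# Constructed stand-in for the conversion switch in audit_bsm.c.
BSM_SOURCE = """\
switch (ar->ar_event) {
case AUE_CLOSE:
case AUE_PATHCONF:
	break;
/* case AUE_CLOSEFROM: a commented-out label must not count */
default:
	printf("BSM conversion requested for unknown event %d\\n", ar->ar_event);
}
"""
CONSOLE = """\
BSM conversion requested for unknown event 43143
BSM conversion requested for unknown event 43196
BSM conversion requested for unknown event 43196
"""
MSG = re.compile(r"BSM conversion requested for unknown event (\d+)")

def parse_audit_event(text):
    """Map event number -> AUE_* name, skipping comments and malformed lines."""
    events = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0].isdigit():
            events[int(fields[0])] = fields[1]
    return events

def case_labels(source):
    """Collect AUE_* case labels, ignoring anything inside /* ... */ comments."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return set(re.findall(r"^\s*case\s+(AUE_\w+)\s*:", source, flags=re.M))

def triage(log, event_text, source):
    """Per unknown event: its name, how often it was logged, whether a case exists."""
    names, labels, report = parse_audit_event(event_text), case_labels(source), {}
    for num in map(int, MSG.findall(log)):
        name = names.get(num)
        entry = report.setdefault(num, {"name": name, "count": 0, "has_case": name in labels})
        entry["count"] += 1
    return report

if __name__ == "__main__":
    for num, info in sorted(triage(CONSOLE, AUDIT_EVENT, BSM_SOURCE).items()):
        print(num, info)
```

On a real system, pass the contents of the console or message log, /etc/security/audit_event and the kernel's audit_bsm.c in place of the three constructed strings.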
Alright, I applied the patch and rebuilt the kernel. Preliminary testing shows that the problems are both fixed: we're no longer getting error messages with `ls -l` or with an ssh into the server.

Thanks for the help!

Ike
I seem to be having this error appearing on a new build of 8.3-RELEASE-p3. uname shows:

    FreeBSD freebsd83.domain 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012 root@amd-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64

I'm getting the error for events 43145 and 43196.

Thanks for any assistance.

Peter DeVries
devriesp@watershedsecurity.com
A commit references this bug:

Author: brueffer
Date: Mon Dec 14 13:38:06 UTC 2015
New revision: 292209
URL: https://svnweb.freebsd.org/changeset/base/292209

Log:
  MFH: r207615 by csjp

  Add a case to make sure that internal audit records get converted to BSM format for lpathconf(2) events.

  PR: 157946

Changes:
_U  stable/8/sys/
_U  stable/8/sys/security/
  stable/8/sys/security/audit/audit_bsm.c
Sorry this issue lingered for so long. Support for LPATHCONF was first added in 2010 (r207615), but never merged back to 8-STABLE. It is present in the 9, 10, and 11-HEAD branches. I have just merged it back to 8-STABLE for completeness' sake. Thanks for the report!