Bug 240762 - [auditdistd] cannot receive trail files from servers running auditd on FreeBSD12
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 12.0-RELEASE
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs mailing list
Reported: 2019-09-23 08:50 UTC by johan.sollvander
Modified: 2020-01-15 16:13 UTC
Description johan.sollvander 2019-09-23 08:50:59 UTC
After upgrading a server running auditd to FreeBSD12 (from FreeBSD 11.2) we noticed that trail files now have a dot (.) appended to the filename, which our auditdistd receiver thinks is an invalid trail name.

Logs from our receiver:
(receiver) Sender wants to open file "20190920080142.20190920080929.", which has invalid name.
(receiver) Request failed: (seq=3) OPEN(20190920080142.20190920080929.): invalid trail file name.
(receiver) Sender requested append without first opening file.
(receiver) Request failed: (seq=4) APPEND(2646): wrong operations order.
(receiver) Sender requested closing file without first opening it.
(receiver) Request failed: (seq=5) CLOSE(20190920080142.20190920080929.): wrong operations order.
(receiver) Unable to receive request header: Socket is not connected.

Logs from our sender:
(sender) Termination signal received, exiting.
(sender) Receiver returned error (invalid trail file name), disconnecting.
(sender) Disconnected from 172.22.239.16.


I've tested upgrading the receiver to FreeBSD 12 as well but that doesn't seem to fix the issue.

I also found this thread reporting the same issue:
https://forums.freebsd.org/threads/auditd-on-freebsd-12-0-release-problem.69686/
Comment 1 Gordon Bergling 2020-01-07 13:56:30 UTC
I can reproduce this on a recent 12.1-STABLE.

root        audit   56 Nov 18 18:23 20191118172312.20191118172312.
root        audit   56 Jan  7 14:44 20200107134414.not_terminated.

My initial direction was the C macro getTSstr, which is defined in contrib/openbsm/bsm/auditd_lib.h:46. But after I saw that the dot is also appended after "not_terminated", the problem must be located somewhere else.
Comment 2 Gordon Bergling 2020-01-07 14:00:55 UTC
I can reproduce this on a recent 12.1-STABLE.

root        audit   56 Nov 18 18:23 20191118172312.20191118172312.
root        audit   56 Jan  7 14:44 20200107134414.not_terminated.

My initial direction was the C macro getTSstr, which is defined in contrib/openbsm/bsm/auditd_lib.h:46. But after I saw that the dot is also appended after "not_terminated", the problem must be located somewhere else.
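
Added example, not part of the original report and not auditdistd's own code: a small C check that separates the trailing-dot symptom shown above from other malformed trail names, for example when auditing a trail directory before distribution. It assumes the only valid forms are the two visible in this report with the final dot removed; trail_name_check and its enum are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TS_LEN 14 /* YYYYMMDDHHMMSS, as in the names quoted in this report */
enum trail_check { TRAIL_OK, TRAIL_BAD_START, TRAIL_BAD_END, TRAIL_TRAILING_DOT };

/* Return 1 if s starts with TS_LEN decimal digits (caller guarantees length). */
static int is_ts(const char *s)
{
    for (int i = 0; i < TS_LEN; i++)
        if (!isdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Assumed valid forms (illustrative, not auditdistd's rules): <ts>.<ts> and <ts>.not_terminated */
enum trail_check trail_name_check(const char *name)
{
    size_t len = strlen(name);
    const char *end;
    char tmp[64];

    if (len < TS_LEN + 2 || !is_ts(name) || name[TS_LEN] != '.')
        return TRAIL_BAD_START;
    end = name + TS_LEN + 1;
    if (strcmp(end, "not_terminated") == 0 || (strlen(end) == TS_LEN && is_ts(end)))
        return TRAIL_OK;
    /* Symptom in this report: an otherwise valid name followed by one '.' */
    if (name[len - 1] == '.' && len - 1 < sizeof(tmp)) {
        memcpy(tmp, name, len - 1);
        tmp[len - 1] = '\0';
        if (trail_name_check(tmp) == TRAIL_OK)
            return TRAIL_TRAILING_DOT;
    }
    return TRAIL_BAD_END;
}

int main(void)
{
    /* First two names are copied from this report; the third is the first without the dot. */
    const char *names[] = { "20190920080142.20190920080929.",
        "20200107134414.not_terminated.", "20190920080142.20190920080929" };
    const char *why[] = { "ok", "bad start", "bad end", "trailing dot" };

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-32s %s\n", names[i], why[trail_name_check(names[i])]);
    return 0;
}
```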
Comment 3 Gordon Bergling 2020-01-08 18:05:01 UTC
On a recent -CURRENT (r356261) the problem doesn't exist. But the strange thing is that I didn't see any relevant changes within the last 18 months that could have caused this. At least not under contrib/openbsm/.
Comment 4 Dan Langille freebsd_committer 2020-01-15 16:13:06 UTC
Perhaps this PR is the cause of

Dec 18 21:19:29 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=10469, exitcode=75).


re:

https://forums.freebsd.org/threads/auditdistd-sandbox-process-exited-ungracefully.73419/