After upgrading a server running auditd to FreeBSD12 (from FreeBSD 11.2) we noticed that trail files now have a dot (.) appended to the filename, which our auditdistd receiver thinks is an invalid trail name. Logs from our receiver: (receiver) Sender wants to open file "20190920080142.20190920080929.", which has invalid name. (receiver) Request failed: (seq=3) OPEN(20190920080142.20190920080929.): invalid trail file name. (receiver) Sender requested append without first opening file. (receiver) Request failed: (seq=4) APPEND(2646): wrong operations order. (receiver) Sender requested closing file without first opening it. (receiver) Request failed: (seq=5) CLOSE(20190920080142.20190920080929.): wrong operations order. (receiver) Unable to receive request header: Socket is not connected. Logs from our sender: (sender) Termination signal received, exiting. (sender) Receiver returned error (invalid trail file name), disconnecting. (sender) Disconnected from 172.22.239.16. I've tested upgrading the receiver to FreeBSD 12 as well but that doesn't seem to fix the issue. I also found this thread reporting the same issue: https://forums.freebsd.org/threads/auditd-on-freebsd-12-0-release-problem.69686/
I can reproduce this on a recent 12.1-STABLE. root audit 56 Nov 18 18:23 20191118172312.20191118172312. root audit 56 Jan 7 14:44 20200107134414.not_terminated. My initial direction was the C macro getTSstr, which is defined in contrib/openbsm/bsm/auditd_lib.h:46. But after I saw that the dot is also appended after "not_terminated" that problem must be located somewhere else.
On a recent -CURRENT (r356261) the problem doesn't exist. But the strange thing is that I didn't see any relevant changes within the last 18 months that could have caused this. At least not under contrib/openbsm/.
Perhaps this PR is the cause of Dec 18 21:19:29 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=10469, exitcode=75). re: https://forums.freebsd.org/threads/auditdistd-sandbox-process-exited-ungracefully.73419/
This is fixed by r356962. I am not exactly sure why, because that change should only affects some parts within the hostname-part of audit-trail-files, but Jan 22 09:17 20200116071331.20200122081723. Jan 22 09:18 20200122081759.not_terminated Jan 22 09:17 current -> /var/audit/20200122081759.not_terminated
(In reply to Gordon Bergling from comment #5) Thank you. I will deploy a 12.2-STABLE host and test this in our environment... Oh wait, does this affect the auditd client or the auditd server? I think it's the server, correct?
I updated a host to FreeBSD 12 -stable on 2020-04-08: $ uname -a FreeBSD fmd-12stbl-01tst.vrt.sourcefire.com 12.1-STABLE FreeBSD 12.1-STABLE r359329 GENERIC amd64 We're still see this on that host: Apr 9 17:10:11 example auditdistd[80387]: Sandbox process exited ungracefully (pid=20356, exitcode=75). Apr 9 18:00:10 example auditdistd[80387]: Sandbox process exited ungracefully (pid=93827, exitcode=75). Apr 11 04:15:28 example auditdistd[79863]: Sandbox process killed (pid=88054, signal=13).
(In reply to Gordon Bergling from comment #5) To confirm that I understand correctly, you believe the original issue is fixed in -CURRENT and in stable/12, so that 12.2 will be fixed? And dvl's issue is perhaps something else?
The reason I am testing stable is to ensure this issue does not persist for us on 12.2
(In reply to Dan Langille from comment #9) Indeed - I'm trying to figure out if the original issue here is fixed for 12.2 and there's something else that needs investigation.
What's up?
In comment #5 gbe reports that the issue is fixed by r356962, a MFC of r342873. This change is in 12.2. So the problem in comment #7 is presumably something else, and needs its own PR with full details.
(In reply to Ed Maste from comment #12) I have created https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250342