audit MFC to RELENG_6, auditd doesn't start

Hi,

after I saw rwatson's MFC of the experimental audit support to RELENG_6, I checked out the tree yesterday. Build and install went fine without errors, but sth either went wrong or was made going wrong by me. Now auditd exits with exit(1) right after I start it, and

Sep 5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep 5 17:27:02 loki auditd[65275]: auditctl failed setting log file! : Invalid argument
Sep 5 17:27:02 loki auditd[65275]: Log directories exhausted
Sep 5 17:27:02 loki auditd[65275]: Could not swap audit file
Sep 5 17:27:02 loki auditd[65275]: Error reading control file
Sep 5 17:27:02 loki elessar: audit warning: nostart
Sep 5 17:27:02 loki elessar: audit warning: getacdir /var/audit
Sep 5 17:27:02 loki elessar: audit warning: getacdir /usr/audit

is everything I can get out of it, -d or not.

dmesg suggests that the kernel side of the audit support works fine.

FreeBSD 6.1-STABLE #0: Tue Sep 5 11:53:24 CEST 2006
root@...:/usr/obj/usr/src/sys/LOKI
ACPI APIC Table: <VIA694 AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Pentium(R) III CPU family 1400MHz (1399.54-MHz 686-class CPU)
  Origin = "GenuineIntel" Id = 0x6b1 Stepping = 1
  Features=0x383fbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE>
real memory = 1610547200 (1535 MB)
avail memory = 1568890880 (1496 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1
Security policy loaded: TrustedBSD MAC/BSD Extended (mac_bsdextended)
Security policy loaded: TrustedBSD MAC/seeotheruids (mac_seeotheruids)
Security policy loaded: TrustedBSD MAC/ifoff (mac_ifoff)
Security policy loaded: TrustedBSD MAC/Partition (mac_partition)
Security policy loaded: TrustedBSD MAC/portacl (trustedbsd_mac_portacl)
Security auditing service present
BSM auditing present

Disabling all the TrustedBSD modules via sysctl made no difference, the configuration files for audit are the default ones with one added dir: entry in audit_control, /var/audit and /usr/audit exist and are 50-60% free.

root@loki: /var/audit# ls -l
total 0
-r--r----- 1 root audit 0 Sep 5 15:32 20060905133200.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:33 20060905133333.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:36 20060905133630.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:39 20060905133922.not_terminated
-r--r----- 1 root audit 0 Sep 5 15:40 20060905134055.not_terminated

The sources have been patched with the unionfs-p16 and propolice patches, but from my understanding of the error messages, that should not be the problem.

audit_warn.c has this comment for getacdir warnings:

/*
 * Indicates that there is a problem getting the directory from
 * audit_control.
 *
 * XXX Note that we take the filename instead of a count as the argument here
 * (different from BSM).
 */

The entries in /etc/security/audit_control are

dir:/var/audit
dir:/usr/audit

The second I added to check if by chance sth with the diskfree calculations went wrong.

I am troubled. Thanks for any pointers about what I am doing wrong.

Regards,
Jörg

--
| /"\ ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X  HTML in email    | .the next sentence is true.             |
| / \ and news         | .the previous sentence was a lie.       |

_______________________________________________
freebsd-audit@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-audit
To unsubscribe, send any mail to "freebsd-audit-unsubscribe@..."

Re: audit MFC to RELENG_6, auditd doesn't start

A bit more information:

from /var/log/security:

Sep 5 20:57:28 loki auditd[1620]: starting...
Sep 5 20:57:28 loki auditd[1620]: dir = /var/audit
Sep 5 20:57:28 loki auditd[1620]: New audit file is /var/audit/20060905185728.not_terminated
Sep 5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep 5 20:57:28 loki auditd[1620]: dir = /usr/audit
Sep 5 20:57:28 loki auditd[1620]: New audit file is /usr/audit/20060905185728.not_terminated
Sep 5 20:57:28 loki auditd[1620]: auditctl failed setting log file! : Invalid argument
Sep 5 20:57:28 loki auditd[1620]: Log directories exhausted
Sep 5 20:57:28 loki auditd[1620]: Could not swap audit file
Sep 5 20:57:28 loki auditd[1620]: Error reading control file
Sep 5 20:57:28 loki elessar: audit warning: getacdir /var/audit
Sep 5 20:57:28 loki elessar: audit warning: getacdir /usr/audit
Sep 5 20:57:28 loki elessar: audit warning: nostart

The output from a ktrace of `auditd -d`:
http://www.elessar.org/auditd.ktrace-fork.txt

Full dmesg (not verbose though):
http://www.elessar.org/dmesg.txt

Kernel configuration:
http://www.elessar.org/kernel_conf.txt

And last but not least my /etc/security/audit_control as it is the only modified file:

dir:/var/audit
dir:/usr/audit
flags:lo
minfree:5
naflags:lo

Regards,
Jörg

--
| /"\ ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X  HTML in email    | .the next sentence is true.             |
| / \ and news         | .the previous sentence was a lie.       |
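
A pre-flight check of the audit_control entries quoted in the thread, as an added example that is not part of the original messages or of the auditd sources: it parses the key:value lines and reports, for each dir: entry, whether the directory exists, is writable, and has more free space than minfree. Treating minfree as a free-space percentage follows audit_control(5); the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

def parse_audit_control(text):
    """Parse audit_control key:value lines; 'dir' may repeat, so collect a list."""
    conf = {"dir": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "dir":
            conf["dir"].append(value)
        else:
            conf[key] = value
    return conf

def check_dirs(conf):
    """Return {dir: 'ok' or a problem description} for every dir: entry."""
    minfree = int(conf.get("minfree", 0))     # percent, per audit_control(5)
    report = {}
    for d in conf["dir"]:
        if not os.path.isdir(d):
            report[d] = "missing or not a directory"
            continue
        if not os.access(d, os.W_OK):
            report[d] = "not writable by this user"
            continue
        st = os.statvfs(d)
        free_pct = 100 * st.f_bavail // st.f_blocks if st.f_blocks else 0
        report[d] = "ok" if free_pct >= minfree else f"only {free_pct}% free"
    return report

def demo():
    # Constructed sample: one existing directory and one that does not exist.
    with tempfile.TemporaryDirectory() as good:
        sample = f"dir:{good}\ndir:{good}/absent\nflags:lo\nminfree:5\nnaflags:lo\n"
        conf = parse_audit_control(sample)
        return conf, check_dirs(conf), good

if __name__ == "__main__":
    conf, report, _ = demo()
    for d, status in report.items():
        print(f"{d}: {status}")
```

If every dir: entry reports ok, the configuration file and directories are ruled out and the "Invalid argument" from auditctl has to be pursued elsewhere, for example in the ktrace output linked above.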