Status of MFC security event audit support in RELENG_6?

Robert Watson rwatson at
Thu Sep 21 00:55:02 PDT 2006

On Wed, 20 Sep 2006, Andrew Storms wrote:

> A few weeks back Robert Watson announced the merge of these features from 7 
> back into 6-STABLE.  I hadn't seen any updates and was curious as to the 
> status.  Us 6-STABLE users are curious to test it out.

The MFC is largely complete, and we're now basically chasing and address bugs 
being reported by -CURRENT and -STABLE users of audit.  BETA1 ships with 
audit support, but there are a few known issues with it:

- The sparc64 BETA1 ISO doesn't include the auditctl(2) bugfix, so auditd
   cannot be started.  amd64 and i386 both do include this fix so auditd should
   start properly.

- User applications are unable to submit audit records due to a bug in uer
   record audit preselection.  The fix has been tested and merged to RELENG_6,
   but didn't make the BETA1 cutoff.  BETA2 will include the fix, and it's
   available if you update to the latest RELENG_6 also.

- There are both kernel and praudit bugs relating to extremely large audit
   records generated by turning on argv or envv auditing with execve(1).
   These bugs have been fixed in -CURRENT but the fixes are not yet merged to
   RELENG_6.  They will be merged in the next few days once they've settled a
   bit in HEAD.  However, as the version of OpenBSM in RELENG_6 doesn't
   currently allow turning on the argv and envv auditing flag, this doesn't
   present an immediate problem for audit users in RELENG_6.  Support for
   turning on argv/arge auditing via audit_control(5) will appear in the
   OpenBSM 1.0 alpha 11 MFC to RELENG_6 in a few days (prior to BETA2).

- There are some known usability issues when the audit store partition becomes
   very full.  In particular, you get a lot of kernel printfs, which can slow
   the system down a lot and could make the console unusable.  Fixes for this
   are on my notebook, and will be merged to P4 and CVS HEAD shortly, with an
   MFC planned before BETA2.  Basically, these changes rate limit warning
   messages and are a bit more careful to avoid hitting out of space errors.
   Bug fixes to improve auditd's handling of low space conditions and triggers
   are in HEAD and will be MFC'd with OpenBSM 1.0 alpha 11.

- 32-bit compatibility system calls on amd64 are not currently audited, as
   with emulated Linux system calls in RELENG_6.  I'm working on the MFC patch
   for this currently, so hope to get the compat32 auditing merged in the next
   day or so (once approved by re@).

Testing and feedback would be extremely welcome.  While the above list of 
RELENG_6 problems is non-trivial, the code currently in RELENG_6 is quite 
functional, and I've deployed it on several servers, as have a number of other 
developers and end-users.

Another thing that needs to happen before the release is that the Handbook 
chapter needs to be reviewed and updated.  In particular, we've added the 
policy: line to audit_control(5) since it was written, and since this is quite 
useful/important, an update is required for that.

Robert N M Watson
Computer Laboratory
University of Cambridge

More information about the trustedbsd-audit mailing list