bin/149806: [patch] OpenBSM auditd(8) fails to expire trails if host defined

Janne Snabb snabb at
Thu Aug 19 15:40:04 UTC 2010

>Number:         149806
>Category:       bin
>Synopsis:       [patch] OpenBSM auditd(8) fails to expire trails if host defined
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 19 15:40:03 UTC 2010
>Originator:     Janne Snabb <snabb at>
>Release:        FreeBSD 8.1-RELEASE i386
EPIPE Communications
At least 8.0-RELEASE, 8.1-RELEASE and -CURRENT on any architecture.

OpenBSM auditd(8) fails to expire audit trail files if the "host"
parameter is defined in /etc/security/audit_control.

This is caused by improper filtering of file names in the
auditd_expire_trails() function of libauditd(3). The filtering works
correctly if "host" parameter has not been defined.

Add the following:

host: /etc/security/audit_control as well as some expiration limit
("expire-after" parameter).

(Re-)start auditd.

Produce enough audit records to reach the expiration limit.  

You will notice that nothing gets expired. /var/audit will grow


--- auditd_lib.c.diff begins here ---
--- contrib/openbsm/libauditd/auditd_lib.c.dist	2009-07-17 14:02:20.000000000 +0000
+++ contrib/openbsm/libauditd/auditd_lib.c	2010-08-19 14:58:52.000000000 +0000
@@ -427,11 +427,12 @@
 			struct audit_trail *new;
 			 * Quickly filter non-trail files.
-			if (dp->d_namlen != (FILENAME_LEN - 1) ||
+			if (dp->d_namlen != (FILENAME_LEN - 1 +
+			    (auditd_hostlen == -1 ? 0 : auditd_hostlen + 1)) ||
 #ifdef DT_REG
 			    dp->d_type != DT_REG || 
 			    dp->d_name[POSTFIX_LEN] != '.')
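Review bot: The expected length on the two `+` lines depends only on the currently configured auditd_hostlen, so trails written before "host" was set (length FILENAME_LEN - 1) or under a host name of a different length are still rejected by this filter and will never expire. Consider accepting both the bare and the host-suffixed lengths, or comparing the tail of d_name against the host string itself, since as far as this hunk shows any regular file of the right length with a '.' at d_name[POSTFIX_LEN] now passes. A short comment stating what the -1 sentinel and the "+ 1" stand for would also make the expression easier to audit.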
--- auditd_lib.c.diff ends here ---
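The name filter described in the report, as an added example that is not part of the original report or of OpenBSM. It assumes trail names have the form "YYYYMMDDhhmmss.YYYYMMDDhhmmss" with ".host" appended when "host" is set, and that POSTFIX_LEN and FILENAME_LEN have the values shown. The function names, the stricter variant and the host name "auditbox" are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values, matching a "YYYYMMDDhhmmss.YYYYMMDDhhmmss" trail name. */
#define POSTFIX_LEN  (sizeof("YYYYMMDDhhmmss") - 1)  /* 14 */
#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)         /* 30, counts the NUL */

/* Pre-patch filter: the expected length ignores any host suffix. */
static int matches_old(const char *name)
{
	return strlen(name) == FILENAME_LEN - 1 && name[POSTFIX_LEN] == '.';
}

/* Patched filter: hostlen == -1 means no "host" is configured. */
static int matches_patched(const char *name, int hostlen)
{
	size_t want = FILENAME_LEN - 1 +
	    (hostlen == -1 ? 0 : (size_t)hostlen + 1);

	return strlen(name) == want && name[POSTFIX_LEN] == '.';
}

/* Hypothetical stricter variant: the suffix must be exactly ".<host>". */
static int matches_strict(const char *name, const char *host)
{
	size_t base = FILENAME_LEN - 1;

	if (strlen(name) < base || name[POSTFIX_LEN] != '.')
		return 0;
	if (host == NULL)
		return name[base] == '\0';
	return name[base] == '.' && strcmp(name + base + 1, host) == 0;
}

int main(void)
{
	/* Constructed sample names, not taken from a real system. */
	const char *plain = "20100819140000.20100819150000";
	const char *hosted = "20100819140000.20100819150000.auditbox";

	printf("old:     plain=%d hosted=%d\n",
	    matches_old(plain), matches_old(hosted));
	printf("patched: plain=%d hosted=%d\n",
	    matches_patched(plain, 8), matches_patched(hosted, 8));
	printf("strict:  hosted=%d\n", matches_strict(hosted, "auditbox"));
	return 0;
}
```

With a host configured, the pre-patch check rejects every host-suffixed trail, which is why nothing is ever selected for expiry.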

