kern/152796: fcntl(2) audit records should not be labeled "file
wollman at khavrinen.csail.mit.edu
Fri Dec 3 00:10:11 UTC 2010
>Synopsis: fcntl(2) audit records should not be labeled "file attribute modify"
>Arrival-Date: Fri Dec 03 00:10:11 UTC 2010
>Originator: Garrett Wollman
>Release: FreeBSD 8.1-RELEASE-p2 amd64
>Organization: MIT Computer Science & Artificial Intelligence Lab
>Environment: 8.1 system with auditing turned on
>Description:
/etc/security/audit_class describes class 0x8 as "file
attribute modify". This seems like a reasonable thing to audit, but
unfortunately, all calls to fcntl(2) -- which does not modify any file
attributes -- are included in this category. Any program which uses
POSIX-style locking will flood the audit file with spurious audit
records, while the interesting system calls (those that call
VOP_SETATTR) will be buried. (And for whatever reason, auditreduce(1)
doesn't appear to perform as advertised when given the "-v" flag.)
>How-To-Repeat:
Enable auditing with class "fm". praudit /var/audit/current.
Hit ^C when all you see is "fcntl(2)".
>Fix:
Move fcntl to a different audit class (probably "other" or
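Added example, not part of the original report: a small sh filter over praudit(1) text output that measures how much of an "fm" trail is fcntl(2) and prints only the records that remain once those are dropped. The sample records are constructed and abbreviated to header, return and trailer tokens, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage of praudit(1) text output from an "fm"-class trail.
# Sample records are constructed and abbreviated; function names are hypothetical.
# Real use would be e.g.: praudit /var/audit/current | without_fcntl

# Each record starts with: header,<bytes>,<version>,<event>,<modifier>,<date>,<msec>
sample_trail() {
cat <<'EOF'
header,56,11,fcntl(2),0,Fri Dec  3 00:09:58 2010, + 412 msec
return,success,0
trailer,56
header,56,11,fcntl(2),0,Fri Dec  3 00:09:58 2010, + 413 msec
return,success,0
trailer,56
header,72,11,chmod(2),0,Fri Dec  3 00:09:59 2010, + 101 msec
return,success,0
trailer,72
header,56,11,fcntl(2),0,Fri Dec  3 00:10:01 2010, + 7 msec
return,success,0
trailer,56
EOF
}

# Count records per event name (field 4 of the header token), busiest first.
tally_events() {
    awk -F, '$1 == "header" { n[$4]++ }
             END { for (e in n) printf "%d %s\n", n[e], e }' | sort -k1,1nr -k2
}

# Integer percentage of records whose event is fcntl(2).
fcntl_share() {
    awk -F, '$1 == "header" { total++; if ($4 == "fcntl(2)") f++ }
             END { if (total) printf "%d\n", 100 * f / total; else print 0 }'
}

# Pass through every record except fcntl(2) ones, header through trailer.
without_fcntl() {
    awk -F, '$1 == "header" { skip = ($4 == "fcntl(2)") } !skip'
}

sample_trail | tally_events     # per-event record counts
sample_trail | fcntl_share      # share of the trail that is fcntl(2)
sample_trail | without_fcntl    # the records left after dropping fcntl(2)
```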