misc/157946: 'BSM conversion requested for unknown event' generated by audit

Ike McCreery ihmccreery at gmail.com
Fri Jun 17 13:10:12 UTC 2011 

>Number:         157946
>Category:       misc
>Synopsis:       'BSM conversion requested for unknown event' generated by audit
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 17 13:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Ike McCreery
>Release:        8.2
>Organization:
Oberlin College Computer Science
>Environment:
FreeBSD hostname.host.extension 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

>Description:
Running FreeBSD with auditing turned on, and flags and naflags both set to 'all' (in /etc/security/audit_control).  I'm getting two very similar messages:

   BSM conversion requested for unknown event 43143

and

   BSM conversion requested for unknown event 43196

The first occurs whenever I ssh into the server (which succeeds), and the second crops up when doing ls -l.  I and some coworkers have looked through the source, and it seems that both are occuring because syscalls are falling through in /sys/security/audit/audit_bsm.c (from the source).  Neither number nor its label as defined in /etc/security/audit_event (43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of audit_bsm.c.
>How-To-Repeat:
Configure auditing as follows in /etc/security/audit_control:

dir:/var/audit
flags:all
minfree:5
naflags:all
policy:all
filesz:2M
expire-after:10M

Turn on auditing by running '/etc/rc.d/auditd start'.

Running 'ls -l' should give an error (43196), as should ssh-ing into the machine (43143).
>Fix:
It seems that the source in /sys/security/audit/audit_bsm.c prints this message if an audit request falls through (to line 1585) in the big switch statement in the file.  Perhaps it is missing these two cases.

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list