misc/157946: 'BSM conversion requested for unknown event' generated
ihmccreery at gmail.com
Fri Jun 17 13:10:12 UTC 2011
>Synopsis: 'BSM conversion requested for unknown event' generated by audit
>Arrival-Date: Fri Jun 17 13:10:09 UTC 2011
>Originator: Ike McCreery
Oberlin College Computer Science
FreeBSD hostname.host.extension 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
Running FreeBSD with auditing turned on, and flags and naflags both set to 'all' (in /etc/security/audit_control). I'm getting two very similar messages:
BSM conversion requested for unknown event 43143
BSM conversion requested for unknown event 43196
The first occurs whenever I ssh into the server (which succeeds), and the second crops up when doing ls -l. I and some coworkers have looked through the source, and it seems that both are occuring because syscalls are falling through in /sys/security/audit/audit_bsm.c (from the source). Neither number nor its label as defined in /etc/security/audit_event (43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of audit_bsm.c.
Configure auditing as follows in /etc/security/audit_control:
Turn on auditing by running '/etc/rc.d/auditd start'.
Running 'ls -l' should give an error (43196), as should ssh-ing into the machine (43143).
It seems that the source in /sys/security/audit/audit_bsm.c prints this message if an audit request falls through (to line 1585) in the big switch statement in the file. Perhaps it is missing these two cases.
More information about the freebsd-bugs