misc/157946: 'BSM conversion requested for unknown event' generated
by audit
Ike McCreery
ihmccreery at gmail.com
Fri Jun 17 13:10:12 UTC 2011
>Number: 157946
>Category: misc
>Synopsis: 'BSM conversion requested for unknown event' generated by audit
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jun 17 13:10:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Ike McCreery
>Release: 8.2
>Organization:
Oberlin College Computer Science
>Environment:
FreeBSD hostname.host.extension 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
Running FreeBSD with auditing turned on, and flags and naflags both set to 'all' (in /etc/security/audit_control). I'm getting two very similar messages:
BSM conversion requested for unknown event 43143
and
BSM conversion requested for unknown event 43196
The first occurs whenever I ssh into the server (which succeeds), and the second crops up when doing ls -l. I and some coworkers have looked through the source, and it seems that both are occuring because syscalls are falling through in /sys/security/audit/audit_bsm.c (from the source). Neither number nor its label as defined in /etc/security/audit_event (43143=AUE_CLOSEFROM and 43196=AUE_LPATHCONF) show up in a search of audit_bsm.c.
>How-To-Repeat:
Configure auditing as follows in /etc/security/audit_control:
dir:/var/audit
flags:all
minfree:5
naflags:all
policy:all
filesz:2M
expire-after:10M
Turn on auditing by running '/etc/rc.d/auditd start'.
Running 'ls -l' should give an error (43196), as should ssh-ing into the machine (43143).
>Fix:
It seems that the source in /sys/security/audit/audit_bsm.c prints this message if an audit request falls through (to line 1585) in the big switch statement in the file. Perhaps it is missing these two cases.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list