auditd on FreeBSD 12.0-release problem

Charlie Root



I have just upgraded my server from FreeBSD 11.1-RELEASE-p8 to FreeBSD 12.0-RELEASE-p3 and got a problem with auditd(8): the filename in the dist folder is ending with a dot (.) at
For example:
# auditd -d
auditd 41844 - - starting...
auditd 41844 - - Auditing disabled
auditd 41844 - - Configured trail files distribution.
auditd 41844 - - Auditing enabled
auditd 41844 - - New audit file is /var/audit/20190220082027.not_terminated.
auditd 41844 - - Registered 662 event to class mappings.
auditd 41844 - - Registered non-attributable event mask.
auditd 41844 - - Set audit policy in kernel.
auditd 41844 - - Set audit trail size in kernel.
auditd 41844 - - Set audit trail queue in kernel.
auditd 41844 - - Set audit trail min free percent in kernel.
auditd 41844 - - audit_control(5) may be missing 'host:' field
auditd 41844 - - Audit controls init successful
You can see the new audit file is /var/audit/20190220082027.not_terminated. with the "." at the end.

It caused an error when using auditdistd(8) to send the audit log to the auditdistd(8) receiver:
(54084) [DEBUG][1] [backup] (sender) File "/var/audit/dist/20190220041750.not_terminated" doesn't exist.
(54084) [DEBUG][1] [backup] (sender) Trail file "/var/audit/dist/20190220082027.not_terminated." opened.
(54084) [ERROR] [backup] (sender) Receiver returned error (invalid trail file name), disconnecting.
I think there is a bug. Any workaround for this issue?
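
The malformed names reported above can be spotted on the sender before auditdistd(8) tries to ship them. This is an added example, not part of the original post and not FreeBSD's own code; the accepted name form (a 14-digit start stamp, a dot, then a 14-digit end stamp, "not_terminated" or "crash_recovery") is an assumption based on the names in the logs, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: flag audit trail names that do not match the expected form.
# Assumed form: 14-digit start stamp, a dot, then a 14-digit end stamp,
# "not_terminated" or "crash_recovery". Nothing may follow the suffix.

TRAIL_RE='^[0-9]{14}\.([0-9]{14}|not_terminated|crash_recovery)$'

# Return 0 if the bare file name is well formed, 1 otherwise.
trail_name_ok() {
    printf '%s\n' "$1" | grep -Eq "$TRAIL_RE"
}

# Print each malformed name in directory $1; return 1 if any were found.
scan_trail_dir() {
    dir=$1
    bad=0
    for path in "$dir"/*; do
        [ -e "$path" ] || continue      # empty directory: glob did not match
        name=${path##*/}
        if ! trail_name_ok "$name"; then
            printf 'malformed trail name: %s\n' "$name"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample directory, built from the names quoted in the post.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/20190220041750.not_terminated"
    : > "$tmp/20190220082027.not_terminated."     # trailing dot, as reported
    : > "$tmp/20190220041750.20190220082027"      # constructed closed trail
    scan_trail_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo; then echo "all trail names ok"; else echo "malformed names present"; fi
```

On a real sender, call scan_trail_dir /var/audit/dist instead of demo; a non-zero return means at least one file there has a name of the kind the receiver rejected in the log above.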


Aspiring Daemon


Comment #5 in PR 240762 states it's fixed by revision r356962 (merged from current on stable/12).

If running 12-STABLE is not an option, I suppose merging the fix with releng/12.1 is the way to go. Reading /usr/src/contrib/openbsm/FREEBSD-upgrade indicates, if I'm not mistaken, buildworld installworld is necessary to install the fix.