Audit & capsicum on FreeBSD 12.2Stable

Dewayne Geraghty dewayne at heuristicsystems.com.au
Mon Nov 23 00:27:51 UTC 2020


I've recently included capsicum & casper in our build, but we're finding
"Function not implemented" associated with the capsicum audit events.

header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68

Do these mean that: the audit subsystem doesn't know how to deal with
capsicum; that capsicum doesn't interact with audit very well, or is
there something else going on?

These events are in /etc/security/audit_event
audit_event:43186:AUE_CAP_NEW:cap_new(2):fm
audit_event:43187:AUE_CAP_RIGHTS_GET:cap_rights_get(2):fm
audit_event:43188:AUE_CAP_ENTER:cap_enter(2):pc
audit_event:43189:AUE_CAP_GETMODE:cap_getmode(2):pc
audit_event:43202:AUE_CAP_RIGHTS_LIMIT:cap_rights_limit(2):fm
audit_event:43203:AUE_CAP_IOCTLS_LIMIT:cap_ioctls_limit(2):fm
audit_event:43204:AUE_CAP_IOCTLS_GET:cap_ioctls_get(2):fm
audit_event:43205:AUE_CAP_FCNTLS_LIMIT:cap_fcntls_limit(2):fm
audit_event:43206:AUE_CAP_FCNTLS_GET:cap_fcntls_get(2):fm

System is (from uname -aKU extract) FreeBSD 12.2-STABLE FreeBSD
12.2-STABLE #0 r367477M: Mon Nov  9 07:33:12 AEDT 2020 amd64 1202503 1202503

Regards, Dewayne
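
Added example, not part of the original message: a small Python parser for the praudit text records quoted above, joined against the quoted audit_event entries so each failed event is listed with its audit class, error text and PID. The function names are made up for this example, and the signed conversion of the return value assumes a 32-bit return token.

```python
from collections import Counter
# The three records quoted in the post (praudit default comma-delimited text).
PRAUDIT = """\
header,68,11,cap_rights_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_ioctls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
header,68,11,cap_fcntls_limit(2),0,Mon Nov 23 10:27:51 2020, + 426 msec
subject,-1,root,wheel,root,wheel,41624,0,0,0.0.0.0
return,failure : Function not implemented,4294967295
trailer,68
"""
# Matching audit_event lines as quoted in the post, filename prefix included.
AUDIT_EVENT = """\
audit_event:43202:AUE_CAP_RIGHTS_LIMIT:cap_rights_limit(2):fm
audit_event:43203:AUE_CAP_IOCTLS_LIMIT:cap_ioctls_limit(2):fm
audit_event:43205:AUE_CAP_FCNTLS_LIMIT:cap_fcntls_limit(2):fm
"""

def load_classes(text):
    """Map event description to audit class; a leading filename field is ignored."""
    rows = (l.split(":") for l in text.splitlines() if l.strip() and l[0] != "#")
    return {f[-2]: f[-1] for f in rows}

def parse_records(text):
    """Yield one dict per header..trailer record (hypothetical helper)."""
    rec = {}
    for line in text.splitlines():
        token, _, rest = line.partition(",")
        f = rest.split(",")
        if token == "header":
            rec = {"event": f[2], "when": f[4]}
        elif token == "subject":
            rec["pid"] = int(f[5])
        elif token == "return":
            rec["error"] = f[0].partition(" : ")[2]  # empty string on success
            # Assumption: 32-bit return token, so 4294967295 folds back to -1.
            rec["retval"] = (int(f[1]) + 2**31) % 2**32 - 2**31
        elif token == "trailer":
            yield rec

def failures(text, classes):
    """Count failed records per (event, class, error text, pid)."""
    return Counter((r["event"], classes.get(r["event"], "?"), r["error"], r["pid"])
                   for r in parse_records(text) if r["error"])
```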

