Environment
Novell Open Enterprise server (OES2 SP2) environment with novell-vigil enabled for NSS file system auditing, possibly sending the output to Novell Sentinel log manager.
HP-E-7658:/ # modinfo vigil
filename: /lib/modules/2.6.16.60-0.66.1-smp/weak-updates/vigil/vigil.ko
license: GPL
description: vigil - Kernel audit interface
author: Adam Jerome <abj@novell.com>
srcversion: 476D93E40B71B058D2D4F87
depends:
supported: yes
vermagic: 2.6.16.60-0.54.5-smp SMP 586 REGPARM gcc-4.1
parm: archive:Activate vigil archive client (charp)
HP-E-7658:/ # rpm -qa | grep vigil
novell-vigil-kmp-smp-1.0pre4_2.6.16.60_0.54.5-0.8.2
novell-vigil-vlog-0.1-0.6.7
novell-vigil-libs-1.0pre4-0.11.3
novell-vigil-kmp-bigsmp-1.0pre4_2.6.16.60_0.54.5-0.8.2
novell-vigil-1.0pre4-0.8.2
Situation
In order to enable NSS auditing on OES2 SP2 servers, the '/etc/init.d/novell-vigil' kernel audit interface needs to be started, and '/opt/novell/vigil/bin/vlog' needs to be executed.
Upon starting 'vlog', any auditing results from file system events will be logged to the corresponding '/var/log/audit/vlog' directories, and errors will be logged to '/var/log/messages'.
Using your preferred tool for making trustee modifications, assign trustee rights to the root of a volume.
This will produce results similar to those listed below:
HP-E-7658 kernel: VIGIL_NSS_ZIDHASH_PayloadAlloc[224] ERR:zZIDOpen() reports: zERR_INVALID_BEAST_ID[20300]
volumeID[059aeccc-10ab-01df-80-00-91afaf31eb0d] i_key[0]
HP-E-7658 kernel:VIGIL_NSS_ZIDHASH_Zid2UnicodeFilePathString[555] ERR:VIGIL_NSS_ZIDHASH_Resolve_ZidToName() reports: -2
HP-E-7658 kernel: VIGIL_NSS_ESR_ElementWrite_Path[326] ERR:VIGIL_NSS_ZIDHASH_Zid2UnicodeFilePathString() reports -2
HP-E-7658 kernel: VIGIL_NSS_ESR_AddTrustee[2952] ERR:VIGIL_NSS_ESR_ElementWrite_Path() reports: -2
HP-E-7658 kernel: 4294967294 Error sending (7) event to audit.
When performing the same trustee modification actions, but with increased 'vlog' debug logging enabled as follows: "/opt/novell/vigil/bin/vlog -V 69", one would also see additional output logged to '/var/log/messages', approximately 20 times per second, for example:
HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
<....>
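An added triage script (not part of this TID or of Novell's vigil tooling) that scans '/var/log/messages' lines for the signature above: every "Error sending (N) event to audit." line is reported as a dropped audit event (the trustee change never reached the audit log, which is the auditing gap to track), the VIGIL_NSS ERR: lines leading up to it are counted, and the peak per-second rate of the "Unknown Command" debug noise from 'vlog -V 69' is measured so it can be separated from real failures. The syslog timestamps and the sample lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines: the message bodies follow the
# ones quoted in this TID, the syslog timestamps are added here for the rate check.
SAMPLE_LOG = """\
Jun  1 10:15:02 HP-E-7658 kernel: VIGIL_NSS_ZIDHASH_PayloadAlloc[224] ERR:zZIDOpen() reports: zERR_INVALID_BEAST_ID[20300] volumeID[059aeccc-10ab-01df-80-00-91afaf31eb0d] i_key[0]
Jun  1 10:15:02 HP-E-7658 kernel:VIGIL_NSS_ZIDHASH_Zid2UnicodeFilePathString[555] ERR:VIGIL_NSS_ZIDHASH_Resolve_ZidToName() reports: -2
Jun  1 10:15:02 HP-E-7658 kernel: VIGIL_NSS_ESR_ElementWrite_Path[326] ERR:VIGIL_NSS_ZIDHASH_Zid2UnicodeFilePathString() reports -2
Jun  1 10:15:02 HP-E-7658 kernel: VIGIL_NSS_ESR_AddTrustee[2952] ERR:VIGIL_NSS_ESR_ElementWrite_Path() reports: -2
Jun  1 10:15:02 HP-E-7658 kernel: 4294967294 Error sending (7) event to audit.
Jun  1 10:15:03 HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
Jun  1 10:15:03 HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
Jun  1 10:15:03 HP-E-7658 kernel: VIGIL_NCP_SYSFS_StoreControlFile() reports:Unknown Command: []
Jun  1 10:15:04 HP-E-7658 kernel: unrelated kernel message
"""

# Classic syslog prefix; "kernel:" is sometimes not followed by a space (see the second line).
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel:\s*(?P<msg>.*)$')
DROP_RE = re.compile(r'Error sending \((\d+)\) event to audit')
NOISE_RE = re.compile(r'VIGIL_NCP_SYSFS_StoreControlFile\(\) reports:Unknown Command')


def triage(log_text):
    """Classify vigil messages: dropped audit events, NSS lookup errors, debug noise rate."""
    dropped = []                 # audit events the kernel could not deliver: an auditing gap
    nss_errors = 0               # VIGIL_NSS ... ERR: lines (ZID lookup chain before the drop)
    noise_per_second = Counter() # "Unknown Command" lines bucketed by syslog second
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        drop = DROP_RE.search(msg)
        if drop:
            dropped.append({'time': m.group('ts'), 'host': m.group('host'),
                            'event_type': int(drop.group(1))})
        elif msg.startswith('VIGIL_NSS') and 'ERR:' in msg:
            nss_errors += 1
        elif NOISE_RE.search(msg):
            noise_per_second[m.group('ts')] += 1
    return {'dropped_audit_events': dropped,
            'vigil_nss_errors': nss_errors,
            'debug_noise_peak_per_sec': max(noise_per_second.values(), default=0)}


if __name__ == '__main__':
    # Replace SAMPLE_LOG with open('/var/log/messages').read() on a live server.
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

A non-empty 'dropped_audit_events' list after a trustee change means the change is missing from '/var/log/audit/vlog' and from Sentinel, so the affected operation should be reviewed by other means until the fixed vigil_nss.ko is installed.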
Resolution
The problem has been identified, and a fix has been made in an updated vigil_nss.ko kernel module, which is currently being tested and is scheduled to be released in a future patch release.
Additional Information
Although Sentinel is not required in this setup, when Sentinel is available, these messages will appear in the Sentinel logs as "High Severity" messages.