# auditd "Error opening trigger file" error



## Vye (May 4, 2010)

After one of my 6.x upgrades (I don't recall which) auditd stopped working. It generates this error "Error opening trigger file" before exiting.


```
May  4 11:29:02 fbsd6 auditd[18746]: Error opening trigger file
May  4 11:29:02 fbsd6 root: audit warning: nostart
```

The ownership/permissions on /var/audit and the files within are root:audit 660. Googling around just turned up the different auditd source file commits. The following code generates the error but I'm not sure what file name AUDIT_TRIGGER_FILE is equal to. 


```
if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) {
		syslog(LOG_ERR, "Error opening trigger file");
 		fail_exit();
 	}
```

Does anyone have any ideas?


----------



## DutchDaemon (May 5, 2010)

I did some random grepping in the manuals, and I think auditon(2) (A_SENDTRIGGER, audit_control) and audit_control(5) (/etc/security/audit_control) may provide some background to this mechanism.


----------



## Vye (May 8, 2010)

How can I figure out what file is failing access() F_OK and readlink() in my strace below?. Those are the only two ENOENT errors I can see. It looks like it was able to open the five configuration files in /etc/security (or so I assume by the open( ,O_RDONLY) lines). Other than that I don't see anything in strace that looks like an error.


```
execve(0xbfbfe790, [0xbfbfec88], [/* 0 vars */]) = 0
mmap(0, 3952, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x88075000
munmap(0x88075000, 3952)                = 0
__sysctl([...], 0x88071618, 0xbfbfea34, NULL, 0) = 0
mmap(0, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x88075000
issetugid(0)                            = 0
open(0x8806c448, O_RDONLY)              = 3
fstat(3, {...})                         = 0
read(3, 0x88079000, 4096)               = 61
read(3, ""..., 4096)                    = 0
close(3)                                = 0
open(0x8806b6a0, O_RDONLY)              = 3
read(3, 0xbfbfea00, 128)                = 128
lseek(3, 128, SEEK_SET)                 = 128
read(3, 0x8807b000, 92)                 = 92
close(3)                                = 0
access(0x8807c000, F_OK)                = -1 ENOENT (No such file or directory)
access(0x8807c000, F_OK)                = 0
open(0x880760c0, O_RDONLY)              = 3
fstat(3, {...})                         = 0
read(3, 0x88070560, 4096)               = 4096
mmap(0, 81920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x8807d000
mprotect(0x8808f000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8808f000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x88090000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x13000) = 0x88090000
close(3)                                = 0
access(0x8807c000, F_OK)                = 0
open(0x880760e0, O_RDONLY)              = 3
fstat(3, {...})                         = 0
read(3, 0x88070560, 4096)               = 4096
mmap(0, 946176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_NOCORE, 3, 0) = 0x88091000
mprotect(0x8815b000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0
mprotect(0x8815b000, 4096, PROT_READ|PROT_EXEC) = 0
mmap(0x8815c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xcb000) = 0x8815c000
mmap(0x88162000, 90112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANON, -1, 0) = 0x88162000
close(3)                                = 0
sysarch(0xa, 0xbfbfeab0)                = 0
mmap(0, 624, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x88178000
munmap(0x88178000, 624)                 = 0
mmap(0, 1536, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x88178000
munmap(0x88178000, 1536)                = 0
mmap(0, 22864, PROT_READ|PROT_WRITE, MAP_ANON, -1, 0) = 0x88178000
munmap(0x88178000, 22864)               = 0
mmap(0, 36864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x88178000
sigprocmask(SIG_BLOCK, 0x880704a0, 0xbfbfea80) = 0
sigprocmask(SIG_SETMASK, 0x880704b0, NULL) = 0
gettimeofday({...}, NULL)               = 0
readlink(0x88154c97, 0xbfbfd6d0, 63)    = -1 ENOENT (No such file or directory)
issetugid(0x88077000)                   = 0
mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0x88181000
break(0x804e000)                        = 0
break(0x804f000)                        = 0
access(0x8815ab6c, R_OK)                = 0
open(0x8815ab6c, O_RDONLY)              = 3
fstat(3, {...})                         = 0
read(3, 0xbfbfba50, 7944)               = 1017
close(3)                                = 0
getpid()                                = 84146 (ppid 84143)
socket(PF_UNIX, SOCK_DGRAM, 0)          = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
connect(3, {...}, 106)                  = 0
sendto(3, 0xbfbfe350, 47, 0, NULL, 0)   = 47
syscall_416(0x1, 0xbfbfeb30, 0xbfbfeb50) = 0
fork()                                  = 84147
exit(0)                                 = ?
```

/etc = 7


----------



## DutchDaemon (May 8, 2010)

Try with truss(1), maybe?


----------

