From: Robert Watson
Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec 1 15:11:46 2012
New Revision: 243752
URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
  Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
  auditdistd (distributed audit daemon) to the build:

  - Manual cross references
  - Makefile for auditdistd
  - rc.d script, rc.conf entries
  - New group and user for auditdistd; associated aliases, etc.

  The audit trail distribution daemon provides reliable,
  cryptographically protected (and sandboxed) delivery of audit trails
  from live clients to audit server hosts in order to both allow
  centralised analysis, and improve resilience in the event of client
  compromises: clients are not permitted to change trail contents
  after submission.
Submitted by: pjd Sponsored by: The FreeBSD Foundation (auditdistd) Added: head/etc/rc.d/auditdistd (contents, props changed) head/usr.sbin/auditdistd/ head/usr.sbin/auditdistd/Makefile (contents, props changed) Modified: head/etc/defaults/rc.conf head/etc/ftpusers head/etc/mail/aliases head/etc/master.passwd head/etc/mtree/BSD.var.dist head/etc/rc.d/Makefile head/share/man/man4/audit.4 head/usr.sbin/Makefile Modified: head/etc/defaults/rc.conf ============================================================================== --- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012 (r243752) @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa auditd_enable="NO" # Run the audit daemon. auditd_program="/usr/sbin/auditd" # Path to the audit daemon. auditd_flags="" # Which options to pass to the audit daemon. +auditdistd_enable="NO" # Run the audit daemon. +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon. +auditdistd_flags="" # Which options to pass to the auditdistd daemon. cron_enable="YES" # Run the periodic job daemon. cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled). cron_dst="YES" # Handle DST transitions intelligently (YES/NO) Modified: head/etc/ftpusers ============================================================================== --- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,7 @@ _pflogd _dhcp uucp pop +auditdistd www hast nobody Modified: head/etc/mail/aliases ============================================================================== --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752) 
@@ -26,6 +26,7 @@ postmaster: root # General redirections for pseudo accounts _dhcp: root _pflogd: root +auditdistd: root bin: root bind: root daemon: root Modified: head/etc/master.passwd ============================================================================== --- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752) @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin Modified: head/etc/mtree/BSD.var.dist ============================================================================== --- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,10 @@ /set gname=audit audit .. + dist uname=auditdistd gname=audit mode=0770 + .. + remote uname=auditdistd gname=wheel mode=0700 + .. /set gname=wheel backups .. Modified: head/etc/rc.d/Makefile ============================================================================== --- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,7 @@ FILES= DAEMON \ atm2 \ atm3 \ auditd \ + auditdistd \ bgfsck \ bluetooth \ bootparams \ Added: head/etc/rc.d/auditdistd ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752) 
@@ -0,0 +1,21 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: auditdistd +# REQUIRE: auditd +# BEFORE: DAEMON +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="auditdistd" +rcvar="${name}_enable" +pidfile="/var/run/${name}.pid" +command="/usr/sbin/${name}" +required_files="/etc/${name}.conf" +extra_commands="reload" + +load_rc_config $name +run_rc_command "$1" Modified: head/share/man/man4/audit.4 ============================================================================== --- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751) +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752) @@ -96,7 +96,8 @@ to track users and events in a fine-grai .Xr audit_warn 5 , .Xr rc.conf 5 , .Xr audit 8 , -.Xr auditd 8 +.Xr auditd 8 , +.Xr auditdistd 8 .Sh HISTORY The .Tn OpenBSM Modified: head/usr.sbin/Makefile ============================================================================== --- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751) +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752) @@ -110,6 +110,9 @@ SUBDIR+= amd .if ${MK_AUDIT} != "no" SUBDIR+= audit SUBDIR+= auditd +.if ${MK_OPENSSL} != "no" +SUBDIR+= auditdistd +.endif SUBDIR+= auditreduce SUBDIR+= praudit .endif Added: head/usr.sbin/auditdistd/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 (r243752) 
@@ -0,0 +1,32 @@ +# +# $FreeBSD$ +# + +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm +.PATH: ${OPENBSMDIR}/bin/auditdistd + +# Addition of auditdistd because otherwise generated parse.c can't find +# auditdistd.h. This seems like a makefile non-feature. +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd + +NO_WFORMAT= + +PROG= auditdistd +SRCS= auditdistd.c +SRCS+= parse.y pjdlog.c +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c proto_tls.c +SRCS+= receiver.c +SRCS+= sandbox.c sender.c subr.c +SRCS+= token.l trail.c +MAN= auditdistd.8 auditdistd.conf.5 + +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL} +LDADD= -ll -lpthread -lutil +DPADD+= ${LIBCRYPTO} ${LIBSSL} +LDADD+= -lcrypto -lssl + +YFLAGS+=-v + +CLEANFILES=parse.c parse.h parse.output + +.include
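Review bot: in the head/etc/defaults/rc.conf hunk, the comment on the added auditdistd_enable line reads "# Run the audit daemon.", which is copied from the auditd_enable line above it and describes the wrong service. Suggest "# Run the audit distribution daemon." so that an administrator scanning rc.conf can tell the two knobs apart.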
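Review bot: in the head/etc/master.passwd hunk, the new account gets UID 78 but primary GID 77, and the log message says a new group is added, yet head/etc/group is not in the list of modified files. If 77 is meant to be an existing group (the BSD.var.dist hunk uses gname=audit for the dist directory), the log should say the user joins that group; if a dedicated group was intended, the etc/group change is missing from this commit.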
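Review bot: in the head/etc/mtree/BSD.var.dist hunk, the added dist and remote entries come after the ".." that closes the audit directory, so as the hunk reads they are created at the same level as audit rather than inside it. If they are meant to live under the audit directory, both entries need to sit between the audit line and its closing "..". Separately, mode=0770 on dist gives every member of the audit group write access to that directory; a short comment on why group write is needed would help the next reader judge whether 0750 is enough.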
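Review bot: in the new head/etc/rc.d/auditdistd script, required_files points at /etc/${name}.conf, but this commit installs no such file (the Added list has only the rc.d script and the usr.sbin/auditdistd Makefile), so setting auditdistd_enable to YES on a fresh install makes the start fail until the administrator writes the file. Suggest pointing at auditdistd.conf(5) in the rc.conf comment for auditdistd_enable, or shipping a commented sample configuration.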
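Review bot: in the head/usr.sbin/Makefile hunk, auditdistd is built only when MK_AUDIT and MK_OPENSSL are both not "no", while the head/etc/rc.d/Makefile hunk adds the rc script to FILES unconditionally. A system built without OpenSSL ends up with the script and the rc.conf knobs but no binary behind them; either guard the script the same way or add a comment next to the .if stating the dependency.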
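Review bot: in the new head/usr.sbin/auditdistd/Makefile, "NO_WFORMAT=" is set without explanation, which turns off format-string warnings for a daemon whose SRCS include its own logging code (pjdlog.c) and network-facing code (proto_tcp.c, proto_tls.c, receiver.c). Format-string mistakes are exactly the class of bug those warnings catch, so it would be better to fix the offending call sites and drop the knob, or at least add a comment naming the warnings being suppressed and why.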