From: Ryan Steinmetz
Date: Fri, 15 Feb 2013 03:05:59 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r312271 - in head/security: . openbsm-devel openbsm-devel/files

Author: zi
Date: Fri Feb 15 03:05:58 2013
New Revision: 312271
URL: http://svnweb.freebsd.org/changeset/ports/312271

Log:
  New port: security/openbsm-devel:

  OpenBSM is an open source implementation of Sun's Basic Security Module (BSM)
  Audit API and file format. BSM, the de facto industry standard for Audit,
  describes a set of system call and library interfaces for managing audit
  records, as well as a token stream file format that permits extensible and
  generalized audit trail processing. OpenBSM extends the BSM API and file
  format in a number of ways to support features present in the Mac OS X and
  FreeBSD operating systems, such as Mach task interfaces, sendfile(), and
  Linux system calls present in the FreeBSD Linux emulation layer.

Added: head/security/openbsm-devel/ - copied from r312250, head/security/openbsm/ head/security/openbsm-devel/files/ head/security/openbsm-devel/files/auditdistd.in (contents, props changed) head/security/openbsm-devel/files/pkg-message.in (contents, props changed) Modified: head/security/Makefile head/security/openbsm-devel/Makefile (contents, props changed) head/security/openbsm-devel/distinfo (contents, props changed) head/security/openbsm-devel/pkg-plist (contents, props changed) Modified: head/security/Makefile ============================================================================== --- head/security/Makefile Fri Feb 15 02:58:24 2013 (r312270) +++ head/security/Makefile Fri Feb 15 03:05:58 2013 (r312271) @@ -344,6 +344,7 @@ SUBDIR += oinkmaster SUBDIR += op SUBDIR += openbsm + SUBDIR += openbsm-devel SUBDIR += opencdk SUBDIR += openconnect SUBDIR += opencryptoki Modified: head/security/openbsm-devel/Makefile ============================================================================== --- head/security/openbsm/Makefile Thu Feb 14 23:41:53 2013 (r312250) +++ head/security/openbsm-devel/Makefile Fri Feb 15 03:05:58 2013 (r312271) 
@@ -1,55 +1,58 @@ -# New ports collection makefile for: openbsm -# Date created: Jun 13 2006 -# Whom: Florent Thoumie -# +# Created by: Ryan Steinmetz # $FreeBSD$ -# PORTNAME= openbsm -DISTVERSION= 1.1-p2 +DISTVERSION= 1.2-alpha3 CATEGORIES= security -MASTER_SITES= http://www.trustedbsd.org/downloads/ -DISTNAME= openbsm-${DISTVERSION} +MASTER_SITES= http://www.trustedbsd.org/downloads/ \ + http://mirrors.rit.edu/zi/ +PKGNAMESUFFIX= -devel EXTRACT_SUFX= .tgz -MAINTAINER= flz@FreeBSD.org +MAINTAINER= zi@FreeBSD.org COMMENT= Open Source Basic Security Module (BSM) Audit Implementation +LICENSE= BSD +LICENSE_FILE= ${WRKSRC}/LICENSE + +CONFLICTS= openbsm-1.[0-9]* + GNU_CONFIGURE= yes USE_LDCONFIG= yes -MAN1= auditreduce.1 \ - praudit.1 -MAN2= audit.2 \ - auditctl.2 \ - auditon.2 \ - getaudit.2 \ - getauid.2 \ - setaudit.2 \ +USE_RC_SUBR= auditdistd +SUB_FILES= pkg-message +PLIST_SUB= USERS=${USERS} GROUPS=${GROUPS} + +USERS= auditdistd +GROUPS= audit + +VARAUDIT= /var/audit +MAN1= auditreduce.1 praudit.1 +MAN2= audit.2 auditctl.2 auditon.2 getaudit.2 getauid.2 setaudit.2 \ setauid.2 -MAN3= au_class.3 \ - au_control.3 \ - au_domain.3 \ - au_errno.3 \ - au_event.3 \ - au_fcntl_cmd.3 \ - au_free_token.3 \ - au_io.3 \ - au_mask.3 \ - au_open.3 \ - au_socket_type.3 \ - au_token.3 \ - au_user.3 \ - libauditd.3 \ - libbsm.3 -MAN5= audit.log.5 \ - audit_class.5 \ - audit_control.5 \ - audit_event.5 \ - audit_user.5 \ - audit_warn.5 -MAN8= auditfilterd.8 \ - audit.8 \ - auditd.8 +MAN3= au_class.3 au_control.3 au_domain.3 au_errno.3 au_event.3 \ + au_fcntl_cmd.3 au_free_token.3 au_io.3 au_mask.3 au_open.3 \ + au_socket_type.3 au_token.3 au_user.3 libauditd.3 libbsm.3 +MAN5= audit.log.5 auditdistd.conf.5 audit_class.5 audit_control.5 \ + audit_event.5 audit_user.5 audit_warn.5 +MAN8= auditfilterd.8 audit.8 auditd.8 auditdistd.8 + +.include + +.if ${OSVERSION} <= 800000 +IGNORE= requires FreeBSD 8.x or above +.endif + +.if ${OSVERSION} >= 1000000 +IGNORE= is not needed under 
FreeBSD 10.x or higher +.endif + +post-install: + @${MKDIR} -m 0770 ${VARAUDIT}/dist + @${MKDIR} -m 0700 ${VARAUDIT}/remote + @${CHOWN} ${USERS}:${GROUPS} ${VARAUDIT}/dist + @${CHOWN} ${USERS}:wheel ${VARAUDIT}/remote + @${CAT} ${PKGMESSAGE} -.include +.include Modified: head/security/openbsm-devel/distinfo ============================================================================== --- head/security/openbsm/distinfo Thu Feb 14 23:41:53 2013 (r312250) +++ head/security/openbsm-devel/distinfo Fri Feb 15 03:05:58 2013 (r312271) @@ -1,2 +1,2 @@ -SHA256 (openbsm-1.1-p2.tgz) = f3385a27d06ebb6a6c78e9ff9295d02129ad05a34b3283a7b35adf9ae8ee9eb3 -SIZE (openbsm-1.1-p2.tgz) = 546453 +SHA256 (openbsm-1.2-alpha3.tgz) = 88c9035e3c436b6ca5d19e9143bbc2c93b4a579da9e52fe10672cce51bd5a74e +SIZE (openbsm-1.2-alpha3.tgz) = 691013 Added: head/security/openbsm-devel/files/auditdistd.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openbsm-devel/files/auditdistd.in Fri Feb 15 03:05:58 2013 (r312271) @@ -0,0 +1,21 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: auditdistd +# REQUIRE: auditd +# BEFORE: DAEMON +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="auditdistd" +rcvar="${name}_enable" +pidfile="/var/run/${name}.pid" +command="%%PREFIX%%/sbin/${name}" +required_files="/etc/security/${name}.conf" +extra_commands="reload" + +load_rc_config $name +run_rc_command "$1" Added: head/security/openbsm-devel/files/pkg-message.in ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openbsm-devel/files/pkg-message.in Fri Feb 15 03:05:58 2013 (r312271) 
@@ -0,0 +1,70 @@ +=============================================================================== + +Additional configuration is required if you wish to use auditdistd: + +On the receiver, perform the following: + +1. Generate a certificate: +# openssl req -x509 -nodes -newkey rsa:4096 -days 1825 -batch \ + -out /etc/security/auditdistd.cert.pem \ + -keyout /etc/security/auditdistd.key.pem +# chmod 0600 /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem +# chown root:wheel /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem + +2. Print out the public key's fingerprint: +# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | \ + awk -F '[ =]' '{printf("%s=%s\n", $1, $3)}' +SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30... + +3. Generate a password used to authenticate both hosts against eachother: +# dd if=/dev/urandom bs=32 count=1 | openssl base64 | cut -b -32 +YjwbK69H5cEBlhcT+eJpJgJTFn5B2SrG + +4. Create /etc/security/auditdistd.conf configuration file: +receiver { + host " { + remote "tls://" + password "" + } +} + +5. Update permissions on the auditdistd configuration file: +# chmod 600 /etc/security/auditdistd.conf +# chown root:wheel /etc/security/auditdistd.conf + +6. Add the following to /etc/rc.conf: +auditdistd_enable="YES" + +7. Start auditdistd: +service auditdistd start + +=============================================================================== + +On the sender, perform the following: + +1. Ensure your kernel is compiled with: +options AUDIT + +2. Add the following to /etc/rc.conf: +auditd_enable="YES" +auditd_program="%%PREFIX%%/sbin/auditd" +auditdistd_enable="YES" + +3. Add the following to /etc/security/audit_control: +dist:on + +4. Create /etc/security/auditdistd.conf configuration file: +sender { + host "" { + remote "tls://" + fingerprint "SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:..." + password "" + } +} + +4. 
Start the required daemons: +service auditd start && service auditdistd start + +Additional information regarding auditdistd may be found on the OpenBSM wiki: +https://wiki.freebsd.org/auditdistd +=============================================================================== Modified: head/security/openbsm-devel/pkg-plist ============================================================================== --- head/security/openbsm/pkg-plist Thu Feb 14 23:41:53 2013 (r312250) +++ head/security/openbsm-devel/pkg-plist Fri Feb 15 03:05:58 2013 (r312271) @@ -24,7 +24,15 @@ lib/libbsm.so lib/libbsm.so.0 sbin/audit sbin/auditd +sbin/auditdistd sbin/auditfilterd sbin/auditreduce sbin/praudit @dirrm include/bsm +@cwd / +@exec mkdir -m 0770 var/audit/dist +@exec mkdir -m 0700 var/audit/remote +@exec chown %%USERS%%:%%GROUPS var/audit/dist +@exec chown %%USERS%%:wheel var/audit/remote +@unexec rmdir var/audit/dist 2>/dev/null || true +@unexec rmdir var/audit/remote 2>/dev/null || true
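
Review bot: In the post-install target of head/security/openbsm-devel/Makefile, the modes 0770 and 0700 are only passed to ${MKDIR} -m, so if ${MKDIR} expands to mkdir -p (as is usual in the ports framework) a ${VARAUDIT}/dist or ${VARAUDIT}/remote that already exists keeps whatever mode it had. These directories hold audit trails, so consider an explicit ${CHMOD} after each ${MKDIR} to enforce the permissions on reinstall as well. The ${CHOWN} ${USERS}:${GROUPS} lines also rely on USERS and GROUPS each holding exactly one name; a dedicated owner variable would keep them working if another user or group is added later.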
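
Review bot: In files/auditdistd.in, load_rc_config $name is followed directly by run_rc_command "$1" with no default for the rcvar. Setting a default such as : ${auditdistd_enable:="NO"} between the two lines keeps rc.subr from warning about an unset variable on hosts that installed the port but have not enabled the service.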
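
Review bot: In files/pkg-message.in, the sender section numbers two consecutive steps "4." (the auditdistd.conf step and "Start the required daemons"), so the last one should be 5. In receiver step 3, "eachother" should be "each other", and the sample password printed under the dd command would be better marked as example output so that it is not pasted into a real auditdistd.conf. The receiver example's host line, host " {, also shows an unbalanced quote where the sender example has host "" {.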
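
Review bot: In the pkg-plist hunk, the line @exec chown %%USERS%%:%%GROUPS var/audit/dist is missing the closing %% on GROUPS, so the PLIST_SUB substitution will not apply to the group and var/audit/dist will not end up owned by the audit group at package install time. It should read %%USERS%%:%%GROUPS%%. The two @exec mkdir lines also have no -p, so they fail when a directory is left over from an earlier install, which can happen because the @unexec rmdir lines only remove empty directories.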