Date:      Tue, 18 Dec 2012 15:18:43 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        stable@FreeBSD.org
Subject:   MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Message-ID:  <alpine.BSF.2.00.1212181516250.99201@fledge.watson.org>


Dear all:

Just an FYI that the new distributed audit daemon has been MFC'd to 9-STABLE.

As noted in UPDATING, you will need to run "mergemaster -p" before using 
installkernel or installworld targets in order to add the new "auditdistd" 
system user.  This should be part of the regular update cycle anyway, but 
after the experience of adding auditdistd in 10-CURRENT, we've discovered that 
many people are skipping that step in the update cycle, so I figured it best 
to point out here.

(Technically, only installworld requires the user, but the user-check guards 
in the system Makefiles are enforced for both targets.)

More details on the daemon below.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: current@FreeBSD.org
Cc: security@FreeBSD.org
Subject: Distributed audit daemon committed (was: svn commit: r243752 - in head:
      etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
     usr.sbin/auditdistd (fwd))


Dear all:

I've now committed the build glue required to install the recently merged Audit 
Distribution Daemon (auditdistd), contributed by Pawel Dawidek and 
sponsored by the FreeBSD Foundation.  This allows individual hosts generating 
audit trails to submit trails to a central audit server for review and safe 
keeping.  Part of the goal is to ensure that a host submitting trail data can't 
later modify the trails.  Pawel uses a variety of useful security- and 
resilience-related features such as TLS, Capsicum, etc., in auditdistd.  As the 
recent security incident in the FreeBSD.org cluster illustrated, having 
reliable and detailed audit trails makes a big difference in forensic work, and 
hopefully this will allow the FreeBSD Project (and our users) to do that better 
in the future.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
From: Robert Watson <rwatson@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
     svn-src-head@freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
     etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec  1 15:11:46 2012
New Revision: 243752
URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
   auditdistd (distributed audit daemon) to the build:

   - Manual cross references
   - Makefile for auditdistd
   - rc.d script, rc.conf entries
   - New group and user for auditdistd; associated aliases, etc.

   The audit trail distribution daemon provides reliable,
   cryptographically protected (and sandboxed) delivery of audit trails
   from live clients to audit server hosts in order to both allow
   centralised analysis, and improve resilience in the event of client
   compromises: clients are not permitted to change trail contents
   after submission.

   Submitted by:	pjd
   Sponsored by:	The FreeBSD Foundation (auditdistd)

Added:
   head/etc/rc.d/auditdistd   (contents, props changed)
   head/usr.sbin/auditdistd/
   head/usr.sbin/auditdistd/Makefile   (contents, props changed)
Modified:
   head/etc/defaults/rc.conf
   head/etc/ftpusers
   head/etc/mail/aliases
   head/etc/master.passwd
   head/etc/mtree/BSD.var.dist
   head/etc/rc.d/Makefile
   head/share/man/man4/audit.4
   head/usr.sbin/Makefile

Modified: head/etc/defaults/rc.conf
==============================================================================
--- head/etc/defaults/rc.conf	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/defaults/rc.conf	Sat Dec  1 15:11:46 2012	(r243752)
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO"	# Run newa
  auditd_enable="NO"	# Run the audit daemon.
  auditd_program="/usr/sbin/auditd"	# Path to the audit daemon.
  auditd_flags=""		# Which options to pass to the audit daemon.
+auditdistd_enable="NO"	# Run the audit daemon.
+auditdistd_program="/usr/sbin/auditdistd"	# Path to the auditdistd 
daemon.
+auditdistd_flags=""	# Which options to pass to the auditdistd daemon.
  cron_enable="YES"	# Run the periodic job daemon.
  cron_program="/usr/sbin/cron"	# Which cron executable to run (if enabled).
  cron_dst="YES"		# Handle DST transitions intelligently (YES/NO)
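Review bot: the comment on the new `auditdistd_enable="NO"` line reads "Run the audit daemon.", copied from the `auditd_enable` line just above it; it should describe the new knob, e.g. `# Run the audit distribution daemon.`, so that readers of rc.conf(5) defaults can tell the two services apart.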

Modified: head/etc/ftpusers
==============================================================================
--- head/etc/ftpusers	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/ftpusers	Sat Dec  1 15:11:46 2012	(r243752)
@@ -19,6 +19,7 @@ _pflogd
  _dhcp
  uucp
  pop
+auditdistd
  www
  hast
  nobody

Modified: head/etc/mail/aliases
==============================================================================
--- head/etc/mail/aliases	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/mail/aliases	Sat Dec  1 15:11:46 2012	(r243752)
@@ -26,6 +26,7 @@ postmaster: root
  # General redirections for pseudo accounts
  _dhcp:	root
  _pflogd: root
+auditdistd:	root
  bin:	root
  bind:	root
  daemon:	root

Modified: head/etc/master.passwd
==============================================================================
--- head/etc/master.passwd	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/master.passwd	Sat Dec  1 15:11:46 2012	(r243752)
@@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
  _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
  uucp:*:66:66::0:0:UUCP 
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
  pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
+auditdistd:*:78:77::0:0:Auditdistd unprivileged 
user:/var/empty:/usr/sbin/nologin
  www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
  hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
  nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
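Review bot: the log message says a new group is added for auditdistd, but no change to etc/group appears in this revision; the new entry gives the user primary gid 77, which the BSD.var.dist hunk in the same commit treats as the existing `audit` group (`gname=audit`). Either the etc/group change is missing from the commit or the log should say the user is placed in the existing audit group. Also worth confirming that uid 78 is not already claimed elsewhere before this is merged.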

Modified: head/etc/mtree/BSD.var.dist
==============================================================================
--- head/etc/mtree/BSD.var.dist	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/mtree/BSD.var.dist	Sat Dec  1 15:11:46 2012	(r243752)
@@ -19,6 +19,10 @@
  /set gname=audit
      audit
      ..
+        dist            uname=auditdistd gname=audit mode=0770
+        ..
+        remote          uname=auditdistd gname=wheel mode=0700
+        ..
  /set gname=wheel
      backups
      ..
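Review bot: `dist` is created with mode 0770 and gname=audit, so every member of the audit group can write to and unlink from the outgoing trail queue, not just the auditdistd user; if the group only needs to read queued trails, 0750 would keep removal of not-yet-submitted trails to the owner and root. A short comment explaining why `remote` uses gname=wheel with mode 0700 (the group bits are irrelevant at that mode) would also help the next reader.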

Modified: head/etc/rc.d/Makefile
==============================================================================
--- head/etc/rc.d/Makefile	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/etc/rc.d/Makefile	Sat Dec  1 15:11:46 2012	(r243752)
@@ -19,6 +19,7 @@ FILES=	DAEMON \
  	atm2 \
  	atm3 \
  	auditd \
+	auditdistd \
  	bgfsck \
  	bluetooth \
  	bootparams \

Added: head/etc/rc.d/auditdistd
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/etc/rc.d/auditdistd	Sat Dec  1 15:11:46 2012	(r243752)
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: auditdistd
+# REQUIRE: auditd
+# BEFORE:  DAEMON
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="auditdistd"
+rcvar="${name}_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_files="/etc/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
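Review bot: `pidfile="/var/run/${name}.pid"` is set but nothing in the script passes that path to the daemon, so status/stop only work if the daemon's built-in default pidfile is the same path; if it is, a one-line comment saying so prevents a later mismatch, otherwise the path should go into `command_args`. `required_files` already guards on /etc/auditdistd.conf, which is the right place for the TLS settings, so the script is otherwise consistent with the other rc.d scripts in this directory.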

Modified: head/share/man/man4/audit.4
==============================================================================
--- head/share/man/man4/audit.4	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/share/man/man4/audit.4	Sat Dec  1 15:11:46 2012	(r243752)
@@ -96,7 +96,8 @@ to track users and events in a fine-grai
  .Xr audit_warn 5 ,
  .Xr rc.conf 5 ,
  .Xr audit 8 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr auditdistd 8
  .Sh HISTORY
  The
  .Tn OpenBSM

Modified: head/usr.sbin/Makefile
==============================================================================
--- head/usr.sbin/Makefile	Sat Dec  1 13:46:37 2012	(r243751)
+++ head/usr.sbin/Makefile	Sat Dec  1 15:11:46 2012	(r243752)
@@ -110,6 +110,9 @@ SUBDIR+=	amd
  .if ${MK_AUDIT} != "no"
  SUBDIR+=	audit
  SUBDIR+=	auditd
+.if ${MK_OPENSSL} != "no"
+SUBDIR+=	auditdistd
+.endif
  SUBDIR+=	auditreduce
  SUBDIR+=	praudit
  .endif
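Review bot: building auditdistd is made conditional on `MK_OPENSSL != "no"` here, but the rc.d script, the rc.conf defaults and the master.passwd/aliases/ftpusers entries in this commit are installed unconditionally, so a WITHOUT_OPENSSL build ends up with an rc script whose `command` does not exist. rc.subr declines to start a missing command, so nothing breaks, but a comment here or in the rc.d script noting the OpenSSL dependency, or making the rc.d FILES entry conditional the same way, would avoid confusion.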

Added: head/usr.sbin/auditdistd/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/usr.sbin/auditdistd/Makefile	Sat Dec  1 15:11:46 2012 
(r243752)
@@ -0,0 +1,32 @@
+#
+# $FreeBSD$
+#
+
+OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
+.PATH: ${OPENBSMDIR}/bin/auditdistd
+
+# Addition of auditdistd because otherwise generated parse.c can't find
+# auditdistd.h.  This seems like a makefile non-feature.
+CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
+
+NO_WFORMAT=
+
+PROG=	auditdistd
+SRCS=	auditdistd.c
+SRCS+=	parse.y pjdlog.c
+SRCS+=	proto.c proto_common.c proto_socketpair.c proto_tcp.c proto_tls.c
+SRCS+=	receiver.c
+SRCS+=	sandbox.c sender.c subr.c
+SRCS+=	token.l trail.c
+MAN=	auditdistd.8 auditdistd.conf.5
+
+DPADD=	${LIBL} ${LIBPTHREAD} ${LIBUTIL}
+LDADD=	-ll -lpthread -lutil
+DPADD+=	${LIBCRYPTO} ${LIBSSL}
+LDADD+=	-lcrypto -lssl
+
+YFLAGS+=-v
+
+CLEANFILES=parse.c parse.h parse.output
+
+.include <bsd.prog.mk>
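Review bot: `NO_WFORMAT=` disables format-string warnings for the whole program, including the parser, receiver and TLS sources; for a daemon that processes network input and is meant to run as a dedicated unprivileged user, it would be preferable to fix or narrow the offending call sites in the contrib sources rather than suppress the class wholesale, or at least explain in a comment what triggers it, as the CFLAGS comment above already does for the include path. The DPADD/LDADD pairs are otherwise consistent with each other.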