From owner-freebsd-stable@FreeBSD.ORG Tue Dec 18 17:19:22 2012
From: Bas Smeelen <b.smeelen@ose.nl>
Date: Tue, 18 Dec 2012 18:19:19 +0100
To: freebsd-stable@freebsd.org
Subject: Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Message-ID: <50D0A597.8060207@ose.nl>
List-Id: Production branch of FreeBSD source code

On 12/18/12 16:18, Robert Watson wrote:
>
> Dear all:
>
> Just an FYI that the new distributed audit daemon has been MFC'd to
> 9-STABLE. Thanks.
>
> As noted in UPDATING, you will need to run "mergemaster -p" before
> using installkernel or installworld targets in order to add the new
> "auditdistd" system user. This should be part of the regular update
> cycle anyway, but after the experience of adding auditdistd in
> 10-CURRENT, we've discovered that many people are skipping that step
> in the update cycle, so I figured it best to point out here.
>
> (Technically, only installworld requires the user, but the user-check
> guards in the system Makefiles are enforced for both targets.)

Maybe /usr/src/UPDATING should be updated? The end of /usr/src/UPDATING
mentions "mergemaster -p" after the installation of the new kernel and
rebooting to single user mode instead of before. This is on 9.1-RELEASE
and also in CURRENT. At least the entry in /usr/src/UPDATING on CURRENT
for this change

20121201:
	With the addition of auditdistd(8), a new auditdistd user is now
	depended on during installworld. "mergemaster -p" can be used to
	add the user prior to installworld, as documented in the handbook.

should be "prior to installkernel" then also instead of "prior to
installworld".

> More details on the daemon below.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
> From: Robert Watson
> To: current@FreeBSD.org
> Cc: security@FreeBSD.org
> Subject: Distributed audit daemon committed (was: svn commit: r243752 - in head:
>     etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
>     usr.sbin/auditdistd (fwd))
>
>
> Dear all:
>
> I've now committed the build glue required to install the recently
> merged Audit Distribution Daemon (auditdistd) contributed by Pawel
> Dawidek, and sponsored by the FreeBSD Foundation. This allows
> individual hosts generating audit trails to submit trails to a central
> audit server for review and safe keeping. Part of the goal is to
> ensure that a host submitting trail data can't later modify the
> trails. Pawel uses a variety of useful security- and
> resilience-related features such as TLS, Capsicum, etc., in
> auditdistd. As the recent security incident in the FreeBSD.org
> cluster illustrated, having reliable and detailed audit trails makes a
> big difference in forensic work, and hopefully this will allow the
> FreeBSD Project (and our users) to do that better in the future.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
> From: Robert Watson
> To: src-committers@freebsd.org, svn-src-all@freebsd.org,
>     svn-src-head@freebsd.org
> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
>     etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
>
> Author: rwatson
> Date: Sat Dec 1 15:11:46 2012
> New Revision: 243752
> URL: http://svnweb.freebsd.org/changeset/base/243752
>
> Log:
>   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
>   auditdistd (distributed audit daemon) to the build:
>
>   - Manual cross references
>   - Makefile for auditdistd
>   - rc.d script, rc.conf entries
>   - New group and user for auditdistd; associated aliases, etc.
>
>   The audit trail distribution daemon provides reliable,
>   cryptographically protected (and sandboxed) delivery of audit trails
>   from live clients to audit server hosts in order to both allow
>   centralised analysis, and improve resilience in the event of client
>   compromises: clients are not permitted to change trail contents
>   after submission.
>
>   Submitted by: pjd
>   Sponsored by: The FreeBSD Foundation (auditdistd)
>
> Added:
>   head/etc/rc.d/auditdistd (contents, props changed)
>   head/usr.sbin/auditdistd/
>   head/usr.sbin/auditdistd/Makefile (contents, props changed)
> Modified:
>   head/etc/defaults/rc.conf
>   head/etc/ftpusers
>   head/etc/mail/aliases
>   head/etc/master.passwd
>   head/etc/mtree/BSD.var.dist
>   head/etc/rc.d/Makefile
>   head/share/man/man4/audit.4
>   head/usr.sbin/Makefile
>
> Modified: head/etc/defaults/rc.conf
> ==============================================================================
>
> --- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012 (r243752)
> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa > auditd_enable="NO" # Run the audit daemon. > auditd_program="/usr/sbin/auditd" # Path to the audit daemon. > auditd_flags="" # Which options to pass to the audit daemon. > +auditdistd_enable="NO" # Run the audit daemon. > +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd > daemon. > +auditdistd_flags="" # Which options to pass to the auditdistd daemon. > cron_enable="YES" # Run the periodic job daemon. > cron_program="/usr/sbin/cron" # Which cron executable to run (if > enabled). > cron_dst="YES" # Handle DST transitions intelligently (YES/NO) > > Modified: head/etc/ftpusers > ============================================================================== > > --- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751) > +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752) > @@ -19,6 +19,7 @@ _pflogd > _dhcp > uucp > pop > +auditdistd > www > hast > nobody > > Modified: head/etc/mail/aliases > ============================================================================== > > --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751) > +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752) > @@ -26,6 +26,7 @@ postmaster: root > # General redirections for pseudo accounts > _dhcp: root > _pflogd: root > +auditdistd: root > bin: root > bind: root > daemon: root > > Modified: head/etc/master.passwd > ============================================================================== > > --- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751) > +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752) 
> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user > _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin > uucp:*:66:66::0:0:UUCP > pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico > pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin > +auditdistd:*:78:77::0:0:Auditdistd unprivileged > user:/var/empty:/usr/sbin/nologin > www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin > hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin > nobody:*:65534:65534::0:0:Unprivileged > user:/nonexistent:/usr/sbin/nologin > > Modified: head/etc/mtree/BSD.var.dist > ============================================================================== > > --- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751) > +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752) > @@ -19,6 +19,10 @@ > /set gname=audit > audit > .. > + dist uname=auditdistd gname=audit mode=0770 > + .. > + remote uname=auditdistd gname=wheel mode=0700 > + .. > /set gname=wheel > backups > .. > > Modified: head/etc/rc.d/Makefile > ============================================================================== > > --- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751) > +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752) > @@ -19,6 +19,7 @@ FILES= DAEMON \ > atm2 \ > atm3 \ > auditd \ > + auditdistd \ > bgfsck \ > bluetooth \ > bootparams \ > > Added: head/etc/rc.d/auditdistd > ============================================================================== > > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752) 
> @@ -0,0 +1,21 @@ > +#!/bin/sh > +# > +# $FreeBSD$ > +# > + > +# PROVIDE: auditdistd > +# REQUIRE: auditd > +# BEFORE: DAEMON > +# KEYWORD: nojail shutdown > + > +. /etc/rc.subr > + > +name="auditdistd" > +rcvar="${name}_enable" > +pidfile="/var/run/${name}.pid" > +command="/usr/sbin/${name}" > +required_files="/etc/${name}.conf" > +extra_commands="reload" > + > +load_rc_config $name > +run_rc_command "$1" > > Modified: head/share/man/man4/audit.4 > ============================================================================== > > --- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751) > +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752) > @@ -96,7 +96,8 @@ to track users and events in a fine-grai > .Xr audit_warn 5 , > .Xr rc.conf 5 , > .Xr audit 8 , > -.Xr auditd 8 > +.Xr auditd 8 , > +.Xr auditdistd 8 > .Sh HISTORY > The > .Tn OpenBSM > > Modified: head/usr.sbin/Makefile > ============================================================================== > > --- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751) > +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752) > @@ -110,6 +110,9 @@ SUBDIR+= amd > .if ${MK_AUDIT} != "no" > SUBDIR+= audit > SUBDIR+= auditd > +.if ${MK_OPENSSL} != "no" > +SUBDIR+= auditdistd > +.endif > SUBDIR+= auditreduce > SUBDIR+= praudit > .endif > > Added: head/usr.sbin/auditdistd/Makefile > ============================================================================== > > --- /dev/null 00:00:00 1970 (empty, because file is newly added) > +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 > (r243752) 
> @@ -0,0 +1,32 @@ > +# > +# $FreeBSD$ > +# > + > +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm > +.PATH: ${OPENBSMDIR}/bin/auditdistd > + > +# Addition of auditdistd because otherwise generated parse.c can't find > +# auditdistd.h. This seems like a makefile non-feature. > +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd > + > +NO_WFORMAT= > + > +PROG= auditdistd > +SRCS= auditdistd.c > +SRCS+= parse.y pjdlog.c > +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c > proto_tls.c > +SRCS+= receiver.c > +SRCS+= sandbox.c sender.c subr.c > +SRCS+= token.l trail.c > +MAN= auditdistd.8 auditdistd.conf.5 > + > +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL} > +LDADD= -ll -lpthread -lutil > +DPADD+= ${LIBCRYPTO} ${LIBSSL} > +LDADD+= -lcrypto -lssl > + > +YFLAGS+=-v > + > +CLEANFILES=parse.c parse.h parse.output > + > +.include
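Review bot: the comment on the new `auditdistd_enable="NO"` line in the etc/defaults/rc.conf hunk is copied from the auditd entry directly above it and still reads "Run the audit daemon."; it should read "Run the audit distribution daemon." so the two knobs are distinguishable when someone greps rc.conf for the audit settings.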
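Review bot: the log message lists "New group and user for auditdistd", but etc/group is not in the Modified list, and the new master.passwd line `auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin` gives the user primary gid 77, the group the BSD.var.dist hunk names as `gname=audit`. Either the log should say the user is placed in the existing audit group, or the etc/group change is missing from this commit; as committed, `mergemaster -p` adds a user but no group.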
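Review bot: the new etc/rc.d/auditdistd script declares `extra_commands="reload"` without a `reload_cmd`, so it relies on rc.subr's default reload, which signals the process named in `pidfile` with SIGHUP; that is only correct if auditdistd re-reads /etc/auditdistd.conf on SIGHUP, which the auditdistd.8 page added in the same commit should state explicitly. If the daemon does not handle SIGHUP, drop `reload` from extra_commands rather than leave an rc command that kills the daemon.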
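Review bot: usr.sbin/Makefile only builds auditdistd inside `.if ${MK_OPENSSL} != "no"` (nested under MK_AUDIT), but the etc/rc.d/Makefile hunk adds `auditdistd \` to FILES unconditionally and the rc.conf defaults are likewise unconditional, so a WITHOUT_OPENSSL or WITHOUT_AUDIT build still installs /etc/rc.d/auditdistd for a /usr/sbin/auditdistd that was never built. Gate the rc.d entry on the same knobs, as is already done for other optional daemons in that Makefile.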
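Review bot: `NO_WFORMAT=` in usr.sbin/auditdistd/Makefile turns off format-string warnings for the entire daemon, and this is a network-facing program that parses a config file (parse.y, token.l) and remote protocol messages (proto_tcp.c, proto_tls.c, receiver.c), exactly the code where -Wformat earns its keep. Fix the offending printf-family calls in the contrib/openbsm sources, or confine the suppression to the one object that needs it, instead of disabling the check for the whole program.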
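The prerequisite the thread is about (the auditdistd user must exist before installworld, which is why `mergemaster -p` has to run first), written up as an added shell example that is not part of this thread or of the FreeBSD source tree. It checks the things the committed patch expects: an auditdistd user with uid 78 and gid 77 in master.passwd, an audit group with gid 77 in /etc/group (the patch only implies that gid 77 is the audit group, via the master.passwd and BSD.var.dist hunks, so that is an assumption here), and, as a separate post-installworld check that goes slightly beyond the text, /var/audit/dist and /var/audit/remote with the owner, group and mode from the mtree hunk. File paths are parameters so it can be run against copies of the files; the function names are this example's own.

```shell
#!/bin/sh
# Added example: checks for the installworld prerequisite discussed in the
# thread. Not part of the FreeBSD source tree or of r243752.
# Assumed from the committed patch: the auditdistd user is uid 78 with
# primary gid 77, gid 77 is the "audit" group named in the mtree hunk, and
# /var/audit must contain dist (auditdistd:audit 0770) and remote
# (auditdistd:wheel 0700).

# check_user FILE NAME UID GID
# FILE is master.passwd or passwd (uid is field 3 and gid field 4 in both).
# Returns 0 if NAME has exactly UID/GID, 1 if present with other ids, 2 if absent.
check_user() {
    awk -F: -v n="$2" -v u="$3" -v g="$4" '
        $1 == n { found = 1; if ($3 == u && $4 == g) ok = 1 }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }' "$1"
}

# check_group FILE NAME GID -- same contract for /etc/group (gid is field 3).
check_group() {
    awk -F: -v n="$2" -v g="$3" '
        $1 == n { found = 1; if ($3 == g) ok = 1 }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }' "$1"
}

# check_dir DIR OWNER GROUP MODE
# Returns 0 only if DIR is a directory owned by OWNER:GROUP with exactly the
# octal MODE. -prune keeps find on DIR itself instead of descending; stderr is
# discarded because find also fails when OWNER or GROUP is unknown on the host,
# which for this check is just another way of failing.
check_dir() {
    [ -d "$1" ] || return 2
    out=$(find "$1" -prune -type d -user "$2" -group "$3" -perm "$4" -print 2>/dev/null)
    [ -n "$out" ]
}

# preflight_users PASSWD_FILE GROUP_FILE
# The condition the Makefile user check enforces: run this after
# "mergemaster -p" and before "make installworld". Reports every problem
# found and returns non-zero if there was any.
preflight_users() {
    rc=0
    check_user "$1" auditdistd 78 77 ||
        { echo "auditdistd user (uid 78, gid 77) missing or wrong: run mergemaster -p"; rc=1; }
    check_group "$2" audit 77 ||
        { echo "audit group (gid 77) missing or wrong"; rc=1; }
    return $rc
}

# check_audit_dirs AUDIT_ROOT
# The layout the BSD.var.dist hunk installs; run after installworld to confirm
# the mtree spec was applied (the directories do not exist before that).
check_audit_dirs() {
    rc=0
    check_dir "$1/dist" auditdistd audit 0770 ||
        { echo "$1/dist must be auditdistd:audit mode 0770"; rc=1; }
    check_dir "$1/remote" auditdistd wheel 0700 ||
        { echo "$1/remote must be auditdistd:wheel mode 0700"; rc=1; }
    return $rc
}

# Real-host usage (as root):
#   preflight_users /etc/master.passwd /etc/group && make installworld
#   check_audit_dirs /var/audit
```

The user check is deliberately strict about the numeric ids rather than just the name: a locally pre-created auditdistd account with a different uid would satisfy the Makefile's existence check but leave the mtree-installed directories owned by a different identity than the rc script's daemon runs as. The directory check is kept separate because installworld is what creates /var/audit/dist and /var/audit/remote, so it can only pass after the step the user check guards.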