Date: Tue, 18 Dec 2012 09:44:50 -0800 (PST)
From: "Chris H" <chris#@1command.com>
To: "Bas Smeelen" <b.smeelen@ose.nl>
Cc: freebsd-stable@freebsd.org
Subject: Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Message-ID: <5d92ea55e46049afb64e080477438253.authenticated@ultimatedns.net>
In-Reply-To: <50D0A597.8060207@ose.nl>
References: <alpine.BSF.2.00.1212181516250.99201@fledge.watson.org> <50D0A597.8060207@ose.nl>
> On 12/18/12 16:18, Robert Watson wrote:
>>
>> Dear all:
>>
>> Just an FYI that the new distributed audit daemon has been MFC'd to
>> 9-STABLE.
>
> Thanks.
>
>> As noted in UPDATING, you will need to run "mergemaster -p" before
>> using installkernel or installworld targets in order to add the new
>> "auditdistd" system user. This should be part of the regular update
>> cycle anyway, but after the experience of adding auditdistd in
>> 10-CURRENT, we've discovered that many people are skipping that step
>> in the update cycle, so I figured it best to point out here.
>>
>> (Technically, only installworld requires the user, but the user-check
>> guards in the system Makefiles are enforced for both targets.)
>
> Maybe /usr/src/UPDATING should be updated?
> The end of /usr/src/UPDATING mentions mergemaster -p after the
> installation of the new kernel and rebooting to single user mode instead
> of before. This is on 9.1-RELEASE and also in CURRENT.
>
> At least the entry in /usr/src/UPDATING on CURRENT for this change
>
> 20121201:
>         With the addition of auditdistd(8), a new auditdistd user is now
>         depended on during installworld. "mergemaster -p" can be used to add
>         the user prior to installworld, as documented in the handbook.
>
> should be "prior to installkernel" then also instead of "prior to
> installworld"

Greetings,

FWIW, I just performed a build(world||kernel) && install(world||kernel)
yesterday. I used the following:

cd /usr/src
make buildworld
make buildkernel KERNCONF=<mykern_name_here>
make install KERNCONF=<mykern_name_here>
reboot to single user...
mount -u /
mount -a
cd /usr/src
mergemaster -p
blah,blah,blah...
make installworld
mergemaster
reboot

All of the auditdistd bits were merged into my system, and all is well.
Isn't that the way Updating lists the "correct" order? Anyway, that's how
I understood it, and just wanted to report that it all worked as
expected/anticipated.

HTH, and best wishes.
--Chris
>
>
>> More details on the daemon below.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
>> From: Robert Watson <rwatson@FreeBSD.org>
>> To: current@FreeBSD.org
>> Cc: security@FreeBSD.org
>> Subject: Distributed audit daemon committed (was: svn commit: r243752 - in head:
>>     etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
>>     usr.sbin/auditdistd (fwd))
>>
>>
>> Dear all:
>>
>> I've now committed the build glue required to install the recently
>> merged Audit Distribution Daemon (auditdistd) contributed by Pawel
>> Dawidek, and sponsored by the FreeBSD Foundation. This allows
>> individual hosts generating audit trails to submit trails to a central
>> audit server for review and safe keeping. Part of the goal is to
>> ensure that a host submitting trail data can't later modify the
>> trails. Pawel uses a variety of useful security- and
>> resilience-related features such as TLS, Capsicum, etc, in
>> auditdistd. As the recent security incident in the FreeBSD.org
>> cluster illustrated, having reliable and detailed audit trails makes a
>> big difference in forensic work, and hopefully this will allow the
>> FreeBSD Project (and our users) to do that better in the future.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
>> From: Robert Watson <rwatson@FreeBSD.org>
>> To: src-committers@freebsd.org, svn-src-all@freebsd.org,
>>     svn-src-head@freebsd.org
>> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
>>     etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
>>
>> Author: rwatson
>> Date: Sat Dec 1 15:11:46 2012
>> New Revision: 243752
>> URL: http://svnweb.freebsd.org/changeset/base/243752
>>
>> Log:
>>   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
>>   auditdistd (distributed audit daemon) to the build:
>>
>>   - Manual cross references
>>   - Makefile for auditdistd
>>   - rc.d script, rc.conf entries
>>   - New group and user for auditdistd; associated aliases, etc.
>>
>>   The audit trail distribution daemon provides reliable,
>>   cryptographically protected (and sandboxed) delivery of audit trails
>>   from live clients to audit server hosts in order to both allow
>>   centralised analysis, and improve resilience in the event of client
>>   compromises: clients are not permitted to change trail contents
>>   after submission.
>>
>>   Submitted by: pjd
>>   Sponsored by: The FreeBSD Foundation (auditdistd)
>>
>> Added:
>>   head/etc/rc.d/auditdistd   (contents, props changed)
>>   head/usr.sbin/auditdistd/
>>   head/usr.sbin/auditdistd/Makefile   (contents, props changed)
>> Modified:
>>   head/etc/defaults/rc.conf
>>   head/etc/ftpusers
>>   head/etc/mail/aliases
>>   head/etc/master.passwd
>>   head/etc/mtree/BSD.var.dist
>>   head/etc/rc.d/Makefile
>>   head/share/man/man4/audit.4
>>   head/usr.sbin/Makefile
>>
>> Modified: head/etc/defaults/rc.conf
>> ==============================================================================
>> --- head/etc/defaults/rc.conf	Sat Dec 1 13:46:37 2012	(r243751)
>> +++ head/etc/defaults/rc.conf	Sat Dec 1 15:11:46 2012	(r243752)
>> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa >> auditd_enable="NO" # Run the audit daemon. >> auditd_program="/usr/sbin/auditd" # Path to the audit daemon. >> auditd_flags="" # Which options to pass to the audit daemon. >> +auditdistd_enable="NO" # Run the audit daemon. >> +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd >> daemon. >> +auditdistd_flags="" # Which options to pass to the auditdistd daemon. >> cron_enable="YES" # Run the periodic job daemon. >> cron_program="/usr/sbin/cron" # Which cron executable to run (if >> enabled). >> cron_dst="YES" # Handle DST transitions intelligently (YES/NO) >> >> Modified: head/etc/ftpusers >> ============================================================================== >> >> --- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752) >> @@ -19,6 +19,7 @@ _pflogd >> _dhcp >> uucp >> pop >> +auditdistd >> www >> hast >> nobody >> >> Modified: head/etc/mail/aliases >> ============================================================================== >> >> --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752) >> @@ -26,6 +26,7 @@ postmaster: root >> # General redirections for pseudo accounts >> _dhcp: root >> _pflogd: root >> +auditdistd: root >> bin: root >> bind: root >> daemon: root >> >> Modified: head/etc/master.passwd >> ============================================================================== >> >> --- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752) 
>> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user >> _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin >> uucp:*:66:66::0:0:UUCP >> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico >> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin >> +auditdistd:*:78:77::0:0:Auditdistd unprivileged >> user:/var/empty:/usr/sbin/nologin >> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin >> hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin >> nobody:*:65534:65534::0:0:Unprivileged >> user:/nonexistent:/usr/sbin/nologin >> >> Modified: head/etc/mtree/BSD.var.dist >> ============================================================================== >> >> --- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752) >> @@ -19,6 +19,10 @@ >> /set gname=audit >> audit >> .. >> + dist uname=auditdistd gname=audit mode=0770 >> + .. >> + remote uname=auditdistd gname=wheel mode=0700 >> + .. >> /set gname=wheel >> backups >> .. >> >> Modified: head/etc/rc.d/Makefile >> ============================================================================== >> >> --- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752) >> @@ -19,6 +19,7 @@ FILES= DAEMON \ >> atm2 \ >> atm3 \ >> auditd \ >> + auditdistd \ >> bgfsck \ >> bluetooth \ >> bootparams \ >> >> Added: head/etc/rc.d/auditdistd >> ============================================================================== >> >> --- /dev/null 00:00:00 1970 (empty, because file is newly added) >> +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752) 
>> @@ -0,0 +1,21 @@ >> +#!/bin/sh >> +# >> +# $FreeBSD$ >> +# >> + >> +# PROVIDE: auditdistd >> +# REQUIRE: auditd >> +# BEFORE: DAEMON >> +# KEYWORD: nojail shutdown >> + >> +. /etc/rc.subr >> + >> +name="auditdistd" >> +rcvar="${name}_enable" >> +pidfile="/var/run/${name}.pid" >> +command="/usr/sbin/${name}" >> +required_files="/etc/${name}.conf" >> +extra_commands="reload" >> + >> +load_rc_config $name >> +run_rc_command "$1" >> >> Modified: head/share/man/man4/audit.4 >> ============================================================================== >> >> --- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752) >> @@ -96,7 +96,8 @@ to track users and events in a fine-grai >> .Xr audit_warn 5 , >> .Xr rc.conf 5 , >> .Xr audit 8 , >> -.Xr auditd 8 >> +.Xr auditd 8 , >> +.Xr auditdistd 8 >> .Sh HISTORY >> The >> .Tn OpenBSM >> >> Modified: head/usr.sbin/Makefile >> ============================================================================== >> >> --- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751) >> +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752) >> @@ -110,6 +110,9 @@ SUBDIR+= amd >> .if ${MK_AUDIT} != "no" >> SUBDIR+= audit >> SUBDIR+= auditd >> +.if ${MK_OPENSSL} != "no" >> +SUBDIR+= auditdistd >> +.endif >> SUBDIR+= auditreduce >> SUBDIR+= praudit >> .endif >> >> Added: head/usr.sbin/auditdistd/Makefile >> ============================================================================== >> >> --- /dev/null 00:00:00 1970 (empty, because file is newly added) >> +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 >> (r243752) 
>> @@ -0,0 +1,32 @@ >> +# >> +# $FreeBSD$ >> +# >> + >> +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm >> +.PATH: ${OPENBSMDIR}/bin/auditdistd >> + >> +# Addition of auditdistd because otherwise generated parse.c can't find >> +# auditdistd.h. This seems like a makefile non-feature. >> +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd >> + >> +NO_WFORMAT= >> + >> +PROG= auditdistd >> +SRCS= auditdistd.c >> +SRCS+= parse.y pjdlog.c >> +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c >> proto_tls.c >> +SRCS+= receiver.c >> +SRCS+= sandbox.c sender.c subr.c >> +SRCS+= token.l trail.c >> +MAN= auditdistd.8 auditdistd.conf.5 >> + >> +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL} >> +LDADD= -ll -lpthread -lutil >> +DPADD+= ${LIBCRYPTO} ${LIBSSL} >> +LDADD+= -lcrypto -lssl >> + >> +YFLAGS+=-v >> + >> +CLEANFILES=parse.c parse.h parse.output >> + >> +.include <bsd.prog.mk> > > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" > -- -- Successful builds are performed thusly: make -DWITHOUT_CLANG buildworld subversion; an inferior RCS created so Windows users wouldn't feel left out.
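Review bot: the comment on the new `auditdistd_enable="NO"` line in the etc/defaults/rc.conf hunk is copied from the auditd line above it and still reads "Run the audit daemon."; change it to "Run the audit distribution daemon." so a reader of rc.conf(5) can tell the two knobs apart.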
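Review bot: the log entry promises a new group as well as a new user, but etc/group is not in the Modified list, and the new master.passwd line `auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin` assigns primary gid 77 without any group change in this commit. If 77 is the existing audit group (the BSD.var.dist hunk uses gname=audit for the dist directory), the log should say the group already exists; if a new group was intended, the etc/group change is missing from the patch.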
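Review bot: in the BSD.var.dist hunk, `dist` is created with gname=audit and mode=0770 while `remote` gets gname=wheel and mode=0700, so the outbound queue of trails is writable by every member of the group that owns /var/audit itself (`/set gname=audit` just above). If that is deliberate because auditd, not auditdistd, places trails into the queue, a one-line comment in mtree or in the log would save the next reader from treating the looser mode as an oversight; otherwise 0700 is the mode that matches the tamper-resistance goal the log states.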
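Review bot: the usr.sbin/Makefile hunk only builds auditdistd when MK_OPENSSL != "no", but the etc/rc.d/Makefile hunk installs the auditdistd rc script unconditionally, and the rc.conf, master.passwd and mtree changes are unconditional too. A WITHOUT_OPENSSL build therefore ships an rc script whose `command="/usr/sbin/${name}"` points at a binary that does not exist; either guard the rc.d entry the same way or note in the log that the dangling script is acceptable because auditdistd_enable defaults to NO.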
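Review bot: `NO_WFORMAT=` in the new usr.sbin/auditdistd/Makefile silences the compiler's format-string warnings for the whole daemon, including the network-facing proto_tcp.c, proto_tls.c and receiver.c sources listed in SRCS. For a service the log describes as cryptographically protected and sandboxed, it would be better to fix the printf-style calls that trigger the warnings and drop the knob, or at least extend the existing comment to record which source file needs it and why.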