Date:      Tue, 18 Dec 2012 09:44:50 -0800 (PST)
From:      "Chris H" <chris#@1command.com>
To:        "Bas Smeelen" <b.smeelen@ose.nl>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: MFC: Distributed audit daemon committed (was: svn commit:  r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d  share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Message-ID:  <5d92ea55e46049afb64e080477438253.authenticated@ultimatedns.net>
In-Reply-To: <50D0A597.8060207@ose.nl>
References:  <alpine.BSF.2.00.1212181516250.99201@fledge.watson.org> <50D0A597.8060207@ose.nl>

> On 12/18/12 16:18, Robert Watson wrote:
>>
>> Dear all:
>>
>> Just an FYI that the new distributed audit daemon has been MFC'd to
>> 9-STABLE.
>
> Thanks.
>
>>
>> As noted in UPDATING, you will need to run "mergemaster -p" before
>> using installkernel or installworld targets in order to add the new
>> "auditdistd" system user.  This should be part of the regular update
>> cycle anyway, but after the experience of adding auditdistd in
>> 10-CURRENT, we've discovered that many people are skipping that step
>> in the update cycle, so I figured it best to point out here.
>>
>> (Technically, only installworld requires the user, but the user-check
>> guards in the system Makefiles are enforced for both targets.)
>
> Maybe /usr/src/UPDATING should be updated?
> The end of /usr/src/UPDATING mentions mergemaster -p after the
> installation of the new kernel and rebooting to single user mode instead
> of before. This is on 9.1-RELEASE and also in CURRENT.
>
> At least the entry in /usr/src/UPDATING on CURRENT for this change
>
> 20121201:
>          With the addition of auditdistd(8), a new auditdistd user is now
>          depended on during installworld.  "mergemaster -p" can be used
> to add
>          the user prior to installworld, as documented in the handbook.
>
> should be "prior to installkernel" then also instead of "prior to
> installworld"

Greetings,
 FWIW, I just performed a build(world||kernel) && install(world||kernel) yesterday.
I used the following:

cd /usr/src

make buildworld
make buildkernel KERNCONF=<mykern_name_here>
make install KERNCONF=<mykern_name_here>

reboot to single user...

mount -u /
mount -a

cd /usr/src
mergemaster -p
blah,blah,blah...
make installworld
mergemaster
reboot

All of the auditdistd bits were merged into my system, and all is well.
Isn't that the way UPDATING lists the "correct" order?
Anyway, that's how I understood it, and just wanted to report that it
all worked as expected/anticipated.

HTH, and best wishes.

--Chris


>
>
>>
>> More details on the daemon below.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
>> From: Robert Watson <rwatson@FreeBSD.org>
>> To: current@FreeBSD.org
>> Cc: security@FreeBSD.org
>> Subject: Distributed audit daemon committed (was: svn commit: r243752
>> - in head:
>>      etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
>>     usr.sbin/auditdistd (fwd))
>>
>>
>> Dear all:
>>
>> I've now committed the build glue required to install the recently
>> merged Audit Distribution Daemon (auditdistd) contributed by Pawel
>> Dawidek, and sponsored by the FreeBSD Foundation.  This allows
>> individual hosts generating audit trails to submit trails to a central
>> audit server for review and safe keeping.  Part of the goal is to
>> ensure that a host submitting trail data can't later modify the
>> trails.  Pawel uses a variety of useful security- and
>> resilience-related features such as TLS, Capsicum, etc, in
>> auditdistd.  As the recent security incident in the FreeBSD.org
>> cluster illustrated, having reliable and detailed audit trails makes a
>> big difference in forensic work, and hopefully this will allow the
>> FreeBSD Project (and our users) to do that better in the future.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
>> From: Robert Watson <rwatson@FreeBSD.org>
>> To: src-committers@freebsd.org, svn-src-all@freebsd.org,
>>     svn-src-head@freebsd.org
>> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail
>> etc/mtree
>>     etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
>>
>> Author: rwatson
>> Date: Sat Dec  1 15:11:46 2012
>> New Revision: 243752
>> URL: http://svnweb.freebsd.org/changeset/base/243752
>>
>> Log:
>>   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
>>   auditdistd (distributed audit daemon) to the build:
>>
>>   - Manual cross references
>>   - Makefile for auditdistd
>>   - rc.d script, rc.conf entries
>>   - New group and user for auditdistd; associated aliases, etc.
>>
>>   The audit trail distribution daemon provides reliable,
>>   cryptographically protected (and sandboxed) delivery of audit trails
>>   from live clients to audit server hosts in order to both allow
>>   centralised analysis, and improve resilience in the event of client
>>   compromises: clients are not permitted to change trail contents
>>   after submission.
>>
>>   Submitted by:    pjd
>>   Sponsored by:    The FreeBSD Foundation (auditdistd)
>>
>> Added:
>>   head/etc/rc.d/auditdistd   (contents, props changed)
>>   head/usr.sbin/auditdistd/
>>   head/usr.sbin/auditdistd/Makefile   (contents, props changed)
>> Modified:
>>   head/etc/defaults/rc.conf
>>   head/etc/ftpusers
>>   head/etc/mail/aliases
>>   head/etc/master.passwd
>>   head/etc/mtree/BSD.var.dist
>>   head/etc/rc.d/Makefile
>>   head/share/man/man4/audit.4
>>   head/usr.sbin/Makefile
>>
>> Modified: head/etc/defaults/rc.conf
>> ==============================================================================
>>
>> --- head/etc/defaults/rc.conf    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/etc/defaults/rc.conf    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO"    # Run newa
>>  auditd_enable="NO"    # Run the audit daemon.
>>  auditd_program="/usr/sbin/auditd"    # Path to the audit daemon.
>>  auditd_flags=""        # Which options to pass to the audit daemon.
>> +auditdistd_enable="NO"    # Run the audit daemon.
>> +auditdistd_program="/usr/sbin/auditdistd"    # Path to the auditdistd
>> daemon.
>> +auditdistd_flags=""    # Which options to pass to the auditdistd daemon.
>>  cron_enable="YES"    # Run the periodic job daemon.
>>  cron_program="/usr/sbin/cron"    # Which cron executable to run (if
>> enabled).
>>  cron_dst="YES"        # Handle DST transitions intelligently (YES/NO)
>>
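Review bot: the comment on the new `auditdistd_enable="NO"` line reads `# Run the audit daemon.`, copied verbatim from the `auditd_enable` line above it; change it to `# Run the audit distribution daemon.` so rc.conf(5) readers can tell the two knobs apart at a glance.
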
>> Modified: head/etc/ftpusers
>> ==============================================================================
>>
>> --- head/etc/ftpusers    Sat Dec  1 13:46:37 2012    (r243751)
>> +++ head/etc/ftpusers    Sat Dec  1 15:11:46 2012    (r243752)
>> @@ -19,6 +19,7 @@ _pflogd
>>  _dhcp
>>  uucp
>>  pop
>> +auditdistd
>>  www
>>  hast
>>  nobody
>>
>> Modified: head/etc/mail/aliases
>> ==============================================================================
>>
>> --- head/etc/mail/aliases    Sat Dec  1 13:46:37 2012    (r243751)
>> +++ head/etc/mail/aliases    Sat Dec  1 15:11:46 2012    (r243752)
>> @@ -26,6 +26,7 @@ postmaster: root
>>  # General redirections for pseudo accounts
>>  _dhcp:    root
>>  _pflogd: root
>> +auditdistd:    root
>>  bin:    root
>>  bind:    root
>>  daemon:    root
>>
>> Modified: head/etc/master.passwd
>> ==============================================================================
>>
>> --- head/etc/master.passwd    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/etc/master.passwd    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
>>  _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
>>  uucp:*:66:66::0:0:UUCP
>> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
>>  pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
>> +auditdistd:*:78:77::0:0:Auditdistd unprivileged
>> user:/var/empty:/usr/sbin/nologin
>>  www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>>  hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>>  nobody:*:65534:65534::0:0:Unprivileged
>> user:/nonexistent:/usr/sbin/nologin
>>
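Review bot: the new entry gives auditdistd uid 78 but primary gid 77, and while the log says "New group and user for auditdistd", the Modified list above does not touch etc/group; either gid 77 already exists (the mtree hunk uses gname=audit for /var/audit/dist, which suggests the audit group is meant) or the group change belongs in this commit, and the log should say which. The rest of the entry is right for a service account: locked password field, /var/empty home, nologin shell.
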
>> Modified: head/etc/mtree/BSD.var.dist
>> ==============================================================================
>>
>> --- head/etc/mtree/BSD.var.dist    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/etc/mtree/BSD.var.dist    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -19,6 +19,10 @@
>>  /set gname=audit
>>      audit
>>      ..
>> +        dist            uname=auditdistd gname=audit mode=0770
>> +        ..
>> +        remote          uname=auditdistd gname=wheel mode=0700
>> +        ..
>>  /set gname=wheel
>>      backups
>>      ..
>>
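Review bot: /var/audit/dist is 0770 uname=auditdistd gname=audit, so auditd (group audit) can hand finished trails to the daemon, while /var/audit/remote is 0700 owned by auditdistd alone, which keeps received trails out of reach of anything but the daemon and matches the "clients are not permitted to change trail contents after submission" goal in the log; a one-line note in auditdistd.conf.5 stating which directory is the sender's outbox and which the receiver's inbox would spare operators working this out from the mtree modes.
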
>> Modified: head/etc/rc.d/Makefile
>> ==============================================================================
>>
>> --- head/etc/rc.d/Makefile    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/etc/rc.d/Makefile    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -19,6 +19,7 @@ FILES=    DAEMON \
>>      atm2 \
>>      atm3 \
>>      auditd \
>> +    auditdistd \
>>      bgfsck \
>>      bluetooth \
>>      bootparams \
>>
>> Added: head/etc/rc.d/auditdistd
>> ==============================================================================
>>
>> --- /dev/null    00:00:00 1970    (empty, because file is newly added)
>> +++ head/etc/rc.d/auditdistd    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -0,0 +1,21 @@
>> +#!/bin/sh
>> +#
>> +# $FreeBSD$
>> +#
>> +
>> +# PROVIDE: auditdistd
>> +# REQUIRE: auditd
>> +# BEFORE:  DAEMON
>> +# KEYWORD: nojail shutdown
>> +
>> +. /etc/rc.subr
>> +
>> +name="auditdistd"
>> +rcvar="${name}_enable"
>> +pidfile="/var/run/${name}.pid"
>> +command="/usr/sbin/${name}"
>> +required_files="/etc/${name}.conf"
>> +extra_commands="reload"
>> +
>> +load_rc_config $name
>> +run_rc_command "$1"
>>
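Review bot: required_files="/etc/${name}.conf" means the rc script quietly declines to start until /etc/auditdistd.conf exists, and this commit installs no sample config (the Added list contains only the rc script and the Makefile); the rc.conf comment or the UPDATING entry should say the config must be written before setting auditdistd_enable="YES". REQUIRE: auditd and KEYWORD: nojail shutdown look right for a daemon that ships auditd's trails off the host and should be stopped cleanly at shutdown.
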
>> Modified: head/share/man/man4/audit.4
>> ==============================================================================
>>
>> --- head/share/man/man4/audit.4    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/share/man/man4/audit.4    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -96,7 +96,8 @@ to track users and events in a fine-grai
>>  .Xr audit_warn 5 ,
>>  .Xr rc.conf 5 ,
>>  .Xr audit 8 ,
>> -.Xr auditd 8
>> +.Xr auditd 8 ,
>> +.Xr auditdistd 8
>>  .Sh HISTORY
>>  The
>>  .Tn OpenBSM
>>
>> Modified: head/usr.sbin/Makefile
>> ==============================================================================
>>
>> --- head/usr.sbin/Makefile    Sat Dec  1 13:46:37 2012 (r243751)
>> +++ head/usr.sbin/Makefile    Sat Dec  1 15:11:46 2012 (r243752)
>> @@ -110,6 +110,9 @@ SUBDIR+=    amd
>>  .if ${MK_AUDIT} != "no"
>>  SUBDIR+=    audit
>>  SUBDIR+=    auditd
>> +.if ${MK_OPENSSL} != "no"
>> +SUBDIR+=    auditdistd
>> +.endif
>>  SUBDIR+=    auditreduce
>>  SUBDIR+=    praudit
>>  .endif
>>
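Review bot: gating auditdistd on MK_OPENSSL as well as MK_AUDIT matches the -lcrypto -lssl link in the new Makefile, but the rc.d/Makefile hunk above adds the auditdistd rc script unconditionally and the master.passwd user is always installed, so a MK_OPENSSL=no build ships an rc script whose command="/usr/sbin/auditdistd" does not exist; either gate the rc script the same way or note the inconsistency as accepted.
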
>> Added: head/usr.sbin/auditdistd/Makefile
>> ==============================================================================
>>
>> --- /dev/null    00:00:00 1970    (empty, because file is newly added)
>> +++ head/usr.sbin/auditdistd/Makefile    Sat Dec  1 15:11:46 2012
>> (r243752)
>> @@ -0,0 +1,32 @@
>> +#
>> +# $FreeBSD$
>> +#
>> +
>> +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
>> +.PATH: ${OPENBSMDIR}/bin/auditdistd
>> +
>> +# Addition of auditdistd because otherwise generated parse.c can't find
>> +# auditdistd.h.  This seems like a makefile non-feature.
>> +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
>> +
>> +NO_WFORMAT=
>> +
>> +PROG=    auditdistd
>> +SRCS=    auditdistd.c
>> +SRCS+=    parse.y pjdlog.c
>> +SRCS+=    proto.c proto_common.c proto_socketpair.c proto_tcp.c
>> proto_tls.c
>> +SRCS+=    receiver.c
>> +SRCS+=    sandbox.c sender.c subr.c
>> +SRCS+=    token.l trail.c
>> +MAN=    auditdistd.8 auditdistd.conf.5
>> +
>> +DPADD=    ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
>> +LDADD=    -ll -lpthread -lutil
>> +DPADD+=    ${LIBCRYPTO} ${LIBSSL}
>> +LDADD+=    -lcrypto -lssl
>> +
>> +YFLAGS+=-v
>> +
>> +CLEANFILES=parse.c parse.h parse.output
>> +
>> +.include <bsd.prog.mk>
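Review bot: NO_WFORMAT= turns off -Wformat checking for the whole program; format-string warnings are exactly the class worth keeping enabled in a daemon that parses input from remote clients, so prefer fixing the offending printf-style calls in contrib/openbsm, or confining the suppression to the generated parse.c and token.c, and dropping this line.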

-- 
Successful builds are performed thusly:
make -DWITHOUT_CLANG buildworld

subversion; an inferior RCS created so Windows users wouldn't feel left out.
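As an added example that is not part of this thread or of the FreeBSD sources: a small sh(1) pre-flight check in the spirit of the user-check guard Robert mentions, run before installworld to confirm that "mergemaster -p" has added the auditdistd account. It assumes the account name and gid from r243752, and takes the passwd and group file paths as arguments so it can be exercised against constructed sample files; the live defaults are /etc/master.passwd and /etc/group.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tree: a pre-installworld
# check so a skipped "mergemaster -p" is caught before installworld starts.
# Assumption: the account to check is "auditdistd" (the one r243752 adds).

# missing_users PASSWD_FILE USER...: print each USER absent from PASSWD_FILE
# (field 1 of master.passwd); exit 1 if any is missing, else 0.
missing_users() {
    pwfile=$1; shift
    rc=0
    for u in "$@"; do
        if ! awk -F: -v u="$u" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$pwfile"; then
            echo "$u"
            rc=1
        fi
    done
    return $rc
}

# user_gid_defined PASSWD_FILE GROUP_FILE USER: exit 0 if USER's primary gid
# (field 4) appears as a gid (field 3) in GROUP_FILE. The r243752 entry gives
# auditdistd gid 77 without touching etc/group, so this is worth checking.
user_gid_defined() {
    gid=$(awk -F: -v u="$3" '$1 == u { print $4; exit }' "$1")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# preinstall_check [PASSWD_FILE [GROUP_FILE]]: run both checks, defaulting to
# the live files (readable as root, which installworld needs anyway).
preinstall_check() {
    pwfile=${1:-/etc/master.passwd}; grfile=${2:-/etc/group}
    missing=$(missing_users "$pwfile" auditdistd) || {
        echo "missing user(s): $missing; run 'mergemaster -p' first" >&2; return 1; }
    user_gid_defined "$pwfile" "$grfile" auditdistd || {
        echo "auditdistd primary gid not defined in $grfile" >&2; return 1; }
    echo "user checks passed; installworld may proceed"
}

# Constructed sample files: a master.passwd before and after "mergemaster -p".
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/csh' \
    'pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin' > "$tmp/old.passwd"
{ cat "$tmp/old.passwd"; echo 'auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin'; } > "$tmp/new.passwd"
printf '%s\n' 'wheel:*:0:root' 'audit:*:77:' > "$tmp/group"

preinstall_check "$tmp/old.passwd" "$tmp/group" || :   # fails: user not yet added
preinstall_check "$tmp/new.passwd" "$tmp/group"        # passes
```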