Date:      Tue, 18 Dec 2012 12:38:11 -0600
From:      Bryan Drewery <bryan-lists@shatow.net>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        stable@FreeBSD.org
Subject:   Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Message-ID:  <50D0B813.5030100@shatow.net>
In-Reply-To: <alpine.BSF.2.00.1212181516250.99201@fledge.watson.org>
References:  <alpine.BSF.2.00.1212181516250.99201@fledge.watson.org>

On 12/18/2012 9:18 AM, Robert Watson wrote:
> 
> Dear all:
> 
> Just an FYI that the new distributed audit daemon has been MFC'd to
> 9-STABLE.
> 
> As noted in UPDATING, you will need to run "mergemaster -p" before using
> installkernel or installworld targets in order to add the new
> "auditdistd" system user.  This should be part of the regular update
> cycle anyway, but after the experience of adding auditdistd in
> 10-CURRENT, we've discovered that many people are skipping that step in
> the update cycle, so I figured it best to point out here.
> 
> (Technically, only installworld requires the user, but the user-check
> guards in the system Makefiles are enforced for both targets.)

Have you seen misc/174405? Apparently installkernel is requiring the
user as well. The documented process in UPDATING does not mention
running mergemaster -p before [install]kernel.


> 
> More details on the daemon below.
> 
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> 
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
> From: Robert Watson <rwatson@FreeBSD.org>
> To: current@FreeBSD.org
> Cc: security@FreeBSD.org
> Subject: Distributed audit daemon committed (was: svn commit: r243752 -
> in head:
>      etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
>     usr.sbin/auditdistd (fwd))
> 
> 
> Dear all:
> 
> I've now committed the build glue required to install the recently
> merged Audit Distribution Daemon (auditdistd) contributed by Pawel
> Dawidek, and sponsored by the FreeBSD Foundation.  This allows
> individual hosts generating audit trails to submit trails to a central
> audit server for review and safe keeping.  Part of the goal is to ensure
> that a host submitting trail data can't later modify the trails.  Pawel
> uses a variety of useful security- and resilience-related features such
> as TLS, Capsicum, etc, in auditdistd.  As the recent security incident
> in the FreeBSD.org cluster illustrated, having reliable and detailed
> audit trails makes a big difference in forensic work, and hopefully this
> will allow the FreeBSD Project (and our users) to do that better in the
> future.
> 
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
> 
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
> From: Robert Watson <rwatson@FreeBSD.org>
> To: src-committers@freebsd.org, svn-src-all@freebsd.org,
>     svn-src-head@freebsd.org
> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
>     etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
> 
> Author: rwatson
> Date: Sat Dec  1 15:11:46 2012
> New Revision: 243752
> URL: http://svnweb.freebsd.org/changeset/base/243752
> 
> Log:
>   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
>   auditdistd (distributed audit daemon) to the build:
> 
>   - Manual cross references
>   - Makefile for auditdistd
>   - rc.d script, rc.conf entries
>   - New group and user for auditdistd; associated aliases, etc.
> 
>   The audit trail distribution daemon provides reliable,
>   cryptographically protected (and sandboxed) delivery of audit trails
>   from live clients to audit server hosts in order to both allow
>   centralised analysis, and improve resilience in the event of client
>   compromises: clients are not permitted to change trail contents
>   after submission.
> 
>   Submitted by:    pjd
>   Sponsored by:    The FreeBSD Foundation (auditdistd)
> 
> Added:
>   head/etc/rc.d/auditdistd   (contents, props changed)
>   head/usr.sbin/auditdistd/
>   head/usr.sbin/auditdistd/Makefile   (contents, props changed)
> Modified:
>   head/etc/defaults/rc.conf
>   head/etc/ftpusers
>   head/etc/mail/aliases
>   head/etc/master.passwd
>   head/etc/mtree/BSD.var.dist
>   head/etc/rc.d/Makefile
>   head/share/man/man4/audit.4
>   head/usr.sbin/Makefile
> 
> Modified: head/etc/defaults/rc.conf
> ==============================================================================
> 
> --- head/etc/defaults/rc.conf    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/defaults/rc.conf    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO"    # Run newa
>  auditd_enable="NO"    # Run the audit daemon.
>  auditd_program="/usr/sbin/auditd"    # Path to the audit daemon.
>  auditd_flags=""        # Which options to pass to the audit daemon.
> +auditdistd_enable="NO"    # Run the audit daemon.
> +auditdistd_program="/usr/sbin/auditdistd"    # Path to the auditdistd
> daemon.
> +auditdistd_flags=""    # Which options to pass to the auditdistd daemon.
>  cron_enable="YES"    # Run the periodic job daemon.
>  cron_program="/usr/sbin/cron"    # Which cron executable to run (if
> enabled).
>  cron_dst="YES"        # Handle DST transitions intelligently (YES/NO)
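Review bot: the comment on the new auditdistd_enable line is copied from the auditd_enable line above it and still says "Run the audit daemon."; it should describe this knob, e.g. `auditdistd_enable="NO"    # Run the audit distribution daemon.`, so that rc.conf(5) readers can tell the two daemons apart.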
> 
> Modified: head/etc/ftpusers
> ==============================================================================
> 
> --- head/etc/ftpusers    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/ftpusers    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -19,6 +19,7 @@ _pflogd
>  _dhcp
>  uucp
>  pop
> +auditdistd
>  www
>  hast
>  nobody
> 
> Modified: head/etc/mail/aliases
> ==============================================================================
> 
> --- head/etc/mail/aliases    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/mail/aliases    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -26,6 +26,7 @@ postmaster: root
>  # General redirections for pseudo accounts
>  _dhcp:    root
>  _pflogd: root
> +auditdistd:    root
>  bin:    root
>  bind:    root
>  daemon:    root
> 
> Modified: head/etc/master.passwd
> ==============================================================================
> 
> --- head/etc/master.passwd    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/master.passwd    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
>  _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
>  uucp:*:66:66::0:0:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
>  pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
> +auditdistd:*:78:77::0:0:Auditdistd unprivileged
> user:/var/empty:/usr/sbin/nologin
>  www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>  hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>  nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
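Review bot: the log says "New group and user for auditdistd", but the only account-database file in this diff is master.passwd; no etc/group hunk adds a group, and the new entry's primary gid 77 is the existing audit group (the BSD.var.dist hunk relies on it as gname=audit). Either the group change is missing from the commit or the log line should say only that a user is added. The entry itself is sound: locked password field, /var/empty home and /usr/sbin/nologin shell, matching the hast user two lines down, and it is this entry that makes "mergemaster -p" mandatory before installworld, as the cover mail says.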
> 
> Modified: head/etc/mtree/BSD.var.dist
> ==============================================================================
> 
> --- head/etc/mtree/BSD.var.dist    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/mtree/BSD.var.dist    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -19,6 +19,10 @@
>  /set gname=audit
>      audit
>      ..
> +        dist            uname=auditdistd gname=audit mode=0770
> +        ..
> +        remote          uname=auditdistd gname=wheel mode=0700
> +        ..
>  /set gname=wheel
>      backups
>      ..
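Review bot: dist is created 0770 with gname=audit, so every member of the audit group can delete or replace queued trails before they are shipped, which works against the stated goal that a client cannot alter trails after submission; if the only writers are auditd (running as root) and the owning auditdistd user, 0750 is enough, and if group write is intentional the reason belongs in auditdistd.8. remote at 0700 owned by auditdistd is the right default for trails received from clients.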
> 
> Modified: head/etc/rc.d/Makefile
> ==============================================================================
> 
> --- head/etc/rc.d/Makefile    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/etc/rc.d/Makefile    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -19,6 +19,7 @@ FILES=    DAEMON \
>      atm2 \
>      atm3 \
>      auditd \
> +    auditdistd \
>      bgfsck \
>      bluetooth \
>      bootparams \
> 
> Added: head/etc/rc.d/auditdistd
> ==============================================================================
> 
> --- /dev/null    00:00:00 1970    (empty, because file is newly added)
> +++ head/etc/rc.d/auditdistd    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +#
> +# $FreeBSD$
> +#
> +
> +# PROVIDE: auditdistd
> +# REQUIRE: auditd
> +# BEFORE:  DAEMON
> +# KEYWORD: nojail shutdown
> +
> +. /etc/rc.subr
> +
> +name="auditdistd"
> +rcvar="${name}_enable"
> +pidfile="/var/run/${name}.pid"
> +command="/usr/sbin/${name}"
> +required_files="/etc/${name}.conf"
> +extra_commands="reload"
> +
> +load_rc_config $name
> +run_rc_command "$1"
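Review bot: required_files points at /etc/auditdistd.conf, but nothing in this commit installs one (the auditdistd Makefile ships only the auditdistd.conf.5 manual page), so `auditdistd_enable="YES"` on a fresh system makes rc.subr refuse to start the daemon, with a warning about the unreadable file, until the operator writes the config by hand; ship an example config or state the requirement next to the rc.conf knob and in UPDATING. Note also that the script sets no `${name}_user`, so the daemon is started as root and must drop to the auditdistd account itself (sandbox.c in the SRCS list suggests it does); the manual page should say so explicitly.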
> 
> Modified: head/share/man/man4/audit.4
> ==============================================================================
> 
> --- head/share/man/man4/audit.4    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/share/man/man4/audit.4    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -96,7 +96,8 @@ to track users and events in a fine-grai
>  .Xr audit_warn 5 ,
>  .Xr rc.conf 5 ,
>  .Xr audit 8 ,
> -.Xr auditd 8
> +.Xr auditd 8 ,
> +.Xr auditdistd 8
>  .Sh HISTORY
>  The
>  .Tn OpenBSM
> 
> Modified: head/usr.sbin/Makefile
> ==============================================================================
> 
> --- head/usr.sbin/Makefile    Sat Dec  1 13:46:37 2012    (r243751)
> +++ head/usr.sbin/Makefile    Sat Dec  1 15:11:46 2012    (r243752)
> @@ -110,6 +110,9 @@ SUBDIR+=    amd
>  .if ${MK_AUDIT} != "no"
>  SUBDIR+=    audit
>  SUBDIR+=    auditd
> +.if ${MK_OPENSSL} != "no"
> +SUBDIR+=    auditdistd
> +.endif
>  SUBDIR+=    auditreduce
>  SUBDIR+=    praudit
>  .endif
> 
> Added: head/usr.sbin/auditdistd/Makefile
> ==============================================================================
> 
> --- /dev/null    00:00:00 1970    (empty, because file is newly added)
> +++ head/usr.sbin/auditdistd/Makefile    Sat Dec  1 15:11:46 2012 (r243752)
> @@ -0,0 +1,32 @@
> +#
> +# $FreeBSD$
> +#
> +
> +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
> +.PATH: ${OPENBSMDIR}/bin/auditdistd
> +
> +# Addition of auditdistd because otherwise generated parse.c can't find
> +# auditdistd.h.  This seems like a makefile non-feature.
> +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
> +
> +NO_WFORMAT=
> +
> +PROG=    auditdistd
> +SRCS=    auditdistd.c
> +SRCS+=    parse.y pjdlog.c
> +SRCS+=    proto.c proto_common.c proto_socketpair.c proto_tcp.c
> proto_tls.c
> +SRCS+=    receiver.c
> +SRCS+=    sandbox.c sender.c subr.c
> +SRCS+=    token.l trail.c
> +MAN=    auditdistd.8 auditdistd.conf.5
> +
> +DPADD=    ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
> +LDADD=    -ll -lpthread -lutil
> +DPADD+=    ${LIBCRYPTO} ${LIBSSL}
> +LDADD+=    -lcrypto -lssl
> +
> +YFLAGS+=-v
> +
> +CLEANFILES=parse.c parse.h parse.output
> +
> +.include <bsd.prog.mk>
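Review bot: `NO_WFORMAT=` turns off -Wformat for the whole program, and this is a network-facing daemon with its own logging (pjdlog.c) and its own config parser (parse.y, token.l), exactly where printf-style format mismatches matter; rather than silencing the warning class globally, fix the offending call in contrib/openbsm or confine the flag to the single source file that needs it. `YFLAGS+=-v` writes parse.output, which is listed in CLEANFILES, so that part is fine.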
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
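The update step Robert and Bryan discuss (run "mergemaster -p" so the auditdistd account exists before installkernel/installworld, after which the mtree-specified /var/audit/dist and /var/audit/remote directories are created) can be checked ahead of time. The following POSIX sh script is an added example, not code from the original thread or from FreeBSD; it takes its expected values from the quoted hunks (uid 78, gid 77, /var/empty, /usr/sbin/nologin; 0770 auditdistd:audit for dist and 0700 auditdistd:wheel for remote), and the master.passwd samples it runs over are constructed, not copied from a live host.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD: a preflight
# check for the auditdistd MFC.  It confirms that the auditdistd account the
# master.passwd hunk adds is present and unchanged, and that a trail directory
# has the ownership and mode the BSD.var.dist hunk assigns.  The expected
# values are taken from those hunks; the sample files below are constructed.

AUDITDISTD_UID=78
AUDITDISTD_GID=77            # primary group 77 is the stock "audit" group
AUDITDISTD_HOME=/var/empty
AUDITDISTD_SHELL=/usr/sbin/nologin

# check_auditdistd_user FILE
#   FILE is in master.passwd(5) format (ten colon-separated fields).
#   Exit status: 0 = entry present and as committed,
#                1 = entry absent, "mergemaster -p" has not been run,
#                2 = entry present but altered (e.g. given a login shell).
check_auditdistd_user() {
    awk -F: -v uid="$AUDITDISTD_UID" -v gid="$AUDITDISTD_GID" \
        -v home="$AUDITDISTD_HOME" -v shell="$AUDITDISTD_SHELL" '
        $1 == "auditdistd" {
            found = 1
            # locked password, fixed uid/gid, empty home and a non-login
            # shell are what keep the account unprivileged
            status = ($2 == "*" && $3 == uid && $4 == gid && \
                      $9 == home && $10 == shell) ? 0 : 2
            exit
        }
        END { if (!found) status = 1; exit status }' "$1"
}

# check_dir_perms DIR OWNER GROUP MODESTRING
#   MODESTRING is the ten-character ls(1) mode, e.g. drwx------ for 0700.
#   Exit status: 0 on match, 1 if DIR is missing or differs.
check_dir_perms() {
    [ -d "$1" ] || return 1
    ls -ld "$1" | awk -v owner="$2" -v group="$3" -v perms="$4" '
        # ls -ld prints: mode links owner group ...; some systems append an
        # ACL or security-context marker after the ten mode characters
        { if (substr($1, 1, 10) == perms && $3 == owner && $4 == group) exit 0
          exit 1 }'
}

# Constructed samples: master.passwd before and after "mergemaster -p", plus
# a copy whose auditdistd entry was hand-edited to a login shell.
SAMPLE_DIR=$(mktemp -d "${TMPDIR:-/tmp}/auditdistd.XXXXXX")
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/master.passwd.before" <<'EOF'
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/master.passwd.after" <<'EOF'
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
sed '/^auditdistd:/s,/usr/sbin/nologin$,/bin/sh,' \
    "$SAMPLE_DIR/master.passwd.after" > "$SAMPLE_DIR/master.passwd.edited"

for f in before after edited; do
    rc=0
    check_auditdistd_user "$SAMPLE_DIR/master.passwd.$f" || rc=$?
    echo "master.passwd.$f: status $rc"
done
# On a real host, after installworld:
#   check_auditdistd_user /etc/master.passwd
#   check_dir_perms /var/audit/remote auditdistd wheel drwx------
#   check_dir_perms /var/audit/dist   auditdistd audit drwxrwx---
```

Status 1 from check_auditdistd_user is the case Bryan's PR describes: the account is absent, so the Makefile user-check guard will stop installkernel and installworld until "mergemaster -p" is run. Status 2 is worth treating as an error too, since a locally modified account (a login shell, a different home, a non-locked password) undermines the "unprivileged user" the daemon is meant to drop to.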




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50D0B813.5030100>