Date: Thu, 2 Feb 2006 09:58:55 +0000 (GMT) From: Robert Watson <rwatson@FreeBSD.org> To: freebsd-security@FreeBSD.org Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption (fwd) Message-ID: <20060202095819.W87763@fledge.watson.org>
FYI, since this is probably of interest to subscribers of this mailing list also.

Robert N M Watson

---------- Forwarded message ----------
Date: Wed, 1 Feb 2006 22:55:40 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Julian Elischer <julian@elischer.org>
Cc: trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>, current@freebsd.org
Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption

On Wed, 1 Feb 2006, Julian Elischer wrote:
>>> I'll send out follow-up e-mail once the worst is past, along with information on what it all means, and how to try it out (for those not already on trustedbsd-audit, who have been hearing about this for a while).
>>>
>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming 6.1? Or only for 6.2 or later?
>
> is there a website about all this stuff?  "What's it for?"

I'm sure I promised to answer exactly that question in my followup e-mail once the integration is done. :-)

The quick answer is that this is an implementation of security event auditing, as required by the Orange Book C2 and later Common Criteria CAPP security evaluation/standard.  These documents provide specifications for a set of functional requirements (and assurance requirements) regarding the behavior of operating systems with respect to security.  One of the requirements is the fine-grained and configurable logging of security-relevant events.  Security-relevant turns out to be pretty all-inclusive, as CAPP requires the ability to log the results of access control decisions associated with discretionary access control, which means basically all file I/O, including path lookups.  So what is present in our implementation is:

- The introduction of a centralized kernel audit event engine, src/sys/security/audit, which includes various system calls, an event queue, kernel worker thread to process the queue, interfaces to capture system call information, a system call for user applications to submit audit records, pre-selection mechanism, etc.

- OpenBSM, an implementation of the Solaris/OpenSolaris Basic Security Module API and file format for audit trails.  This is derived from the BSM audit support found in the Apple Mac OS X and Darwin operating systems, although substantially reworked, cleaned up, and synchronized to recent BSM changes in Solaris, such as 64-bit records.

- auditd, a daemon for managing audit event logs and the audit subsystem.

- Modifications throughout the kernel and in many places in user space to generate audit records.

Unlike existing logging and tracing mechanisms, audit has to meet a number of reliability, security, and functional requirements that basically drove the implementation of a new logging system rather than adaptation of an existing one:

- Only authorized processes can read and write to the audit log.

- Detailed subject and object information, including file paths, full credential information for processes, etc.

- Configurable log granularity by user, subsystem, operation, including the ability to control the logging of non-attributable events.

- Audit log reduction tools and pre-selection mechanism.

- Reliability requirements relating to maximum record loss in the event of power loss, configurable ability to fail-stop the system when the audit store is filled.

- Portable log format based on the de facto industry standard BSM format (used by Solaris, Mac OS X, and a moderate number of intrusion detection tools, post-mortem tools, etc).

The implementation is not yet fully complete, but it's now at the point where more broad exposure and testing would be very helpful.  The hope is to have much of the current implementation merged in the next couple of days, and the remainder over the next couple of weeks.

Since I did the intro for this, I should take this opportunity to thank Apple Computer for sponsoring the original development work as part of their Common Criteria CAPP evaluation for Mac OS X, and then releasing the results under a BSD license (announcement on this to follow), SPARTA for releasing extensions and additional work on the system, not to mention the team of people who have been involved in porting over, adapting, and substantially enhancing the Darwin audit support, including Wayne Salamon (part of the original audit development team), who has done extensive development work on it, and Tom Rhodes, who has written a lot of the new documentation including a new handbook chapter on configuring audit support.

Robert N M Watson
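The BSM trail format and the record-loss requirement described above, as an added example that is not code from the original message, from OpenBSM or from FreeBSD: a minimal Python parser for records framed by header32 and trailer tokens, carrying path, subject32 and return32 tokens, which stops at the first truncated or mis-framed record (the case a power loss mid-write produces) and reports how many bytes are left unparsed. The token ids, trailer magic and header version are recalled from bsm/audit_record.h and are assumptions; build_record only constructs sample data, and its event number, pid and session id are made up.

```python
import struct
# Token ids, trailer magic and header version as recalled from OpenBSM's bsm/audit_record.h (assumed).
AUT_TRAILER, AUT_HEADER32, AUT_PATH, AUT_SUBJECT32, AUT_RETURN32 = 0x13, 0x14, 0x23, 0x24, 0x27
TRAILER_MAGIC, HEADER_VERSION = 0xB105, 11
HDR_FMT, TRL_FMT = ">BIBHHII", ">BHI"  # header32 is 18 bytes, trailer is 7

def build_record(event, secs, path, auid, errno, retval):
    """Construct a header32 + path + subject32 + return32 + trailer record (sample data only)."""
    p = path.encode() + b"\0"                    # path token length counts the NUL
    body = struct.pack(">BH", AUT_PATH, len(p)) + p
    body += struct.pack(">B9I", AUT_SUBJECT32, auid, auid, 0, auid, 0, 4242, 1, 0, 0)  # auid euid egid ruid rgid pid sid tid
    body += struct.pack(">BBI", AUT_RETURN32, errno, retval)
    total = 18 + len(body) + 7                   # byte count covers header and trailer
    hdr = struct.pack(HDR_FMT, AUT_HEADER32, total, HEADER_VERSION, event, 0, secs, 0)
    return hdr + body + struct.pack(TRL_FMT, AUT_TRAILER, TRAILER_MAGIC, total)

def parse_record(buf, off):
    """Parse one record at buf[off:]; return (dict, next offset) or raise ValueError."""
    if len(buf) - off < 18 or buf[off] != AUT_HEADER32:
        raise ValueError("no header32 token at offset %d" % off)
    _, reclen, _, event, _, secs, _ = struct.unpack_from(HDR_FMT, buf, off)
    end = off + reclen
    if reclen < 25 or end > len(buf):            # e.g. final record cut short by a power loss
        raise ValueError("record at %d truncated: %d of %d bytes" % (off, len(buf) - off, reclen))
    if struct.unpack_from(TRL_FMT, buf, end - 7) != (AUT_TRAILER, TRAILER_MAGIC, reclen):
        raise ValueError("bad trailer for record at offset %d" % off)
    rec, pos = {"event": event, "secs": secs}, off + 18
    while pos < end - 7:                         # argument tokens sit between header and trailer
        t = buf[pos]
        if t == AUT_PATH:
            n = struct.unpack_from(">H", buf, pos + 1)[0]
            rec["path"], pos = buf[pos + 3:pos + 3 + n].rstrip(b"\0").decode(), pos + 3 + n
        elif t == AUT_SUBJECT32:                 # only the audit uid is kept here
            rec["auid"], pos = struct.unpack_from(">I", buf, pos + 1)[0], pos + 37
        elif t == AUT_RETURN32:
            rec["errno"], rec["retval"], pos = (*struct.unpack_from(">BI", buf, pos + 1), pos + 6)
        else:
            raise ValueError("unsupported token 0x%02x at offset %d" % (t, pos))
    return rec, end

def parse_trail(buf):
    """Parse whole records in order; stop at the first damaged one and report what is left."""
    recs, off = [], 0
    while off < len(buf):
        try:
            rec, off = parse_record(buf, off)
        except ValueError as exc:
            return recs, len(buf) - off, str(exc)
        recs.append(rec)
    return recs, 0, None
```

A real trail written by auditd contains many more token types than the three handled here; the parser refuses anything it does not understand rather than silently skipping bytes, so a damaged trail never yields misattributed records.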
