From: Robert Watson <rwatson@FreeBSD.org>
To: freebsd-security@FreeBSD.org
Date: Thu, 2 Feb 2006 09:58:55 +0000 (GMT)
Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption (fwd)

FYI, since this is probably of interest to subscribers of this mailing list
also.
Robert N M Watson

---------- Forwarded message ----------
Date: Wed, 1 Feb 2006 22:55:40 +0000 (GMT)
From: Robert Watson
To: Julian Elischer
Cc: trustedbsd-audit@TrustedBSD.org, Kövesdán Gábor, current@freebsd.org
Subject: Re: HEADS UP: Audit integration into CVS in progress, some tree disruption

On Wed, 1 Feb 2006, Julian Elischer wrote:

>>> I'll send out follow-up e-mail once the worst is past, along with
>>> information on what it all means, and how to try it out (for those not
>>> already on trustedbsd-audit, who have been hearing about this for a while).
>>>
>> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
>> 6.1? Or only for 6.2 or later?
>
> is there a website about all this stuff? "What's it for?"

I'm sure I promised to answer exactly that question in my follow-up e-mail once
the integration is done. :-)

The quick answer is that this is an implementation of security event auditing,
as required by the Orange Book C2 and later Common Criteria CAPP security
evaluation/standard. These documents provide specifications for a set of
functional requirements (and assurance requirements) regarding the behavior of
operating systems with respect to security. One of the requirements is the
fine-grained and configurable logging of security-relevant events.
Security-relevant turns out to be pretty all-inclusive, as CAPP requires the
ability to log the results of access control decisions associated with
discretionary access control, which means basically all file I/O, including
path lookups.

So what is present in our implementation is:

- The introduction of a centralized kernel audit event engine,
  src/sys/security/audit, which includes various system calls, an event queue,
  kernel worker thread to process the queue, interfaces to capture system call
  information, a system call for user applications to submit audit records,
  pre-selection mechanism, etc.
- OpenBSM, an implementation of the Solaris/OpenSolaris Basic Security Module
  API and file format for audit trails. This is derived from the BSM audit
  support found in the Apple Mac OS X and Darwin operating systems, although
  substantially reworked, cleaned up, and synchronized to recent BSM changes
  in Solaris, such as 64-bit records.

- auditd, a daemon for managing audit event logs and the audit subsystem.

- Modifications throughout the kernel and in many places in user space to
  generate audit records.

Unlike existing logging and tracing mechanisms, audit has to meet a number of
reliability, security, and functional requirements that basically drove the
implementation of a new logging system rather than adaptation of an existing
one:

- Only authorized processes can read and write to the audit log.

- Detailed subject and object information, including file paths, full
  credential information for processes, etc.

- Configurable log granularity by user, subsystem, operation, including the
  ability to control the logging of non-attributable events.

- Audit log reduction tools and pre-selection mechanism.

- Reliability requirements relating to maximum record loss in the event of
  power loss, configurable ability to fail-stop the system when the audit
  store is filled.

- Portable log format based on the de facto industry standard BSM format (used
  by Solaris, Mac OS X, and a moderate number of intrusion detection tools,
  post-mortem tools, etc).

The implementation is not yet fully complete, but it's now at the point where
more broad exposure and testing would be very helpful. The hope is to have much
of the current implementation merged in the next couple of days, and the
remainder over the next couple of weeks.
Since I did the intro for this, I should take this opportunity to thank Apple
Computer for sponsoring the original development work as part of their Common
Criteria CAPP evaluation for Mac OS X, and then releasing the results under a
BSD license (announcement on this to follow), SPARTA for releasing extensions
and additional work on the system, not to mention the team of people who have
been involved in porting over, adapting, and substantially enhancing the Darwin
audit support, including Wayne Salamon (part of the original audit development
team), who has done extensive development work on it, and Tom Rhodes, who has
written a lot of the new documentation including a new handbook chapter on
configuring audit support.

Robert N M Watson
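A worked illustration of the BSM trail format the mail describes, added here as an editorial example and not part of Robert Watson's message or of OpenBSM itself: it assembles one minimal record (header32, subject32, path, return32, trailer) and parses it back, rejecting any record whose trailer does not agree with the header byte count, which is how a post-mortem tool recognises a trail cut short by power loss. Token ids and field layouts are those of OpenBSM's bsm/audit_record.h; the event number, credentials and path are constructed sample values.

```python
import struct
# OpenBSM token ids and layouts (bsm/audit_record.h); all fields are big-endian.
AUT_TRAILER, AUT_HEADER32 = 0x13, 0x14
AUT_PATH, AUT_SUBJECT32, AUT_RETURN32 = 0x23, 0x24, 0x27
TRAILER_MAGIC = 0xB105
HDR_FMT, TRL_FMT = ">BIBHHII", ">BHI"          # 18 and 7 bytes respectively
SUBJ_FIELDS = ("auid", "euid", "egid", "ruid", "rgid", "pid", "sid", "port", "addr")

def build_record(event, subj, path, errno, retval, secs=0, msecs=0):
    """Assemble one record: header32 | subject32 | path | return32 | trailer."""
    p = path.encode() + b"\0"                     # path token length includes the NUL
    body = struct.pack(">B9I", AUT_SUBJECT32, *subj)
    body += struct.pack(">BH", AUT_PATH, len(p)) + p
    body += struct.pack(">BBI", AUT_RETURN32, errno, retval)
    # Header and trailer both carry the byte count of the whole record.
    total = struct.calcsize(HDR_FMT) + len(body) + struct.calcsize(TRL_FMT)
    hdr = struct.pack(HDR_FMT, AUT_HEADER32, total, 11, event, 0, secs, msecs)
    trl = struct.pack(TRL_FMT, AUT_TRAILER, TRAILER_MAGIC, total)
    return hdr + body + trl

def parse_record(buf):
    """Walk one record token by token; raise ValueError on a truncated or corrupt one."""
    tid, total, version, event, _mod, secs, msecs = struct.unpack_from(HDR_FMT, buf)
    if tid != AUT_HEADER32 or total != len(buf):
        raise ValueError("header byte count does not match data (truncated?)")
    rec = {"event": event, "version": version, "time": (secs, msecs), "tokens": []}
    off, end = struct.calcsize(HDR_FMT), total - struct.calcsize(TRL_FMT)
    while off < end:
        t = buf[off]
        if t == AUT_SUBJECT32:
            vals = struct.unpack_from(">9I", buf, off + 1)
            rec["tokens"].append(("subject", dict(zip(SUBJ_FIELDS, vals))))
            off += 1 + 36
        elif t == AUT_PATH:
            n = struct.unpack_from(">H", buf, off + 1)[0]
            rec["tokens"].append(("path", buf[off + 3:off + 3 + n - 1].decode()))
            off += 3 + n
        elif t == AUT_RETURN32:
            errno, retval = struct.unpack_from(">BI", buf, off + 1)
            rec["tokens"].append(("return", errno, retval))
            off += 6
        else:
            raise ValueError(f"unsupported token 0x{t:02x} at offset {off}")
    tid, magic, count = struct.unpack_from(TRL_FMT, buf, off)
    if tid != AUT_TRAILER or magic != TRAILER_MAGIC or count != total:
        raise ValueError("bad trailer: record boundary cannot be trusted")
    return rec
# Constructed sample: uid 1000, pid 4242, opening /etc/passwd; event number 72 is a sample value.
SAMPLE = build_record(72, (1000, 1000, 1000, 1000, 1000, 4242, 1, 0, 0), "/etc/passwd", 0, 3)
```

Real trails also carry attribute, argument and other tokens; the parser deliberately refuses what it does not understand rather than guessing the next token boundary.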