Date:      Wed, 1 Feb 2006 22:32:41 +0000 (GMT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Cc:        trustedbsd-audit@TrustedBSD.org, current@FreeBSD.org
Subject:   Re: HEADS UP: Audit integration into CVS in progress, some tree disruption
Message-ID:  <20060201222704.G87763@fledge.watson.org>
In-Reply-To: <43E134AB.8000600@t-hosting.hu>
References:  <20060201221213.L87763@fledge.watson.org> <43E134AB.8000600@t-hosting.hu>



On Wed, 1 Feb 2006, Kövesdán Gábor wrote:

> Robert Watson wrote:
>
>> As Wayne and I are in the process of merging the TrustedBSD audit3 branch
>> contents into the FreeBSD CVS HEAD (7-CURRENT), there may be periods where
>> the tree is (hopefully briefly) unbuildable.  This integration process will
>> take a couple of days to complete, due to the scope of the changes.  So
>> far, the kernel audit framework has been committed
>> (src/sys/security/audit), as has an initial vendor import of OpenBSM for
>> user space (src/contrib/openbsm).  What remains to be committed are the
>> substantial changes to gather audit data in system calls, the mappings of
>> system calls to audit events, and integration into the user space build and
>> user space applications (such as login).  These bits are the trickier bits
>> as the patches are large and touch a lot of parts of the tree.
>>
>> I'll send out follow-up e-mail once the worst is past, along with
>> information on what it all means, and how to try it out (for those not
>> already on trustedbsd-audit, who have been hearing about this for a while).
>>
> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
> 6.1? Or only for 6.2 or later?

It depends a bit how well this shakes out.  The code is definitely still
"experimental", in that the set of events audited is not yet complete.  There
are three general sorts of weaknesses in the set of events currently audited:

(1) Our auditing of system calls in compatibility APIs, such as Linux, is not
     yet complete.  A lot of this simply consists of completing the mapping of
     non-FreeBSD system calls to BSM audit event identifiers.  In other cases,
     we need to add new events or additional argument gathering.  For example,
     the Linux compatibility support includes some Linux-specific system calls
     that do not appear in Darwin, FreeBSD, or Solaris, and will require
     specific new event types to be assigned and arguments to be gathered.

(2) Argument gathering for FreeBSD system calls is not complete.  A moderate
     number of new system calls have been added since we began work on the
     audit code, including support for POSIX message queues and a new mount
     mechanism.  In addition, some current system calls are not fully audited --
     for example, ACL-related operations.

(3) Not all user space commands requiring audit support have been modified to
     perform CAPP-required auditing.  For example, sshd doesn't currently have
     its audit support hooked up (although the support in it for Solaris and
     Darwin BSM should work on FreeBSD).  Things like lpr, adduser, and so on
     require additional audit support.

Finally, lots of testing is required.

With all this in mind, it is not yet ruled out that we could ship initial
"experimental" audit support in 6.1-RELEASE.  In fact, the timing is currently
such that it will be possible, assuming all goes well, and allowing for the
fact that it really will be an experimental feature and not a production feature
in 6.1.  We were quite careful to merge the necessary ABI changes to RELENG_6
before the 6.0 release so that merging it would be possible without breaking
existing 6.x device drivers.

Help in continuing development and testing would be most welcome!  We'll send
out e-mail with details regarding configuring the audit support (etc) once the
merge is a bit further along.

Thanks,

Robert N M Watson