SoC: Distributed Audit Daemon project

Martin Englund Martin.Englund at Sun.COM
Fri May 25 09:23:20 UTC 2007 

Hi Alexey!

I think your project would be beneficial to both FreeBSD &  
OpenSolaris. Tomas Zeman is working on a similar thing for  
OpenSolaris, and I think it would be very good if you could use the  
distributed audit daemon to gather audit trails from both operating  
systems!

On May 25, 2007, at 01:22 , Alexey Mikhailov wrote:

> I'm the SoC student who will work on "Distributed Audit Daemon"
> project this summer. It was some discussion between me, my mentor
> Bjoern Zeeb <bz@> and Robert Watson <rwatson@> about design of
> this project. In this message I want to describe preliminary version
> of design we're likely to have. Your criticism and comments are
> very welcome!
>
> Some general theses first.
>
> 1. What this project is about?
>
> The general idea is to make it possible to log auditable events
> to remote hosts by secure network transport. Some basic association
> is daemon that acts as the server which receives BSM messages and
> writes them out to local filesystem. and acts as client which
> send BSM messages out.
>
> My initial proposal on this project can be found here:
>
> http://wiki.freebsd.org/DistributedAuditDaemon
>
> 2. As I said before initial subject of this project was "Distributed
> audit daemon". But after some discussions we had decided that this
> project can be done in more general maner. We can perform distributed
> logging for any user-space app. At this rate we need to get clean
> and general design with good level of abstraction. It seems that
> "Distributed logging daemon" is the good name for this project.
> (I will refer as "dlogd" to it)
>
> Consider this picture ( Yes, I know that my ASCII art sucks :-) )
>
> '----------------`                       '-----------------`
> |                |      '---------`      | Client-specific |
> | User-space app | <==  | API [2] | ==>  |     part of     |
> |     [1]        |      `---------'      |   "dlogd" [3]   |
> `----------------'                       `-----------------'
>                                                 ^^
>                                                 ||
>                                                 ||
>
>                                            (network level) [4]
>
>                                                 ||
>                                                 ||
>                                                 vv
>                                          '-----------------`
>              '===============`           | Server-specific |
>              |  File system  | <======== |    part of      |
>              | hierarchy [6] |           |    "dlogd" [5]  |
>              `==============='           `-----------------'
>
> Now I'll describe processes that will take place according to
> this scheme.
>
> [1] <=> [2]: Shared user-space library will incapsulate API.
> And I really want to keep real API simple. At this moment
> I'm going to have only one function that will mark log file
> as "to deliver" (i.e. dlogd_submit("/var/audit/whatever")).
>
> [2] <=> [3]: IPC will be UNIX domain sockets (PF_LOCAL).
>
> Authentication scheme for this is:
>
>   (1) Authenticate [3] to [2]. This is reasonably authenticated
>   by using a trusted name  for the local socket, such as
>   /var/dlogd/socket.  Only a process authorized to act as the daemon
>   will be able to create the socket.
>
>   (2) Authenticate [2] to [3]. With UNIX domain sockets, a credential
>   can be passed on connection, which we should do.
>
> When [3] receives file name logX, it makes symbolic link (it could
> be hard to preserve deletion but there're some issues with it) from
> logX to /var/dlogd/spool/audit/logX. Every T seconds [3] pushes
> spool out to [4] and logs succesful transactions. We can have some
> policies here, e.g.
>
>   * Transaction fails: if (current_time - log file timestamp) > T_1
>     then remove log file from spool and log it
>
>   * Transaction success: schedule log file removing for T_2 period
>
> [3] <=> [4]: At the network level we're going to use SSL certificates
> for authentication.
>
> [4] <=> [5]: We peform certification-based authentication here. And
> good point is to use administrator-assigned names here based on it.
> (if those corresponds to hostname or IP addresses -- that's fine)
>
> [5] <=> [6]: If authentication went OK we receive log file and log
> it to physical filesystem considering client name that we would get
> at previous step.
>
> Open questions:
>
> 1) Do we need some non-trivial network protocol in [3] <=> [5]
> communication or we can just send log file content preceded by
> size and name? (For example, server can ask client for missing log
> files, or send message that it's alive again after some crash or
> something)
>
> 2) Do we need some non-trivial API that I mentioned in [1] <=> [2]
> step? Non-trivial API could be something like
>
> dlogd_flush("/var/audit");            /* Notify of fresh start. */
> dlogd_created("/var/audit/whatever"); /* Notify of creation. */
> dlogd_submit("/var/audit/whatever");  /* Notify of termination. */
>
> _______________________________________________
> trustedbsd-discuss at FreeBSD.org mailing list
> http://lists.freebsd.org/mailman/listinfo/trustedbsd-discuss
> To unsubscribe, send any mail to "trustedbsd-discuss- 
> unsubscribe at FreeBSD.org"

cheers,
/Martin
-- 
Martin Englund, Java Security Engineer, Java SE, Sun Microsystems Inc.
Email: martin.englund at sun.com Time Zone: GMT+2 PGP: 1024D/AA514677
"The question is not if you are paranoid, it is if you are paranoid  
enough."

More information about the freebsd-hackers mailing list