MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Chris H
chris# at 1command.com
Tue Dec 18 17:45:01 UTC 2012
> On 12/18/12 16:18, Robert Watson wrote:
>>
>> Dear all:
>>
>> Just an FYI that the new distributed audit daemon has been MFC'd to
>> 9-STABLE.
>
> Thanks.
>
>>
>> As noted in UPDATING, you will need to run "mergemaster -p" before
>> using installkernel or installworld targets in order to add the new
>> "auditdistd" system user. This should be part of the regular update
>> cycle anyway, but after the experience of adding auditdistd in
>> 10-CURRENT, we've discovered that many people are skipping that step
>> in the update cycle, so I figured it best to point out here.
>>
>> (Technically, only installworld requires the user, but the user-check
>> guards in the system Makefiles are enforced for both targets.)
>
> Maybe /usr/src/UPDATING should be updated?
> The end of /usr/src/UPDATING mentions mergemaster -p after the
> installation of the new kernel and rebooting to single user mode instead
> of before. This is on 9.1-RELEASE and also in CURRENT.
>
> At least the entry in /usr/src/UPDATING on CURRENT for this change
>
> 20121201:
> With the addition of auditdistd(8), a new auditdistd user is now
> depended on during installworld. "mergemaster -p" can be used
> to add
> the user prior to installworld, as documented in the handbook.
>
> should be "prior to installkernel" then also instead of "prior to
> installworld"
Greetings,
FWIW, I just performed a build(world||kernel) && install(world||kernel) yesterday.
I used the following:
cd /usr/src
make buildworld
make buildkernel KERNCONF=<mykern_name_here>
make installkernel KERNCONF=<mykern_name_here>
reboot to single user...
mount -u /
mount -a
cd /usr/src
mergemaster -p
blah,blah,blah...
make installworld
mergemaster
reboot
All of the auditdistd bits were merged into my system, and all is well.
Isn't that the way Updating lists the "correct" order?
Anyway, that's how I understood it, and just wanted to report that it
all worked as expected/anticipated.
HTH, and best wishes.
--Chris
>
>
>>
>> More details on the daemon below.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
>> From: Robert Watson <rwatson at FreeBSD.org>
>> To: current at FreeBSD.org
>> Cc: security at FreeBSD.org
>> Subject: Distributed audit daemon committed (was: svn commit: r243752
>> - in head:
>> etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
>> usr.sbin/auditdistd (fwd))
>>
>>
>> Dear all:
>>
>> I've now committed the build glue required to install the recently
>> merged Audit Distribution Daemon (auditdistd) contributed by the Pawel
>> Dawidek, and sponsored by the FreeBSD Foundation. This allows
>> individual hosts generating audit trails to submit trails to a central
>> audit server for review and safe keeping. Part of the goal is to
>> ensure that a host submitting trail data can't later modify the
>> trails. Pawel uses a variety of useful security- and
>> resilience-related features such as TLS, Capsicum, etc, in
>> auditdistd. As the recent security incident in the FreeBSD.org
>> cluster illustrated, having reliable and detailed audit trails makes a
>> big difference in forensic work, and hopefully this will allow the
>> FreeBSD Project (and our users) to do that better in the future.
>>
>> Robert N M Watson
>> Computer Laboratory
>> University of Cambridge
>>
>> ---------- Forwarded message ----------
>> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
>> From: Robert Watson <rwatson at FreeBSD.org>
>> To: src-committers at freebsd.org, svn-src-all at freebsd.org,
>> svn-src-head at freebsd.org
>> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail
>> etc/mtree
>> etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
>>
>> Author: rwatson
>> Date: Sat Dec 1 15:11:46 2012
>> New Revision: 243752
>> URL: http://svnweb.freebsd.org/changeset/base/243752
>>
>> Log:
>> Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
>> auditdistd (distributed audit daemon) to the build:
>>
>> - Manual cross references
>> - Makefile for auditdistd
>> - rc.d script, rc.conf entries
>> - New group and user for auditdistd; associated aliases, etc.
>>
>> The audit trail distribution daemon provides reliable,
>> cryptographically protected (and sandboxed) delivery of audit trails
>> from live clients to audit server hosts in order to both allow
>> centralised analysis, and improve resilience in the event of client
>> compromises: clients are not permitted to change trail contents
>> after submission.
>>
>> Submitted by: pjd
>> Sponsored by: The FreeBSD Foundation (auditdistd)
>>
>> Added:
>> head/etc/rc.d/auditdistd (contents, props changed)
>> head/usr.sbin/auditdistd/
>> head/usr.sbin/auditdistd/Makefile (contents, props changed)
>> Modified:
>> head/etc/defaults/rc.conf
>> head/etc/ftpusers
>> head/etc/mail/aliases
>> head/etc/master.passwd
>> head/etc/mtree/BSD.var.dist
>> head/etc/rc.d/Makefile
>> head/share/man/man4/audit.4
>> head/usr.sbin/Makefile
>>
>> Modified: head/etc/defaults/rc.conf
>> ==============================================================================
>>
>> --- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa
>> auditd_enable="NO" # Run the audit daemon.
>> auditd_program="/usr/sbin/auditd" # Path to the audit daemon.
>> auditd_flags="" # Which options to pass to the audit daemon.
>> +auditdistd_enable="NO" # Run the audit daemon.
>> +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd
>> daemon.
>> +auditdistd_flags="" # Which options to pass to the auditdistd daemon.
>> cron_enable="YES" # Run the periodic job daemon.
>> cron_program="/usr/sbin/cron" # Which cron executable to run (if
>> enabled).
>> cron_dst="YES" # Handle DST transitions intelligently (YES/NO)
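Review bot: the comment on the new auditdistd_enable line is copied from the auditd line above it and still reads "Run the audit daemon.", so the two knobs are indistinguishable by description in rc.conf(5). Suggest `auditdistd_enable="NO" # Run the audit distribution daemon.` to match the wording used for auditdistd_program and auditdistd_flags.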
>>
>> Modified: head/etc/ftpusers
>> ==============================================================================
>>
>> --- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -19,6 +19,7 @@ _pflogd
>> _dhcp
>> uucp
>> pop
>> +auditdistd
>> www
>> hast
>> nobody
>>
>> Modified: head/etc/mail/aliases
>> ==============================================================================
>>
>> --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -26,6 +26,7 @@ postmaster: root
>> # General redirections for pseudo accounts
>> _dhcp: root
>> _pflogd: root
>> +auditdistd: root
>> bin: root
>> bind: root
>> daemon: root
>>
>> Modified: head/etc/master.passwd
>> ==============================================================================
>>
>> --- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
>> _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
>> uucp:*:66:66::0:0:UUCP
>> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
>> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
>> +auditdistd:*:78:77::0:0:Auditdistd unprivileged
>> user:/var/empty:/usr/sbin/nologin
>> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>> hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
>> nobody:*:65534:65534::0:0:Unprivileged
>> user:/nonexistent:/usr/sbin/nologin
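Review bot: the new entry gives auditdistd a primary gid of 77, but the Modified list for this commit contains no change to etc/group, so that gid has to be a group that already exists in the base system; the log line "New group and user for auditdistd" therefore overstates the change, and the diff alone does not say which group 77 is. Suggest naming the group in the log (the BSD.var.dist hunk pairs the user with gname=audit, which looks like the intended one) or, if a dedicated group was meant, adding the etc/group hunk. Worth a second look that uid 78 is unused in the existing file, since the neighbouring entries jump from 68 to 80.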
>>
>> Modified: head/etc/mtree/BSD.var.dist
>> ==============================================================================
>>
>> --- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -19,6 +19,10 @@
>> /set gname=audit
>> audit
>> ..
>> + dist uname=auditdistd gname=audit mode=0770
>> + ..
>> + remote uname=auditdistd gname=wheel mode=0700
>> + ..
>> /set gname=wheel
>> backups
>> ..
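Review bot: /var/audit/dist is created mode=0770 with gname=audit, so every member of the audit group, not only the auditdistd user, can add, rename and unlink whatever is queued there, while /var/audit/remote is 0700. If group write on dist is deliberate (for the producer handing trails to the sender), a short comment in the spec or the log saying so would stop the next reader from tightening it to 0750; if it is not needed, 0750 is the safer default and closer to the log's stated goal that trail contents cannot be changed after submission.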
>>
>> Modified: head/etc/rc.d/Makefile
>> ==============================================================================
>>
>> --- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -19,6 +19,7 @@ FILES= DAEMON \
>> atm2 \
>> atm3 \
>> auditd \
>> + auditdistd \
>> bgfsck \
>> bluetooth \
>> bootparams \
>>
>> Added: head/etc/rc.d/auditdistd
>> ==============================================================================
>>
>> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
>> +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -0,0 +1,21 @@
>> +#!/bin/sh
>> +#
>> +# $FreeBSD$
>> +#
>> +
>> +# PROVIDE: auditdistd
>> +# REQUIRE: auditd
>> +# BEFORE: DAEMON
>> +# KEYWORD: nojail shutdown
>> +
>> +. /etc/rc.subr
>> +
>> +name="auditdistd"
>> +rcvar="${name}_enable"
>> +pidfile="/var/run/${name}.pid"
>> +command="/usr/sbin/${name}"
>> +required_files="/etc/${name}.conf"
>> +extra_commands="reload"
>> +
>> +load_rc_config $name
>> +run_rc_command "$1"
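Review bot: required_files="/etc/${name}.conf" makes the script refuse to start until /etc/auditdistd.conf exists, yet nothing in this commit installs a sample file or an mtree entry for it (the Added list holds only this script and the Makefile), so a user who flips auditdistd_enable to YES gets rc.subr's "required file not found" with no pointer to auditdistd.conf(5). Suggest mentioning the manual page in the rc.conf comment or shipping a commented example. Also note that REQUIRE: auditd only orders startup; on a receiver-only host with auditd disabled the script still runs, which is presumably intended and deserves a one-line comment.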
>>
>> Modified: head/share/man/man4/audit.4
>> ==============================================================================
>>
>> --- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -96,7 +96,8 @@ to track users and events in a fine-grai
>> .Xr audit_warn 5 ,
>> .Xr rc.conf 5 ,
>> .Xr audit 8 ,
>> -.Xr auditd 8
>> +.Xr auditd 8 ,
>> +.Xr auditdistd 8
>> .Sh HISTORY
>> The
>> .Tn OpenBSM
>>
>> Modified: head/usr.sbin/Makefile
>> ==============================================================================
>>
>> --- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751)
>> +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752)
>> @@ -110,6 +110,9 @@ SUBDIR+= amd
>> .if ${MK_AUDIT} != "no"
>> SUBDIR+= audit
>> SUBDIR+= auditd
>> +.if ${MK_OPENSSL} != "no"
>> +SUBDIR+= auditdistd
>> +.endif
>> SUBDIR+= auditreduce
>> SUBDIR+= praudit
>> .endif
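Review bot: auditdistd is only built when MK_OPENSSL != "no", but the rc.d script, rc.conf defaults, mail alias, ftpusers and master.passwd entries in the other hunks are added unconditionally. On a WITHOUT_OPENSSL build /etc/rc.d/auditdistd is installed pointing at a /usr/sbin/auditdistd that does not exist; harmless while the default stays auditdistd_enable="NO", but the rc.d/Makefile hunk could be guarded by the same MK_OPENSSL knob so the two stay consistent.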
>>
>> Added: head/usr.sbin/auditdistd/Makefile
>> ==============================================================================
>>
>> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
>> +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012
>> (r243752)
>> @@ -0,0 +1,32 @@
>> +#
>> +# $FreeBSD$
>> +#
>> +
>> +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
>> +.PATH: ${OPENBSMDIR}/bin/auditdistd
>> +
>> +# Addition of auditdistd because otherwise generated parse.c can't find
>> +# auditdistd.h. This seems like a makefile non-feature.
>> +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
>> +
>> +NO_WFORMAT=
>> +
>> +PROG= auditdistd
>> +SRCS= auditdistd.c
>> +SRCS+= parse.y pjdlog.c
>> +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c
>> proto_tls.c
>> +SRCS+= receiver.c
>> +SRCS+= sandbox.c sender.c subr.c
>> +SRCS+= token.l trail.c
>> +MAN= auditdistd.8 auditdistd.conf.5
>> +
>> +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
>> +LDADD= -ll -lpthread -lutil
>> +DPADD+= ${LIBCRYPTO} ${LIBSSL}
>> +LDADD+= -lcrypto -lssl
>> +
>> +YFLAGS+=-v
>> +
>> +CLEANFILES=parse.c parse.h parse.output
>> +
>> +.include <bsd.prog.mk>
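Review bot: NO_WFORMAT= disables format-string warnings for the whole program, and for a daemon that parses a configuration file and a network protocol this is precisely the class of warning worth keeping. If a specific file under contrib/openbsm trips the check, a per-file CFLAGS override (or a fix sent upstream) is preferable to turning it off program-wide. The CFLAGS comment about the generated parse.c not finding auditdistd.h is accurate for .PATH-sourced yacc output, so that part reads fine.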
>
>
>
--
Successful builds are performed thusly:
make -DWITHOUT_CLANG buildworld
subversion; an inferior RCS created so Windows users wouldn't feel left out.
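A pre-installworld check, added here as an illustration and not code from this thread or from FreeBSD, for the point Robert makes about running "mergemaster -p" first: it scans a master.passwd-style file for the users installworld now depends on and reports the ones that are absent. The missing_users helper, the REQUIRED_USERS list and the sample file contents are constructed for the example; only the auditdistd line is taken from the r243752 hunk.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a pre-installworld
# check that the system accounts the build now depends on already exist, which
# is what running "mergemaster -p" before installworld is meant to guarantee.
# The auditdistd line below mirrors the master.passwd hunk in r243752; the
# other sample entries, file names and user list are constructed.

# missing_users <master.passwd-style file> user... : print each named user
# that has no entry in the file (one per line). Returns 0 when none are
# missing, 1 when at least one is, 2 when the file cannot be read.
missing_users() {
    _file=$1
    shift
    [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 2; }
    _rc=0
    for _u in "$@"; do
        # Field 1 is the login name; comment and blank lines are skipped.
        if ! awk -F: -v u="$_u" '
                /^#/ || NF == 0 { next }
                $1 == u { found = 1 }
                END { exit found ? 0 : 1 }' "$_file"; then
            echo "$_u"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed stand-ins for /etc/master.passwd before and after
# "mergemaster -p" has merged the new entry.
OLD_PASSWD=$(mktemp)
NEW_PASSWD=$(mktemp)
trap 'rm -f "$OLD_PASSWD" "$NEW_PASSWD"' EXIT

cat > "$OLD_PASSWD" <<'EOF'
# constructed sample: master.passwd excerpt before the merge
root:*:0:0::0:0:Charlie &:/root:/bin/csh
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF

cat > "$NEW_PASSWD" <<'EOF'
# constructed sample: the same file after mergemaster -p
root:*:0:0::0:0:Charlie &:/root:/bin/csh
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF

# Users installworld expects (constructed list); on a real host you would
# point the check at /etc/master.passwd instead of the samples.
REQUIRED_USERS="auditdistd www"

for f in "$OLD_PASSWD" "$NEW_PASSWD"; do
    if missing=$(missing_users "$f" $REQUIRED_USERS); then
        echo "$f: all required users present, safe to run installworld"
    else
        echo "$f: run 'mergemaster -p' first; missing users:"
        echo "$missing"
    fi
done
```

A non-zero status from missing_users is the same condition the user-check guards in the system Makefiles enforce; running the check against /etc/master.passwd after installkernel and before installworld tells you whether the "mergemaster -p" step was skipped.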