MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Bryan Drewery
bryan-lists at shatow.net
Tue Dec 18 18:45:36 UTC 2012
On 12/18/2012 9:18 AM, Robert Watson wrote:
>
> Dear all:
>
> Just an FYI that the new distributed audit daemon has been MFC'd to
> 9-STABLE.
>
> As noted in UPDATING, you will need to run "mergemaster -p" before using
> installkernel or installworld targets in order to add the new
> "auditdistd" system user. This should be part of the regular update
> cycle anyway, but after the experience of adding auditdistd in
> 10-CURRENT, we've discovered that many people are skipping that step in
> the update cycle, so I figured it best to point out here.
>
> (Technically, only installworld requires the user, but the user-check
> guards in the system Makefiles are enforced for both targets.)
Have you seen misc/174405? Apparently installkernel is requiring the
user as well. The documented process in UPDATING does not mention
running mergemaster -p before [install]kernel.
>
> More details on the daemon below.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
> From: Robert Watson <rwatson at FreeBSD.org>
> To: current at FreeBSD.org
> Cc: security at FreeBSD.org
> Subject: Distributed audit daemon committed (was: svn commit: r243752 -
> in head:
> etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
> usr.sbin/auditdistd (fwd))
>
>
> Dear all:
>
> I've now committed the build glue required to install the recently
> merged Audit Distribution Daemon (auditdistd) contributed by Pawel
> Dawidek, and sponsored by the FreeBSD Foundation. This allows
> individual hosts generating audit trails to submit trails to a central
> audit server for review and safekeeping. Part of the goal is to ensure
> that a host submitting trail data can't later modify the trails. Pawel
> uses a variety of useful security- and resilience-related features such
> as TLS, Capsicum, etc., in auditdistd. As the recent security incident
> in the FreeBSD.org cluster illustrated, having reliable and detailed
> audit trails makes a big difference in forensic work, and hopefully this
> will allow the FreeBSD Project (and our users) to do that better in the
> future.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
> From: Robert Watson <rwatson at FreeBSD.org>
> To: src-committers at freebsd.org, svn-src-all at freebsd.org,
> svn-src-head at freebsd.org
> Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
> etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
>
> Author: rwatson
> Date: Sat Dec 1 15:11:46 2012
> New Revision: 243752
> URL: http://svnweb.freebsd.org/changeset/base/243752
>
> Log:
> Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
> auditdistd (distributed audit daemon) to the build:
>
> - Manual cross references
> - Makefile for auditdistd
> - rc.d script, rc.conf entries
> - New group and user for auditdistd; associated aliases, etc.
>
> The audit trail distribution daemon provides reliable,
> cryptographically protected (and sandboxed) delivery of audit trails
> from live clients to audit server hosts in order to both allow
> centralised analysis, and improve resilience in the event of client
> compromises: clients are not permitted to change trail contents
> after submission.
>
> Submitted by: pjd
> Sponsored by: The FreeBSD Foundation (auditdistd)
>
> Added:
> head/etc/rc.d/auditdistd (contents, props changed)
> head/usr.sbin/auditdistd/
> head/usr.sbin/auditdistd/Makefile (contents, props changed)
> Modified:
> head/etc/defaults/rc.conf
> head/etc/ftpusers
> head/etc/mail/aliases
> head/etc/master.passwd
> head/etc/mtree/BSD.var.dist
> head/etc/rc.d/Makefile
> head/share/man/man4/audit.4
> head/usr.sbin/Makefile
>
> Modified: head/etc/defaults/rc.conf
> ==============================================================================
>
> --- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012 (r243752)
> @@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa
> auditd_enable="NO" # Run the audit daemon.
> auditd_program="/usr/sbin/auditd" # Path to the audit daemon.
> auditd_flags="" # Which options to pass to the audit daemon.
> +auditdistd_enable="NO" # Run the audit daemon.
> +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd
> daemon.
> +auditdistd_flags="" # Which options to pass to the auditdistd daemon.
> cron_enable="YES" # Run the periodic job daemon.
> cron_program="/usr/sbin/cron" # Which cron executable to run (if
> enabled).
> cron_dst="YES" # Handle DST transitions intelligently (YES/NO)
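Review bot: the comment on the added `auditdistd_enable="NO"` line is copied from the `auditd_enable` line above it and still reads "Run the audit daemon."; it should say "Run the audit distribution daemon." so that readers of rc.conf(5) can tell the two knobs apart.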
>
> Modified: head/etc/ftpusers
> ==============================================================================
>
> --- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752)
> @@ -19,6 +19,7 @@ _pflogd
> _dhcp
> uucp
> pop
> +auditdistd
> www
> hast
> nobody
>
> Modified: head/etc/mail/aliases
> ==============================================================================
>
> --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752)
> @@ -26,6 +26,7 @@ postmaster: root
> # General redirections for pseudo accounts
> _dhcp: root
> _pflogd: root
> +auditdistd: root
> bin: root
> bind: root
> daemon: root
>
> Modified: head/etc/master.passwd
> ==============================================================================
>
> --- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752)
> @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
> _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
> uucp:*:66:66::0:0:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
> +auditdistd:*:78:77::0:0:Auditdistd unprivileged
> user:/var/empty:/usr/sbin/nologin
> www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
> nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
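Review bot: the new entry gives the account primary gid 77, but the Modified list contains no head/etc/group change even though the log says "New group and user"; if gid 77 is the existing audit group (the mtree hunk sets gname=audit on the dist directory), the log line should say so, and if a new group was intended, its etc/group entry is missing from this commit. The rest of the entry (locked password, /var/empty home, /usr/sbin/nologin shell) follows the existing hast privsep user, which is the right pattern.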
>
> Modified: head/etc/mtree/BSD.var.dist
> ==============================================================================
>
> --- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752)
> @@ -19,6 +19,10 @@
> /set gname=audit
> audit
> ..
> + dist uname=auditdistd gname=audit mode=0770
> + ..
> + remote uname=auditdistd gname=wheel mode=0700
> + ..
> /set gname=wheel
> backups
> ..
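Review bot: `dist` is created 0770 with gname=audit, so every member of the audit group can write to and remove pending trails, not only root and the auditdistd user; since the stated goal is that trails cannot be altered after submission, the commit message should say who is expected to write there, and the mode should be narrowed if only auditd and auditdistd need access. `remote` at 0700 owned solely by auditdistd is the stricter of the two and looks right for the receiver-side store.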
>
> Modified: head/etc/rc.d/Makefile
> ==============================================================================
>
> --- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752)
> @@ -19,6 +19,7 @@ FILES= DAEMON \
> atm2 \
> atm3 \
> auditd \
> + auditdistd \
> bgfsck \
> bluetooth \
> bootparams \
>
> Added: head/etc/rc.d/auditdistd
> ==============================================================================
>
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752)
> @@ -0,0 +1,21 @@
> +#!/bin/sh
> +#
> +# $FreeBSD$
> +#
> +
> +# PROVIDE: auditdistd
> +# REQUIRE: auditd
> +# BEFORE: DAEMON
> +# KEYWORD: nojail shutdown
> +
> +. /etc/rc.subr
> +
> +name="auditdistd"
> +rcvar="${name}_enable"
> +pidfile="/var/run/${name}.pid"
> +command="/usr/sbin/${name}"
> +required_files="/etc/${name}.conf"
> +extra_commands="reload"
> +
> +load_rc_config $name
> +run_rc_command "$1"
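Review bot: `required_files="/etc/${name}.conf"` is a good guard, since rc.subr refuses to start the daemon without a configuration file. `# REQUIRE: auditd` only orders startup after auditd when both are enabled, so a receive-only server that does not run auditd still starts the daemon; that is fine as long as it is intended, and a short note in the log would make it clear that the ordering is not a hard dependency.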
>
> Modified: head/share/man/man4/audit.4
> ==============================================================================
>
> --- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752)
> @@ -96,7 +96,8 @@ to track users and events in a fine-grai
> .Xr audit_warn 5 ,
> .Xr rc.conf 5 ,
> .Xr audit 8 ,
> -.Xr auditd 8
> +.Xr auditd 8 ,
> +.Xr auditdistd 8
> .Sh HISTORY
> The
> .Tn OpenBSM
>
> Modified: head/usr.sbin/Makefile
> ==============================================================================
>
> --- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751)
> +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752)
> @@ -110,6 +110,9 @@ SUBDIR+= amd
> .if ${MK_AUDIT} != "no"
> SUBDIR+= audit
> SUBDIR+= auditd
> +.if ${MK_OPENSSL} != "no"
> +SUBDIR+= auditdistd
> +.endif
> SUBDIR+= auditreduce
> SUBDIR+= praudit
> .endif
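Review bot: the new `.if ${MK_OPENSSL} != "no"` guard carries no comment explaining why auditdistd is tied to OpenSSL; a one-line note that the daemon links libcrypto/libssl for its TLS transport (as the LDADD lines in the auditdistd Makefile show) would save the next reader a trip into contrib. Note also that with MK_OPENSSL=no the rc.d script, rc.conf defaults, user and mtree directories from this commit are still installed while the binary is not; harmless, but worth a mention in the log.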
>
> Added: head/usr.sbin/auditdistd/Makefile
> ==============================================================================
>
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 (r243752)
> @@ -0,0 +1,32 @@
> +#
> +# $FreeBSD$
> +#
> +
> +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
> +.PATH: ${OPENBSMDIR}/bin/auditdistd
> +
> +# Addition of auditdistd because otherwise generated parse.c can't find
> +# auditdistd.h. This seems like a makefile non-feature.
> +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
> +
> +NO_WFORMAT=
> +
> +PROG= auditdistd
> +SRCS= auditdistd.c
> +SRCS+= parse.y pjdlog.c
> +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c
> proto_tls.c
> +SRCS+= receiver.c
> +SRCS+= sandbox.c sender.c subr.c
> +SRCS+= token.l trail.c
> +MAN= auditdistd.8 auditdistd.conf.5
> +
> +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
> +LDADD= -ll -lpthread -lutil
> +DPADD+= ${LIBCRYPTO} ${LIBSSL}
> +LDADD+= -lcrypto -lssl
> +
> +YFLAGS+=-v
> +
> +CLEANFILES=parse.c parse.h parse.output
> +
> +.include <bsd.prog.mk>
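Review bot: `NO_WFORMAT=` disables format-string warnings for the whole program, which for a network-facing daemon that parses input from remote clients is a check worth keeping; if the warnings come from a few call sites in contrib/openbsm it is better to fix them upstream or scope the suppression, and at minimum the reason should be commented the way the CFLAGS include-path workaround above it is. The break before `proto_tls.c` in the `SRCS+=` line has no `+` prefix and appears to be mail wrapping rather than part of the patch; anyone applying it by hand should rejoin that line.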