Issues with install guide (new one on the way)

Tom Rhodes trhodes at FreeBSD.org
Mon Nov 29 22:57:17 GMT 2004


Hey guys,

I read over the install guide; it seems out of date.  Comments
on it, before I actually rewrite it, are below.

-- 
Tom Rhodes


> The pieces for the audit system are spread throughout the TrustedBSD tree.
> This document shows how to install the pieces manually. 

This is not a requirement.  My build as of today, Wed, Nov 24, shows
that much, if not all, of the required items build/install during
the normal buildworld/install process.

> In the audit3 source tree, build the kernel as normal for a FreeBSD kernel.
> However, you need to uncomment (or add) the "options AUDIT" line in your
> config file. Then build and install as normal.

Yea, that is still true.  :)

> Auditing won't be on by default; it is enabled/disabled via a system call.
> Also, there is no initial mapping from audit events to audit classes
> in the kernel. The audit daemon handles both of these tasks. So you need
> to compile and install auditd. 

A system call, controlled via "sysctl" by any chance, or by manually
altering a file?  If so, I couldn't find the file.  It appears
that auditd is built during buildworld, at least from my build log
it is.

> First, you'll need to build and install libbsm. The Makefile in
> lib/libbsm should be used to build and install it.

Also builds during buildworld.

> The source for auditd is in the contrib/audit_supt/auditd. The 
> usr.sbin/auditd/Makefile will build auditd.  Install into /usr/sbin/auditd.

Again, built with buildworld.

> There is an 'audit' command that can be used to control auditd. Its source
> is in contrib/audit_supt/audit, and the Makefile is in usr.sbin/audit/Makefile.
> Install into /usr/sbin/audit.

Yes, builds with buildworld.

> The audit system is configured via files that are installed in /etc/security.
> The sources for these files are in the contrib/bsm/etc/ directory. You can
> manually copy these files to /etc/security, and they must exist BEFORE 
> auditd is started. Here's a brief description of the files:

You need to be in the contrib/bsm/etc directory and type
"make first-install" for them to install properly.  Perhaps
I can make a change to the Makefile for this, or does it
serve a purpose?

>	1) audit_class - Contains the definitions of the audit classes
>	2) audit_control - Controls aspects of the audit subsystem, such as 
>	   default audit classes, minimum disk space to leave on the audit log
>	   volume, etc. 
>	3) audit_event - Defines the kernel audit events. These map, mostly,
>	   to system calls.
>	4) audit_user - The events to audit for individual users. A user name
>	   does not need to appear in here.
>	5) audit_warn - A shell script that is used by auditd to form warning
>	   messages.

Good descriptions.  I also saw a startup script from Apple,
somewhere, that needs modification for FreeBSD's rcNG system.
I'll probably get that one too.

> The audit implementation is modeled after the Sun BSM audit system. In fact,
> the syntax of the above files is the same as in BSM. Therefore, a good 
> reference, for now, is the Sun BSM documentation, available at
>
>	http://docs.sun.com/doc/806-1789

I'll look at this a little more and perhaps write/rewrite a/the
manual page.  :)

>
> Once the above files are installed, start /usr/sbin/auditd as root. auditd
> will log info and warning messages to /var/log/security.

> You can force auditd to rotate the log files by using
>	/usr/sbin/audit -n
>
> To kill off auditd, use
>	/usr/sbin/audit -t

This looks good.  Note that I've added an rcNG script, which
works, but is loud about warnings.  I'll fix that soon.  :)
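As an added example (not part of Tom's message, the quoted guide, or the TrustedBSD tree), here is a small POSIX sh pre-flight check for the two preconditions the guide spells out: the kernel config must carry an uncommented "options AUDIT" line, and the five files in /etc/security must exist BEFORE auditd is started. The function names, the argument layout and the scratch tree it builds for its demo run are all constructed for this illustration; on a real host you would point it at your kernel config file and /etc/security.

```shell
#!/bin/sh
# Pre-flight check for starting /usr/sbin/auditd, covering the two
# preconditions stated in the install guide:
#   1. the kernel config has an uncommented "options AUDIT" line;
#   2. the five audit configuration files exist in /etc/security.
# Paths are parameters so the check can be exercised against a scratch
# tree; this is illustrative code, not part of the TrustedBSD sources.

# The five files the guide lists for /etc/security.
AUDIT_FILES="audit_class audit_control audit_event audit_user audit_warn"

# kernel_has_audit CONFIG
# Returns 0 if CONFIG contains a live "options AUDIT" line.  The regex is
# anchored so a line commented out with a leading "#" does not count.
kernel_has_audit() {
    grep -Eq '^[[:space:]]*options[[:space:]]+AUDIT([[:space:]]|$)' "$1"
}

# missing_audit_files DIR
# Prints, one per line, the names from AUDIT_FILES that are absent from DIR.
missing_audit_files() {
    for f in $AUDIT_FILES; do
        [ -f "$1/$f" ] || printf '%s\n' "$f"
    done
}

# audit_preflight CONFIG DIR
# Returns 0 when both preconditions hold and auditd can be started,
# 1 otherwise, with the reasons written to stderr.
audit_preflight() {
    rc=0
    if ! kernel_has_audit "$1"; then
        echo "$1: no 'options AUDIT' line; add it and rebuild the kernel" >&2
        rc=1
    fi
    missing=$(missing_audit_files "$2")
    if [ -n "$missing" ]; then
        echo "$2 is missing:" $missing "(install them before starting auditd)" >&2
        rc=1
    fi
    return $rc
}

# demo_audit_preflight
# Builds a constructed scratch tree (not a real system), runs the check
# once with everything in place and once with audit_control removed,
# and prints the two exit statuses.
demo_audit_preflight() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sec"
    # a commented-out line followed by a live one, as in a real config
    printf '#options\tAUDIT\noptions\t\tAUDIT\n' > "$tmp/GENERIC"
    for f in $AUDIT_FILES; do : > "$tmp/sec/$f"; done
    if audit_preflight "$tmp/GENERIC" "$tmp/sec" 2>/dev/null; then r1=0; else r1=1; fi
    rm "$tmp/sec/audit_control"
    if audit_preflight "$tmp/GENERIC" "$tmp/sec" 2>/dev/null; then r2=0; else r2=1; fi
    rm -rf "$tmp"
    echo "$r1 $r2"
}

demo_audit_preflight
```

Run as-is it prints "0 1": the complete tree passes, the tree without audit_control is rejected. The same check fits naturally at the top of an rcNG start method, so a misconfigured box refuses to start auditd with a clear message instead of auditd finding the problem itself at runtime.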