Issues with install guide (new one on the way)
Tom Rhodes
trhodes at FreeBSD.org
Mon Nov 29 22:57:17 GMT 2004
Hey guys,
I read over the install guide; it seems out of date. Comments
on it, before I actually rewrite it, are below.
--
Tom Rhodes
> The pieces for the audit system are spread throughout the TrustedBSD tree.
> This document shows how to install the pieces manually.
This is not a requirement. My build as of today, Wed, Nov 24, shows
that most if not all of the required items build/install during
the normal buildworld/install process.
> In the audit3 source tree, build the kernel as normal for a FreeBSD kernel.
> However, you need to uncomment (or add) the "options AUDIT" line in your
> config file. Then build and install as normal.
Yea, that is still true. :)
> Auditing won't be on by default; it is enabled/disabled via a system call.
> Also, there is no initial mapping from audit events to audit classes
> in the kernel. The audit daemon handles both of these tasks. So you need
> to compile and install auditd.
A system call controlled via "sysctl", by any chance, or by manually
altering a file? If so, I couldn't find the file. It appears
that auditd is built during buildworld, at least from my build log
it is.
> First, you'll need to build and install libbsm. The Makefile in
> lib/libbsm should be used to build and install it.
Also builds during buildworld.
> The source for auditd is in contrib/audit_supt/auditd. The
> usr.sbin/auditd/Makefile will build auditd. Install into /usr/sbin/auditd.
Again, built with buildworld.
> There is an 'audit' command that can be used to control auditd. Its source
> is in contrib/audit_supt/audit, and the Makefile is in usr.sbin/audit/Makefile.
> Install into /usr/sbin/audit.
Yes, builds with buildworld.
> The audit system is configured via files that are installed in /etc/security.
> The sources for these files are in the contrib/bsm/etc/ directory. You can
> manually copy these files to /etc/security, and they must exist BEFORE
> auditd is started. Here's a brief description of the files:
You need to be in the contrib/bsm/etc directory and type
"make first-install" for them to install properly. Perhaps
I can make a change to the Makefile for this, or do we have a
purpose for it?
> 1) audit_class - Contains the definitions of the audit classes
> 2) audit_control - Controls aspects of the audit subsystem, such as
> default audit classes, minimum disk space to leave on the audit log
> volume, etc.
> 3) audit_event - Defines the kernel audit events. These map, mostly,
> to system calls.
> 4) audit_user - The events to audit for individual users. A user name
> does not need to appear in here.
> 5) audit_warn - A shell script that is used by auditd to form warning
> messages.
Good descriptions. I have also seen a startup script from Apple,
somewhere, that needs modification for FreeBSD's rcNG system.
I'll probably get that one too.
> The audit implementation is modeled after the Sun BSM audit system. In fact,
> the syntax of the above files is the same as in BSM. Therefore, a good
> reference, for now, is the Sun BSM documentation, available at
>
> http://docs.sun.com/doc/806-1789
I'll look at this a little more and perhaps write/rewrite a/the
manual page. :)
>
> Once the above files are installed, start /usr/sbin/auditd as root. auditd
> will log info and warning messages to /var/log/security.
> You can force auditd to rotate the log files by using
> /usr/sbin/audit -n
>
> To kill off auditd, use
> /usr/sbin/audit -t
This looks good. Note that I've added an rcNG script, which
works, but is loud about warnings. I'll fix that soon. :)
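An added pre-start check for the configuration files the guide says must exist before auditd runs, written as a shell function that an rcNG start_precmd could call (example code, not the guide's text and not the rcNG script mentioned above). It assumes the five files live in /etc/security, that audit_warn must be executable because auditd runs it as a script, and that audit_control uses the Sun BSM "key:value" entries (dir:, flags:, minfree:, naflags:) the guide says the syntax shares.

```shell
#!/bin/sh
# Sanity-check the audit configuration before auditd is started.
# Added example: assumes the Sun BSM layout of audit_control
# (dir:, flags:, minfree:, naflags:), not taken from the guide.
AUDIT_ETC="${AUDIT_ETC:-/etc/security}"

# audit_precheck [dir]: print one line per problem, return 1 if any.
audit_precheck() {
    etc="${1:-$AUDIT_ETC}"
    rc=0
    # All five files must exist and be non-empty before auditd starts.
    for f in audit_class audit_control audit_event audit_user audit_warn; do
        if [ ! -s "$etc/$f" ]; then
            echo "missing or empty: $etc/$f"
            rc=1
        fi
    done
    # auditd runs audit_warn as a shell script, so it must be executable.
    if [ -f "$etc/audit_warn" ] && [ ! -x "$etc/audit_warn" ]; then
        echo "not executable: $etc/audit_warn"
        rc=1
    fi
    if [ -f "$etc/audit_control" ]; then
        # dir: must name an existing directory for the audit trail files.
        dir=$(sed -n 's/^dir:[[:space:]]*//p' "$etc/audit_control" | head -n 1)
        if [ -z "$dir" ]; then
            echo "audit_control: no dir: entry"; rc=1
        elif [ ! -d "$dir" ]; then
            echo "audit_control: dir $dir does not exist"; rc=1
        fi
        # minfree: is a percentage of free disk space, so 0..100 only.
        minfree=$(sed -n 's/^minfree:[[:space:]]*//p' "$etc/audit_control" | head -n 1)
        case "$minfree" in
            ''|*[!0-9]*) echo "audit_control: minfree: missing or not numeric"; rc=1 ;;
            *) [ "$minfree" -le 100 ] || { echo "audit_control: minfree: $minfree > 100"; rc=1; } ;;
        esac
    fi
    return $rc
}
```

In an rc.d script the function can be wired in with start_precmd="audit_precheck" so auditd is refused a start when the configuration is incomplete.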