HEADS UP: Audit integration into CVS in progress, some tree
disruption
Robert Watson
rwatson at FreeBSD.org
Wed Feb 1 22:32:41 GMT 2006
On Wed, 1 Feb 2006, Kövesdán Gábor wrote:
> Robert Watson wrote:
>
>> As Wayne and I are in the process of merging the TrustedBSD audit3 branch
>> contents into the FreeBSD CVS HEAD (7-CURRENT), there may be periods where
>> the tree is (hopefully briefly) unbuildable. This integration process will
>> take a couple of days to complete, due to the scope of the changes. So
>> far, the kernel audit framework has been committed
>> (src/sys/security/audit), as has an initial vendor import of OpenBSM for
>> user space (src/contrib/openbsm). What remains to be committed are the
>> substantial changes to gather audit data in system calls, the mappings of
>> system calls to audit events, and integration into the user space build and
>> user space applications (such as login). These bits are the trickier bits
>> as the patches are large and touch a lot of parts of the tree.
>>
>> I'll send out follow-up e-mail once the worst is past, along with
>> information on what it all means, and how to try it out (for those not
>> already on trustedbsd-audit, who have been hearing about this for a while).
>>
> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming
> 6.1? Or only for 6.2 or later?
It depends a bit how well this shakes out. The code is definitely still
"experimental", in that the set of events audited is not yet complete. There
are three general sorts of weaknesses in the set of events currently audited:
(1) Our auditing of system calls in compatibility APIs, such as Linux, is not
yet complete. A lot of this simply consists of completing the mapping of
non-FreeBSD system calls to BSM audit event identifiers. In other cases,
we need to add new events or additional argument gathering. For example,
the Linux compatibility support includes some Linux-specific system calls
that do not appear in Darwin, FreeBSD, or Solaris, and will require
specific new event types to be assigned and arguments to be gathered.
(2) Argument gathering for FreeBSD system calls is not complete. A moderate
number of new system calls have been added since we began work on the
audit code, including support for POSIX message queues and a new mount
mechanism. In addition, some current system calls are not fully audited --
for example, ACL-related operations.
(3) Not all user space commands requiring audit support have been modified to
perform CAPP-required auditing. For example, sshd doesn't currently have
its audit support hooked up (although the support in it for Solaris and
Darwin BSM should work on FreeBSD). Things like lpr, adduser, and so on
require additional audit support.
Finally, lots of testing is required.
With all this in mind, it is not yet ruled out that we could ship initial
"experimental" audit support in 6.1-RELEASE. In fact, the timing is currently
such that it will be possible, assuming all goes well, and allowing for the
fact that it really will be an experimental feature and not production feature
in 6.1. We were quite careful to merge the necessary ABI changes to RELENG_6
before the 6.0 release so that merging it would be possible without breaking
existing 6.x device drivers.
Help in continuing development and testing would be most welcome! We'll send
out e-mail with details regarding configuring the audit support (etc) once the
merge is a bit further along.
Thanks,
Robert N M Watson
More information about the trustedbsd-audit
mailing list