Auditing support for FreeBSD (v0.1 way-way-way alpha)

Robert Watson robert at cyrus.watson.org
Tue Mar 30 17:01:37 GMT 1999


Hi there folks,

As I've mentioned in an email or two before, I've been working on an
implementation of the POSIX.1e auditing.  I have a first pass working on a
FreeBSD 4.0 machine, and have put a copy up for download (URL below, and I
suggest reading the rest of the email first).  First, I have to comment
that it is quite far from completion.  Essentially, at this point, it
consists of: 

o Man pages covering pretty much the entire spec (some of the constants
  and event-specific data sections are not typed in yet).  My
  understanding is that redistributing these man pages is acceptable and
  within the bounds of the copyright restrictions; it seems to be fairly
  acceptable practice to include documentation of functions provided with
  a library, even if it implements a POSIX standard.  Also, sections are
  rewritten, etc.

  These man pages include some of my clarifications and comments in the
  `BUGS' section of each man page.  posix_aud is the front page for the
  auditing section.

o Userland library implementing the bulk of the auditing functionality,
  albeit possibly not all that efficiently.  My intent was to implement it
  to figure out what the desired semantics of the draft were, and to
  resolve any conflicts or ambiguities before trying to write an efficient
  implementation :).  A few routines aren't there yet, including the one
  that generates a text representation of an audit record.  I'd like to
  see some discussion of a nice text representation to use.  The routine
  that's there right now is extremely ugly and poorly written, and I
  advise not looking at it. :)

o Kernel code and patches for some simple auditing stuff.  That is, a
  queue for audit records to go to a /dev/audit, routines for bundling up
  a few simple audit records in kernel.  Again, the point here was to make
  sure that the requirements were consistent, and not to make it pretty/
  fast/efficient/etc.  The interface for generating audit records will 
  change in the FreeBSD implementation; however, the "flattened" record
  format I use will probably stay the same.  I'm interested in discussion
  of the best format to ship the records around in; this one seems fairly
  decent.  Only a few simple syscalls are hooked to get a feeling for how
  things work.

o A simple auditd that listens on the device, dumping records to a
  /var/log/audit.log.  Leaving aside the reading from /dev/audit, it uses
  the library routines to manipulate the records.  This would be a great
  place to put IDS code, filtering routines, etc.  Needless to say, none
  are there yet.

The whole thing is built using the FreeBSD make file primitives, so
probably would build on only *BSD machines at this point.  However, the
source code itself should be pretty portable, and I have it under a
two-clause BSD license so it is certainly available should anyone want to
adapt it.  If you do want to use it, I would appreciate any patches,
submissions, etc, under the same license.  Also, if you don't feel like
fixing things, this is not a release for you, as I guarantee bugs. :-)

One thing that still has me unsure how to proceed is the array of strings
datatype.  I have pretty much concluded that the correct solution is a
packed byte array of nul-terminated strings, which requires user code
to parse it, but allows for fast assembly, and for it to be moved around
as a pile of bytes instead of requiring pointers to be relocated, etc,
which the use of a char *[] would require.

Anyhow, the URL is

  http://www.watson.org/fbsd-hardening/posix1e/audit/

Since this is an early pre-release, I have not linked it from my main
POSIX.1e implementation page, and ask that people not take this as too
formal of a release.  It's really just a "so you know it's there and in
case you want to take a look".

  Robert N Watson 

robert at fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/
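The "packed byte array of nul-terminated strings" layout discussed in the message above, as an added illustration (not code from the posted library): a packer that assembles the strings, a walker that parses them back without reading past the declared length, and a validator that flags a record whose last string lost its terminator. The struct and function names are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
/* Packed array of NUL-terminated strings: strings concatenated, each ending
 * in '\0', byte count carried alongside. Hypothetical layout, not the library's. */
struct packed_strs {
    char  *buf;   /* contiguous bytes: can be memcpy'd or shipped as-is */
    size_t len;   /* total bytes in buf, terminators included */
};
/* Assemble n C strings into one buffer; 0 on success, -1 on malloc failure. */
int pack_strs(const char *const *strs, size_t n, struct packed_strs *out)
{
    size_t total = 0, off = 0, i;
    for (i = 0; i < n; i++)
        total += strlen(strs[i]) + 1;          /* count each terminator */
    if ((out->buf = malloc(total ? total : 1)) == NULL)
        return -1;
    for (i = 0; i < n; i++) {
        size_t l = strlen(strs[i]) + 1;
        memcpy(out->buf + off, strs[i], l);    /* copies the '\0' too */
        off += l;
    }
    out->len = total;
    return 0;
}
/* Walk the buffer: *pos is a byte offset (start at 0). Returns the next string or
 * NULL at end; never reads past len. No terminator inside len means a truncated
 * record: returns NULL and sets *pos to (size_t)-1 so callers can tell. */
const char *next_str(const struct packed_strs *p, size_t *pos)
{
    const char *s, *end;
    if (*pos >= p->len)
        return NULL;
    s = p->buf + *pos;
    end = memchr(s, '\0', p->len - *pos);
    if (end == NULL) {
        *pos = (size_t)-1;
        return NULL;
    }
    *pos = (size_t)(end - p->buf) + 1;
    return s;
}
/* Validate and count the strings; -1 if the record is truncated. */
int count_strs(const struct packed_strs *p)
{
    size_t pos = 0;
    int n = 0;
    while (next_str(p, &pos) != NULL)
        n++;
    return pos == (size_t)-1 ? -1 : n;
}
```

Because the buffer carries no pointers, a consumer such as an auditd can copy it byte-for-byte out of the device and parse it in place, while a short read shows up as a count of -1 rather than a read past the end.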
