svn commit: r312271 - in head/security: . openbsm-devel openbsm-devel/files
Ryan Steinmetz
zi at FreeBSD.org
Fri Feb 15 03:06:00 UTC 2013
Author: zi
Date: Fri Feb 15 03:05:58 2013
New Revision: 312271
URL: http://svnweb.freebsd.org/changeset/ports/312271
Log:
New port: security/openbsm-devel:
OpenBSM is an open source implementation of Sun's Basic Security Module (BSM)
Audit API and file format. BSM, the de facto industry standard for Audit,
describes a set of system call and library interfaces for managing audit
records, as well as a token stream file format that permits extensible and
generalized audit trail processing. OpenBSM extends the BSM API and file
format in a number of ways to support features present in the Mac OS X and
FreeBSD operating systems, such as Mach task interfaces, sendfile(), and
Linux system calls present in the FreeBSD Linux emulation layer.
Added:
head/security/openbsm-devel/
- copied from r312250, head/security/openbsm/
head/security/openbsm-devel/files/
head/security/openbsm-devel/files/auditdistd.in (contents, props changed)
head/security/openbsm-devel/files/pkg-message.in (contents, props changed)
Modified:
head/security/Makefile
head/security/openbsm-devel/Makefile (contents, props changed)
head/security/openbsm-devel/distinfo (contents, props changed)
head/security/openbsm-devel/pkg-plist (contents, props changed)
Modified: head/security/Makefile
==============================================================================
--- head/security/Makefile Fri Feb 15 02:58:24 2013 (r312270)
+++ head/security/Makefile Fri Feb 15 03:05:58 2013 (r312271)
@@ -344,6 +344,7 @@
SUBDIR += oinkmaster
SUBDIR += op
SUBDIR += openbsm
+ SUBDIR += openbsm-devel
SUBDIR += opencdk
SUBDIR += openconnect
SUBDIR += opencryptoki
Modified: head/security/openbsm-devel/Makefile
==============================================================================
--- head/security/openbsm/Makefile Thu Feb 14 23:41:53 2013 (r312250)
+++ head/security/openbsm-devel/Makefile Fri Feb 15 03:05:58 2013 (r312271)
@@ -1,55 +1,58 @@
-# New ports collection makefile for: openbsm
-# Date created: Jun 13 2006
-# Whom: Florent Thoumie <flz at FreeBSD.org>
-#
+# Created by: Ryan Steinmetz <zi at FreeBSD.org>
# $FreeBSD$
-#
PORTNAME= openbsm
-DISTVERSION= 1.1-p2
+DISTVERSION= 1.2-alpha3
CATEGORIES= security
-MASTER_SITES= http://www.trustedbsd.org/downloads/
-DISTNAME= openbsm-${DISTVERSION}
+MASTER_SITES= http://www.trustedbsd.org/downloads/ \
+ http://mirrors.rit.edu/zi/
+PKGNAMESUFFIX= -devel
EXTRACT_SUFX= .tgz
-MAINTAINER= flz at FreeBSD.org
+MAINTAINER= zi at FreeBSD.org
COMMENT= Open Source Basic Security Module (BSM) Audit Implementation
+LICENSE= BSD
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+CONFLICTS= openbsm-1.[0-9]*
+
GNU_CONFIGURE= yes
USE_LDCONFIG= yes
-MAN1= auditreduce.1 \
- praudit.1
-MAN2= audit.2 \
- auditctl.2 \
- auditon.2 \
- getaudit.2 \
- getauid.2 \
- setaudit.2 \
+USE_RC_SUBR= auditdistd
+SUB_FILES= pkg-message
+PLIST_SUB= USERS=${USERS} GROUPS=${GROUPS}
+
+USERS= auditdistd
+GROUPS= audit
+
+VARAUDIT= /var/audit
+MAN1= auditreduce.1 praudit.1
+MAN2= audit.2 auditctl.2 auditon.2 getaudit.2 getauid.2 setaudit.2 \
setauid.2
-MAN3= au_class.3 \
- au_control.3 \
- au_domain.3 \
- au_errno.3 \
- au_event.3 \
- au_fcntl_cmd.3 \
- au_free_token.3 \
- au_io.3 \
- au_mask.3 \
- au_open.3 \
- au_socket_type.3 \
- au_token.3 \
- au_user.3 \
- libauditd.3 \
- libbsm.3
-MAN5= audit.log.5 \
- audit_class.5 \
- audit_control.5 \
- audit_event.5 \
- audit_user.5 \
- audit_warn.5
-MAN8= auditfilterd.8 \
- audit.8 \
- auditd.8
+MAN3= au_class.3 au_control.3 au_domain.3 au_errno.3 au_event.3 \
+ au_fcntl_cmd.3 au_free_token.3 au_io.3 au_mask.3 au_open.3 \
+ au_socket_type.3 au_token.3 au_user.3 libauditd.3 libbsm.3
+MAN5= audit.log.5 auditdistd.conf.5 audit_class.5 audit_control.5 \
+ audit_event.5 audit_user.5 audit_warn.5
+MAN8= auditfilterd.8 audit.8 auditd.8 auditdistd.8
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} <= 800000
+IGNORE= requires FreeBSD 8.x or above
+.endif
+
+.if ${OSVERSION} >= 1000000
+IGNORE= is not needed under FreeBSD 10.x or higher
+.endif
+
+post-install:
+ @${MKDIR} -m 0770 ${VARAUDIT}/dist
+ @${MKDIR} -m 0700 ${VARAUDIT}/remote
+ @${CHOWN} ${USERS}:${GROUPS} ${VARAUDIT}/dist
+ @${CHOWN} ${USERS}:wheel ${VARAUDIT}/remote
+ @${CAT} ${PKGMESSAGE}
-.include <bsd.port.mk>
+.include <bsd.port.post.mk>
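Review bot: The `post-install` target relies on `${MKDIR} -m` followed by `${CHOWN}` to secure `${VARAUDIT}/dist` and `${VARAUDIT}/remote`, which does not enforce the intended mode when the directory already exists. `${MKDIR}` in the ports framework is normally `mkdir -p`, which leaves an existing directory's mode untouched, so a leftover directory with looser permissions would keep them while (presumably) holding audit trail data. Adding `@${CHMOD} 0770 ${VARAUDIT}/dist` and `@${CHMOD} 0700 ${VARAUDIT}/remote` after the chown lines would re-assert the modes on every install. A short comment above the target saying which account needs access to each directory would make the 0770/0700 split easier to audit later.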
Modified: head/security/openbsm-devel/distinfo
==============================================================================
--- head/security/openbsm/distinfo Thu Feb 14 23:41:53 2013 (r312250)
+++ head/security/openbsm-devel/distinfo Fri Feb 15 03:05:58 2013 (r312271)
@@ -1,2 +1,2 @@
-SHA256 (openbsm-1.1-p2.tgz) = f3385a27d06ebb6a6c78e9ff9295d02129ad05a34b3283a7b35adf9ae8ee9eb3
-SIZE (openbsm-1.1-p2.tgz) = 546453
+SHA256 (openbsm-1.2-alpha3.tgz) = 88c9035e3c436b6ca5d19e9143bbc2c93b4a579da9e52fe10672cce51bd5a74e
+SIZE (openbsm-1.2-alpha3.tgz) = 691013
Added: head/security/openbsm-devel/files/auditdistd.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openbsm-devel/files/auditdistd.in Fri Feb 15 03:05:58 2013 (r312271)
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: auditdistd
+# REQUIRE: auditd
+# BEFORE: DAEMON
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="auditdistd"
+rcvar="${name}_enable"
+pidfile="/var/run/${name}.pid"
+command="%%PREFIX%%/sbin/${name}"
+required_files="/etc/security/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
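Review bot: `auditdistd_enable` is given no default in this script, so after `load_rc_config $name` the rcvar is unset on any host whose rc.conf does not mention it. rc.subr scripts conventionally add `: ${auditdistd_enable="NO"}` right after `load_rc_config $name`; that makes the off-by-default state explicit and should avoid rc.subr's warning about an improperly set variable (behaviour assumed from rc.subr, not visible on this page). A one-line comment on `required_files` noting that the daemon is not started without `/etc/security/auditdistd.conf` would document the fail-closed intent.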
Added: head/security/openbsm-devel/files/pkg-message.in
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openbsm-devel/files/pkg-message.in Fri Feb 15 03:05:58 2013 (r312271)
@@ -0,0 +1,70 @@
+===============================================================================
+
+Additional configuration is required if you wish to use auditdistd:
+
+On the receiver, perform the following:
+
+1. Generate a certificate:
+# openssl req -x509 -nodes -newkey rsa:4096 -days 1825 -batch \
+ -out /etc/security/auditdistd.cert.pem \
+ -keyout /etc/security/auditdistd.key.pem
+# chmod 0600 /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem
+# chown root:wheel /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem
+
+2. Print out the public key's fingerprint:
+# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | \
+ awk -F '[ =]' '{printf("%s=%s\n", $1, $3)}'
+SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30...
+
+3. Generate a password used to authenticate both hosts against eachother:
+# dd if=/dev/urandom bs=32 count=1 | openssl base64 | cut -b -32
+YjwbK69H5cEBlhcT+eJpJgJTFn5B2SrG
+
+4. Create /etc/security/auditdistd.conf configuration file:
+receiver {
+ host "<enter hostname of sender here> {
+ remote "tls://<enter IP of sender here>"
+ password "<enter password generated above here>"
+ }
+}
+
+5. Update permissions on the auditdistd configuration file:
+# chmod 600 /etc/security/auditdistd.conf
+# chown root:wheel /etc/security/auditdistd.conf
+
+6. Add the following to /etc/rc.conf:
+auditdistd_enable="YES"
+
+7. Start auditdistd:
+service auditdistd start
+
+===============================================================================
+
+On the sender, perform the following:
+
+1. Ensure your kernel is compiled with:
+options AUDIT
+
+2. Add the following to /etc/rc.conf:
+auditd_enable="YES"
+auditd_program="%%PREFIX%%/sbin/auditd"
+auditdistd_enable="YES"
+
+3. Add the following to /etc/security/audit_control:
+dist:on
+
+4. Create /etc/security/auditdistd.conf configuration file:
+sender {
+ host "<enter hostname of receiver here>" {
+ remote "tls://<enter IP of the receiver here>"
+ fingerprint "SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:..."
+ password "<enter password generated above here>"
+ }
+}
+
+4. Start the required daemons:
+service auditd start && service auditdistd start
+
+Additional information regarding auditdistd may be found on the OpenBSM wiki:
+https://wiki.freebsd.org/auditdistd
+===============================================================================
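Review bot: The sender instructions never restrict `/etc/security/auditdistd.conf`, although that file carries the same shared `password` that the receiver section protects in its step 5; the sender list should gain the same `chmod 600 /etc/security/auditdistd.conf` and `chown root:wheel /etc/security/auditdistd.conf` step. In the receiver example the `host` line is missing its closing quote, so a copied configuration is unlikely to parse as written; it should read `host "<enter hostname of sender here>" {`. The sender steps are numbered 4 twice, and "eachother" in receiver step 3 should be "each other".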
Modified: head/security/openbsm-devel/pkg-plist
==============================================================================
--- head/security/openbsm/pkg-plist Thu Feb 14 23:41:53 2013 (r312250)
+++ head/security/openbsm-devel/pkg-plist Fri Feb 15 03:05:58 2013 (r312271)
@@ -24,7 +24,15 @@ lib/libbsm.so
lib/libbsm.so.0
sbin/audit
sbin/auditd
+sbin/auditdistd
sbin/auditfilterd
sbin/auditreduce
sbin/praudit
@dirrm include/bsm
+ at cwd /
+ at exec mkdir -m 0770 var/audit/dist
+ at exec mkdir -m 0700 var/audit/remote
+ at exec chown %%USERS%%:%%GROUPS var/audit/dist
+ at exec chown %%USERS%%:wheel var/audit/remote
+ at unexec rmdir var/audit/dist 2>/dev/null || true
+ at unexec rmdir var/audit/remote 2>/dev/null || true
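Review bot: On the first added `chown` line the group placeholder is written `%%GROUPS` without its closing `%%`, so as shown here `PLIST_SUB` would not substitute it and the chown on `var/audit/dist` would receive a literal `%%GROUPS` and most likely fail, leaving the directory with its creation-time ownership; it should read `@exec chown %%USERS%%:%%GROUPS%% var/audit/dist`. The two `mkdir -m` lines have no `-p` and no following `chmod`, so on a reinstall where the directory already exists mkdir fails and the mode is never re-asserted. The ` at ` prefix on these lines looks like list-archive mangling of `@` and is not part of this concern. The hunk starts at line 24 of pkg-plist, so earlier entries are not visible here.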