On 12/18/12 16:18, Robert Watson wrote:

Dear all:

Just an FYI that the new distributed audit daemon has been MFC'd to 9-STABLE.

Thanks.


As noted in UPDATING, you will need to run "mergemaster -p" before using installkernel or installworld targets in order to add the new "auditdistd" system user. This should be part of the regular update cycle anyway, but after the experience of adding auditdistd in 10-CURRENT, we've discovered that many people are skipping that step in the update cycle, so I figured it best to point out here.

(Technically, only installworld requires the user, but the user-check guards in the system Makefiles are enforced for both targets.)

Maybe /usr/src/UPDATING should be updated?
The end of /usr/src/UPDATING mentions mergemaster -p after the installation of the new kernel and rebooting to single user mode instead of before. This is on 9.1-RELEASE and also in CURRENT.

At least the entry in /usr/src/UPDATING on CURRENT for this change

20121201:
        With the addition of auditdistd(8), a new auditdistd user is now
        depended on during installworld. "mergemaster -p" can be used to add
        the user prior to installworld, as documented in the handbook.

should then also be "prior to installkernel" instead of "prior to installworld".



More details on the daemon below.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
From: Robert Watson <rwat...@freebsd.org>
To: curr...@freebsd.org
Cc: secur...@freebsd.org
Subject: Distributed audit daemon committed (was: svn commit: r243752 - in head:
     etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
    usr.sbin/auditdistd (fwd))


Dear all:

I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safekeeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc., in auditdistd. As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
From: Robert Watson <rwat...@freebsd.org>
To: src-committ...@freebsd.org, svn-src-...@freebsd.org,
    svn-src-h...@freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
    etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec  1 15:11:46 2012
New Revision: 243752
URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
  Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
  auditdistd (distributed audit daemon) to the build:

  - Manual cross references
  - Makefile for auditdistd
  - rc.d script, rc.conf entries
  - New group and user for auditdistd; associated aliases, etc.

  The audit trail distribution daemon provides reliable,
  cryptographically protected (and sandboxed) delivery of audit trails
  from live clients to audit server hosts in order to both allow
  centralised analysis, and improve resilience in the event of client
  compromises: clients are not permitted to change trail contents
  after submission.

  Submitted by:    pjd
  Sponsored by:    The FreeBSD Foundation (auditdistd)

Added:
  head/etc/rc.d/auditdistd   (contents, props changed)
  head/usr.sbin/auditdistd/
  head/usr.sbin/auditdistd/Makefile   (contents, props changed)
Modified:
  head/etc/defaults/rc.conf
  head/etc/ftpusers
  head/etc/mail/aliases
  head/etc/master.passwd
  head/etc/mtree/BSD.var.dist
  head/etc/rc.d/Makefile
  head/share/man/man4/audit.4
  head/usr.sbin/Makefile

Modified: head/etc/defaults/rc.conf
==============================================================================
--- head/etc/defaults/rc.conf    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/etc/defaults/rc.conf    Sat Dec  1 15:11:46 2012 (r243752)
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO"    # Run newa
 auditd_enable="NO"    # Run the audit daemon.
 auditd_program="/usr/sbin/auditd"    # Path to the audit daemon.
 auditd_flags=""        # Which options to pass to the audit daemon.
+auditdistd_enable="NO"    # Run the audit daemon.
+auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon.
+auditdistd_flags=""    # Which options to pass to the auditdistd daemon.
 cron_enable="YES"    # Run the periodic job daemon.
cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled).
 cron_dst="YES"        # Handle DST transitions intelligently (YES/NO)
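Review bot: the comment on the new auditdistd_enable line is copied from auditd_enable and still reads "# Run the audit daemon."; change it to "# Run the audit distribution daemon." so readers of rc.conf(5) can tell the two knobs apart, matching the wording already used on the auditdistd_program and auditdistd_flags lines.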

Modified: head/etc/ftpusers
==============================================================================
--- head/etc/ftpusers    Sat Dec  1 13:46:37 2012    (r243751)
+++ head/etc/ftpusers    Sat Dec  1 15:11:46 2012    (r243752)
@@ -19,6 +19,7 @@ _pflogd
 _dhcp
 uucp
 pop
+auditdistd
 www
 hast
 nobody

Modified: head/etc/mail/aliases
==============================================================================
--- head/etc/mail/aliases    Sat Dec  1 13:46:37 2012    (r243751)
+++ head/etc/mail/aliases    Sat Dec  1 15:11:46 2012    (r243752)
@@ -26,6 +26,7 @@ postmaster: root
 # General redirections for pseudo accounts
 _dhcp:    root
 _pflogd: root
+auditdistd:    root
 bin:    root
 bind:    root
 daemon:    root

Modified: head/etc/master.passwd
==============================================================================
--- head/etc/master.passwd    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/etc/master.passwd    Sat Dec  1 15:11:46 2012 (r243752)
@@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user
 _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
+auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
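Review bot: the new entry gives the account gid 77 and the log says "New group and user for auditdistd", but head/etc/group is not in the Modified list; confirm that gid 77 already exists as the audit group (the mtree hunk relies on gname=audit for /var/audit/dist) and either add the group change or reword the log entry. The /var/empty home and /usr/sbin/nologin shell are the right least-privilege choice for a daemon account.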

Modified: head/etc/mtree/BSD.var.dist
==============================================================================
--- head/etc/mtree/BSD.var.dist    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/etc/mtree/BSD.var.dist    Sat Dec  1 15:11:46 2012 (r243752)
@@ -19,6 +19,10 @@
 /set gname=audit
     audit
     ..
+        dist            uname=auditdistd gname=audit mode=0770
+        ..
+        remote          uname=auditdistd gname=wheel mode=0700
+        ..
 /set gname=wheel
     backups
     ..
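Review bot: `gname=audit` on the dist entry repeats the value already set by the preceding `/set gname=audit`; harmless, but either drop it or keep it deliberately for readability. The 0700 remote directory means only the auditdistd user (and root) can read trails received from clients, which is what the "clients are not permitted to change trail contents after submission" goal needs; since operators reviewing trails on the server will have to go through root or the daemon user, that is worth a sentence in auditdistd.8.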

Modified: head/etc/rc.d/Makefile
==============================================================================
--- head/etc/rc.d/Makefile    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/etc/rc.d/Makefile    Sat Dec  1 15:11:46 2012 (r243752)
@@ -19,6 +19,7 @@ FILES=    DAEMON \
     atm2 \
     atm3 \
     auditd \
+    auditdistd \
     bgfsck \
     bluetooth \
     bootparams \
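Review bot: the rc script is added to FILES unconditionally, while the usr.sbin/Makefile hunk only builds auditdistd when both MK_AUDIT and MK_OPENSSL are not "no"; on a WITHOUT_OPENSSL or WITHOUT_AUDIT build /etc/rc.d/auditdistd is installed without /usr/sbin/auditdistd. Harmless in practice because auditdistd_enable defaults to NO and rc.subr(8) refuses to start a command that is not executable, but consider guarding the entry with the same conditions.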

Added: head/etc/rc.d/auditdistd
==============================================================================
--- /dev/null    00:00:00 1970    (empty, because file is newly added)
+++ head/etc/rc.d/auditdistd    Sat Dec  1 15:11:46 2012 (r243752)
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: auditdistd
+# REQUIRE: auditd
+# BEFORE:  DAEMON
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="auditdistd"
+rcvar="${name}_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_files="/etc/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
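Review bot: extra_commands="reload" is declared without a reload_cmd, so the reload verb falls through to the rc.subr(8) default, which sends SIGHUP to the process recorded in $pidfile; that is only correct if auditdistd re-reads /etc/auditdistd.conf on SIGHUP, so either state that in auditdistd.8 or define reload_cmd explicitly. Also, "REQUIRE: auditd" orders the script after auditd but does not require auditd_enable; if the receiving (server) role can run without a local auditd, a comment saying so would prevent readers from assuming a hard dependency.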

Modified: head/share/man/man4/audit.4
==============================================================================
--- head/share/man/man4/audit.4    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/share/man/man4/audit.4    Sat Dec  1 15:11:46 2012 (r243752)
@@ -96,7 +96,8 @@ to track users and events in a fine-grai
 .Xr audit_warn 5 ,
 .Xr rc.conf 5 ,
 .Xr audit 8 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr auditdistd 8
 .Sh HISTORY
 The
 .Tn OpenBSM
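Review bot: only auditdistd 8 is added to SEE ALSO, but the new usr.sbin/auditdistd/Makefile also installs auditdistd.conf.5; add `.Xr auditdistd.conf 5` next to the existing `.Xr audit_warn 5` entry so the configuration file is reachable from audit(4) as well.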

Modified: head/usr.sbin/Makefile
==============================================================================
--- head/usr.sbin/Makefile    Sat Dec  1 13:46:37 2012 (r243751)
+++ head/usr.sbin/Makefile    Sat Dec  1 15:11:46 2012 (r243752)
@@ -110,6 +110,9 @@ SUBDIR+=    amd
 .if ${MK_AUDIT} != "no"
 SUBDIR+=    audit
 SUBDIR+=    auditd
+.if ${MK_OPENSSL} != "no"
+SUBDIR+=    auditdistd
+.endif
 SUBDIR+=    auditreduce
 SUBDIR+=    praudit
 .endif

Added: head/usr.sbin/auditdistd/Makefile
==============================================================================
--- /dev/null    00:00:00 1970    (empty, because file is newly added)
+++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 (r243752)
@@ -0,0 +1,32 @@
+#
+# $FreeBSD$
+#
+
+OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
+.PATH: ${OPENBSMDIR}/bin/auditdistd
+
+# Addition of auditdistd because otherwise generated parse.c can't find
+# auditdistd.h.  This seems like a makefile non-feature.
+CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
+
+NO_WFORMAT=
+
+PROG=    auditdistd
+SRCS=    auditdistd.c
+SRCS+=    parse.y pjdlog.c
+SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c proto_tls.c
+SRCS+=    receiver.c
+SRCS+=    sandbox.c sender.c subr.c
+SRCS+=    token.l trail.c
+MAN=    auditdistd.8 auditdistd.conf.5
+
+DPADD=    ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
+LDADD=    -ll -lpthread -lutil
+DPADD+=    ${LIBCRYPTO} ${LIBSSL}
+LDADD+=    -lcrypto -lssl
+
+YFLAGS+=-v
+
+CLEANFILES=parse.c parse.h parse.output
+
+.include <bsd.prog.mk>
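Review bot: `NO_WFORMAT=` disables format-string warnings for the whole program; for a network-facing daemon that is precisely the warning class worth keeping, so add a comment naming the contrib file that triggers it (the comment above CFLAGS already sets that pattern) or fix the warning in contrib/openbsm and drop the knob. Minor: `YFLAGS+=-v` writes parse.output on every build; it is covered by CLEANFILES, but it is a parser-debugging aid that could be left off by default.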


_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable