Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-19 Thread Robert N. M. Watson

On 18 Dec 2012, at 18:38, Bryan Drewery wrote:

 Just an FYI that the new distributed audit daemon has been MFC'd to
 9-STABLE.
 
 As noted in UPDATING, you will need to run mergemaster -p before using
 installkernel or installworld targets in order to add the new
 auditdistd system user.  This should be part of the regular update
 cycle anyway, but after the experience of adding auditdistd in
 10-CURRENT, we've discovered that many people are skipping that step in
 the update cycle, so I figured it best to point out here.
 
 (Technically, only installworld requires the user, but the user-check
 guards in the system Makefiles are enforced for both targets.)
 
 Have you seen misc/174405? Apparently installkernel is requiring the
 user as well. The documented process in UPDATING does not mention
 running mergemaster -p before [install]kernel.

Hi Bryan:

I was not aware of the PR. However, yes, that was the point I was making in my 
e-mail -- that the Makefile seems to put the user check on installkernel and 
not just installworld. While I did MFC the change to add the 'auditdistd' user 
to the requirements list, I didn't originate that change, and agree that it's a 
false positive. I hadn't originally planned to add an UPDATING entry, or 
Makefile dependency, as mergemaster -p is part of our standard upgrade 
procedure before installworld; however, I got a lot of complaints :-). I did 
also add an explicit URL pointing at the upgrade procedure in the handbook as 
part of UPDATING as a result. It would be useful if someone would make the 
necessary changes to the Makefile infrastructure to allow kernel vs. userspace 
install-time dependencies on users (and groups) separate.

Robert
___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to freebsd-stable-unsubscr...@freebsd.org
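A pre-flight version of the account guard this thread is about, added here as an example and not code from the FreeBSD Makefiles: given an install target and passwd/group files, it reports which required users and groups are missing before the target runs, and treats installkernel as having no account dependency, which is the kernel/userland separation Robert asks for. The dependency lists, the sample master.passwd/group data and the file arguments are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the user/group guard discussed in the thread: confirm
# the accounts an install target depends on exist before running it, so the
# build does not stop half-way and you know whether 'mergemaster -p' is due.
# Assumption: these lists are illustrative; the real ones live in the source
# tree's Makefile.inc1. installkernel deliberately gets an empty list.
WORLD_UIDS="auditdistd"
WORLD_GIDS="audit auditdistd"
KERNEL_UIDS=""
KERNEL_GIDS=""

# missing_entries NAMES DBFILE: print, space-separated, each name in NAMES that
# is not the first field of any line in DBFILE (passwd(5)/group(5) layout).
# Returns 1 if any name was missing, 0 otherwise.
missing_entries() {
    _names=$1; _db=$2; _rc=0
    for _n in $_names; do
        if ! awk -F: -v want="$_n" '$1 == want { found = 1 } END { exit !found }' "$_db" 2>/dev/null; then
            printf '%s ' "$_n"; _rc=1
        fi
    done
    return $_rc
}

# check_target TARGET PASSWD_FILE GROUP_FILE: 0 if TARGET may proceed, 1 if
# accounts are missing (with a hint to run 'mergemaster -p'), 2 on a bad target.
check_target() {
    _target=$1; _pw=$2; _gr=$3; _bad=0
    case $_target in
        installkernel) _uids=$KERNEL_UIDS; _gids=$KERNEL_GIDS ;;
        installworld)  _uids=$WORLD_UIDS;  _gids=$WORLD_GIDS ;;
        *) echo "check_target: unknown target '$_target'" >&2; return 2 ;;
    esac
    _mu=$(missing_entries "$_uids" "$_pw") || _bad=1
    _mg=$(missing_entries "$_gids" "$_gr") || _bad=1
    if [ "$_bad" -ne 0 ]; then
        echo "ERROR: $_target needs users [$_mu] groups [$_gr: $_mg] that do not exist;" \
             "run 'mergemaster -p' first (see /usr/src/UPDATING)." >&2
    fi
    return "$_bad"
}

# demo: constructed master.passwd/group files (not real system data) for a
# host that predates the auditdistd account, then the same files after the
# account has been added the way 'mergemaster -p' would.
demo() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:0::0:0:Charlie &:/root:/bin/sh' \
        'audit:*:77:77::0:0:Audit Submit User:/var/empty:/usr/sbin/nologin' > "$_d/master.passwd"
    printf '%s\n' 'wheel:*:0:root' 'audit:*:77:' > "$_d/group"
    for _t in installkernel installworld; do
        check_target "$_t" "$_d/master.passwd" "$_d/group" && echo "$_t: ok"
    done
    echo 'auditdistd:*:78:78::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin' >> "$_d/master.passwd"
    echo 'auditdistd:*:78:' >> "$_d/group"
    check_target installworld "$_d/master.passwd" "$_d/group" && echo "installworld after adding the account: ok"
    rm -rf "$_d"
}

# No arguments: run the constructed demo. With arguments: check a real target,
# e.g.  sh preflight.sh installworld /etc/master.passwd /etc/group
if [ $# -eq 0 ]; then demo; else check_target "$1" "${2:-/etc/master.passwd}" "${3:-/etc/group}"; fi
```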


Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-19 Thread Jakub Lach
I'm guilty of skipping reboots and just running one mergemaster on
the end of update... But I update _very_ often.

However, I was lucky, because while I was prepared that my usual 
script will fail (I read UPDATING after all), that was not the case, 
as luckily I've already had said audit user from earlier update :)

So well... If you are skipping steps at least update very frequently
to know why it could fail, maybe it will not... 

But by all means stick to canonical way if updating is something 
done once for a while, or you are not tracking commits. Else you
could not even know what hit you ;)

As always, thanks for original work & MFC.





Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-18 Thread Bas Smeelen

On 12/18/12 16:18, Robert Watson wrote:


Dear all:

Just an FYI that the new distributed audit daemon has been MFC'd to 
9-STABLE.


Thanks.



As noted in UPDATING, you will need to run mergemaster -p before 
using installkernel or installworld targets in order to add the new 
auditdistd system user.  This should be part of the regular update 
cycle anyway, but after the experience of adding auditdistd in 
10-CURRENT, we've discovered that many people are skipping that step 
in the update cycle, so I figured it best to point out here.


(Technically, only installworld requires the user, but the user-check 
guards in the system Makefiles are enforced for both targets.)


Maybe /usr/src/UPDATING should be updated?
The end of /usr/src/UPDATING mentions mergemaster -p after the 
installation of the new kernel and rebooting to single user mode instead 
of before. This is on 9.1-RELEASE and also in CURRENT.


At least the entry in /usr/src/UPDATING on CURRENT for this change

20121201:
        With the addition of auditdistd(8), a new auditdistd user is now
        depended on during installworld.  mergemaster -p can be used to add
        the user prior to installworld, as documented in the handbook.

should be prior to installkernel then also instead of prior to 
installworld





More details on the daemon below.

Robert N M Watson
Computer Laboratory
University of Cambridge

-- Forwarded message --
Date: Sat, 1 Dec 2012 15:15:11 + (GMT)
From: Robert Watson rwat...@freebsd.org
To: curr...@freebsd.org
Cc: secur...@freebsd.org
Subject: Distributed audit daemon committed (was: svn commit: r243752 
- in head:

 etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
usr.sbin/auditdistd (fwd))


Dear all:

I've now committed the build glue required to install the recently 
merged Audit Distribution Daemon (auditdistd) contributed by Pawel 
Dawidek, and sponsored by the FreeBSD Foundation.  This allows 
individual hosts generating audit trails to submit trails to a central 
audit server for review and safe keeping.  Part of the goal is to 
ensure that a host submitting trail data can't later modify the 
trails.  Pawel uses a variety of useful security- and 
resilience-related features such as TLS, Capsicum, etc, in 
auditdistd.  As the recent security incident in the FreeBSD.org 
cluster illustrated, having reliable and detailed audit trails makes a 
big difference in forensic work, and hopefully this will allow the 
FreeBSD Project (and our users) to do that better in the future.


Robert N M Watson
Computer Laboratory
University of Cambridge

-- Forwarded message --
Date: Sat, 1 Dec 2012 15:11:46 + (UTC)
From: Robert Watson rwat...@freebsd.org
To: src-committ...@freebsd.org, svn-src-...@freebsd.org,
svn-src-h...@freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail 
etc/mtree

etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec  1 15:11:46 2012
New Revision: 243752
URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
  Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
  auditdistd (distributed audit daemon) to the build:

  - Manual cross references
  - Makefile for auditdistd
  - rc.d script, rc.conf entries
  - New group and user for auditdistd; associated aliases, etc.

  The audit trail distribution daemon provides reliable,
  cryptographically protected (and sandboxed) delivery of audit trails
  from live clients to audit server hosts in order to both allow
  centralised analysis, and improve resilience in the event of client
  compromises: clients are not permitted to change trail contents
  after submission.

  Submitted by:pjd
  Sponsored by:The FreeBSD Foundation (auditdistd)

Added:
  head/etc/rc.d/auditdistd   (contents, props changed)
  head/usr.sbin/auditdistd/
  head/usr.sbin/auditdistd/Makefile   (contents, props changed)
Modified:
  head/etc/defaults/rc.conf
  head/etc/ftpusers
  head/etc/mail/aliases
  head/etc/master.passwd
  head/etc/mtree/BSD.var.dist
  head/etc/rc.d/Makefile
  head/share/man/man4/audit.4
  head/usr.sbin/Makefile

Modified: head/etc/defaults/rc.conf
== 


--- head/etc/defaults/rc.confSat Dec  1 13:46:37 2012 (r243751)
+++ head/etc/defaults/rc.confSat Dec  1 15:11:46 2012 (r243752)
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases=NO# Run newa
 auditd_enable=NO# Run the audit daemon.
 auditd_program=/usr/sbin/auditd# Path to the audit daemon.
 auditd_flags=# Which options to pass to the audit daemon.
+auditdistd_enable=NO# Run the audit daemon.
+auditdistd_program=/usr/sbin/auditdistd# Path to the auditdistd 
daemon.

+auditdistd_flags=# Which options to pass to the auditdistd daemon.
 cron_enable=YES# Run the periodic job daemon.
 cron_program=/usr/sbin/cron# Which cron executable to run (if 

Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-18 Thread Chris H
 On 12/18/12 16:18, Robert Watson wrote:

 Dear all:

 Just an FYI that the new distributed audit daemon has been MFC'd to
 9-STABLE.

 Thanks.


 As noted in UPDATING, you will need to run mergemaster -p before
 using installkernel or installworld targets in order to add the new
 auditdistd system user.  This should be part of the regular update
 cycle anyway, but after the experience of adding auditdistd in
 10-CURRENT, we've discovered that many people are skipping that step
 in the update cycle, so I figured it best to point out here.

 (Technically, only installworld requires the user, but the user-check
 guards in the system Makefiles are enforced for both targets.)

 Maybe /usr/src/UPDATING should be updated?
 The end of /usr/src/UPDATING mentions mergemaster -p after the
 installation of the new kernel and rebooting to single user mode instead
 of before. This is on 9.1-RELEASE and also in CURRENT.

 At least the entry in /usr/src/UPDATING on CURRENT for this change

 20121201:
  With the addition of auditdistd(8), a new auditdistd user is now
  depended on during installworld.  mergemaster -p can be used
 to add
  the user prior to installworld, as documented in the handbook.

 should be prior to installkernel then also instead of prior to
 installworld

Greetings,
 FWIW, I just performed a build(world||kernel) && install(world||kernel) 
yesterday.
I used the following:

cd /usr/src

make buildworld
make buildkernel KERNCONF=mykern_name_here
make install KERNCONF=mykern_name_here

reboot to single user...

mount -u /
mount -a

cd /usr/src
mergemaster -p
blah,blah,blah...
make installworld
mergemaster
reboot

All of the auditdistd bits were merged into my system, and all is well.
Isn't that the way Updating lists the correct order?
Anyway, that's how I understood it, and just wanted to report that it
all worked as expected/anticipated.

HTH, and best wishes.

--Chris






Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-18 Thread Bryan Drewery
On 12/18/2012 9:18 AM, Robert Watson wrote:
 
 Dear all:
 
 Just an FYI that the new distributed audit daemon has been MFC'd to
 9-STABLE.
 
 As noted in UPDATING, you will need to run mergemaster -p before using
 installkernel or installworld targets in order to add the new
 auditdistd system user.  This should be part of the regular update
 cycle anyway, but after the experience of adding auditdistd in
 10-CURRENT, we've discovered that many people are skipping that step in
 the update cycle, so I figured it best to point out here.
 
 (Technically, only installworld requires the user, but the user-check
 guards in the system Makefiles are enforced for both targets.)

Have you seen misc/174405? Apparently installkernel is requiring the
user as well. The documented process in UPDATING does not mention
running mergemaster -p before [install]kernel.


 
 More details on the daemon below.
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge
 
 -- Forwarded message --
 Date: Sat, 1 Dec 2012 15:15:11 + (GMT)
 From: Robert Watson rwat...@freebsd.org
 To: curr...@freebsd.org
 Cc: secur...@freebsd.org
 Subject: Distributed audit daemon committed (was: svn commit: r243752 -
 in head:
  etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin
 usr.sbin/auditdistd (fwd))
 
 
 Dear all:
 
 I've now committed the build glue required to install the recently
 merged Audit Distribution Daemon (auditdistd) contributed by Pawel
 Dawidek, and sponsored by the FreeBSD Foundation.  This allows
 individual hosts generating audit trails to submit trails to a central
 audit server for review and safe keeping.  Part of the goal is to ensure
 that a host submitting trail data can't later modify the trails.  Pawel
 uses a variety of useful security- and resilience-related features such
 as TLS, Capsicum, etc, in auditdistd.  As the recent security incident
 in the FreeBSD.org cluster illustrated, having reliable and detailed
 audit trails makes a big difference in forensic work, and hopefully this
 will allow the FreeBSD Project (and our users) to do that better in the
 future.
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge
 
 -- Forwarded message --
 Date: Sat, 1 Dec 2012 15:11:46 + (UTC)
 From: Robert Watson rwat...@freebsd.org
 To: src-committ...@freebsd.org, svn-src-...@freebsd.org,
 svn-src-h...@freebsd.org
 Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree
 etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd
 
 Author: rwatson
 Date: Sat Dec  1 15:11:46 2012
 New Revision: 243752
 URL: http://svnweb.freebsd.org/changeset/base/243752
 
 Log:
   Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
   auditdistd (distributed audit daemon) to the build:
 
   - Manual cross references
   - Makefile for auditdistd
   - rc.d script, rc.conf entries
   - New group and user for auditdistd; associated aliases, etc.
 
   The audit trail distribution daemon provides reliable,
   cryptographically protected (and sandboxed) delivery of audit trails
   from live clients to audit server hosts in order to both allow
   centralised analysis, and improve resilience in the event of client
   compromises: clients are not permitted to change trail contents
   after submission.
 
   Submitted by:pjd
   Sponsored by:The FreeBSD Foundation (auditdistd)
 
 Added:
   head/etc/rc.d/auditdistd   (contents, props changed)
   head/usr.sbin/auditdistd/
   head/usr.sbin/auditdistd/Makefile   (contents, props changed)
 Modified:
   head/etc/defaults/rc.conf
   head/etc/ftpusers
   head/etc/mail/aliases
   head/etc/master.passwd
   head/etc/mtree/BSD.var.dist
   head/etc/rc.d/Makefile
   head/share/man/man4/audit.4
   head/usr.sbin/Makefile
 
 Modified: head/etc/defaults/rc.conf
 ==
 
 --- head/etc/defaults/rc.confSat Dec  1 13:46:37 2012(r243751)
 +++ head/etc/defaults/rc.confSat Dec  1 15:11:46 2012(r243752)
 @@ -590,6 +590,9 @@ sendmail_rebuild_aliases=NO# Run newa
  auditd_enable=NO# Run the audit daemon.
  auditd_program=/usr/sbin/auditd# Path to the audit daemon.
  auditd_flags=# Which options to pass to the audit daemon.
 +auditdistd_enable=NO# Run the audit daemon.
 +auditdistd_program=/usr/sbin/auditdistd# Path to the auditdistd
 daemon.
 +auditdistd_flags=# Which options to pass to the auditdistd daemon.
  cron_enable=YES# Run the periodic job daemon.
  cron_program=/usr/sbin/cron# Which cron executable to run (if
 enabled).
  cron_dst=YES# Handle DST transitions intelligently (YES/NO)
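Review bot: the comment on `+auditdistd_enable=NO# Run the audit daemon.` is copied verbatim from the `auditd_enable` line above it and describes the wrong daemon; the two new lines that follow it already say "auditdistd daemon", so this one should read `# Run the audit distribution daemon.` (or `# Run the auditdistd daemon.`) so that readers of rc.conf(5) can tell the two knobs apart.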
 
 Modified: head/etc/ftpusers
 ==
 
 --- head/etc/ftpusersSat Dec  1 13:46:37 2012(r243751)
 +++ head/etc/ftpusersSat Dec  1 15:11:46 2012(r243752)
 @@ -19,6 +19,7 @@ _pflogd
  _dhcp
  uucp

Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-18 Thread Bas Smeelen

On 12/18/12 18:44, Chris H wrote:

On 12/18/12 16:18, Robert Watson wrote:

Dear all:

Just an FYI that the new distributed audit daemon has been MFC'd to
9
20121201:
  With the addition of auditdistd(8), a new auditdistd user is now
  depended on during installworld.  mergemaster -p can be used
to add
  the user prior to installworld, as documented in the handbook.

should be prior to installkernel then also instead of prior to
installworld

Greetings,
  FWIW, I just performed a build(world||kernel) && install(world||kernel) 
yesterday.
I used the following:

cd /usr/src

make buildworld
make buildkernel KERNCONF=mykern_name_here
make install KERNCONF=mykern_name_here


Hi
I guess you did make installkernel instead of just make install 
KERNCONF=mykern_name_here ?


I did a day ago on a 9.1-RC3:

freebsd-update
make buildkernel
make installkernel

Then got prompted that the auditdistd user did not exist so I had to add 
it prior to installing the kernel.

But this was when going from 9.1-RC3 to 9.1-RELEASE
So I copied the bits from a CURRENT machine where everything went fine 
using the standard buildworld, buildkernel, installkernel, mergemaster 
-p, installworld, mergemaster procedure


So that was not the usual way, but just using freebsd-update and 
installing a custom kernel.


On CURRENT it went all well.

Never mind and thanks.



reboot to single user...

mount -u /
mount -a

cd /usr/src
mergemaster -p
blah,blah,blah...
make installworld
mergemaster
reboot

All of the auditdistd bits were merged into my system, and all is well.
Isn't that the way Updating lists the correct order?


Yes it is. I did an unusual combination of binary update and then 
building and installing a custom kernel.



Anyway, that's how I understood it, and just wanted to report that it
all worked as expected/anticipated.

HTH, and best wishes.

--Chris






Re: MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)

2012-12-18 Thread Chris H
 On 12/18/12 18:44, Chris H wrote:
 On 12/18/12 16:18, Robert Watson wrote:
 Dear all:

 Just an FYI that the new distributed audit daemon has been MFC'd to
 9
 20121201:
   With the addition of auditdistd(8), a new auditdistd user is now
   depended on during installworld.  mergemaster -p can be used
 to add
   the user prior to installworld, as documented in the handbook.

 should be prior to installkernel then also instead of prior to
 installworld
 Greetings,
   FWIW, I just performed a build(world||kernel) && install(world||kernel) 
 yesterday.
 I used the following:

 cd /usr/src

 make buildworld
 make buildkernel KERNCONF=mykern_name_here
 make install KERNCONF=mykern_name_here

 Hi
 I guess you did make installkernel instead of just make install
 KERNCONF=mykern_name_here ?

D'OH! :P

Sorry. That _should_ have read:

make installkernel KERNCONF=mykern_name_here
^^

Good catch! I can assure you, I _did_ do it correctly, when
actually performing the install. :)

FWIW Mine was a fresh install from the 9.0 CD1,
then a sync src, ports && make build(world||kernel); install(kernel||world).

Best wishes.

--Chris



