Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 12/01/12 15:15, Robert Watson wrote:
> Dear all:
>
> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>
> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

Wonderful! Personally I think this is a very worthy addition to the project and I would like to congratulate and thank everyone involved in this work.

___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On Sun, Dec 02, 2012 at 03:43:22PM +, Robert N. M. Watson wrote:
> On 2 Dec 2012, at 15:34, Ryan Stone wrote:
>> On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
>>> Just to follow up on this thread, since the question has come up a number of times. mergemaster -p should be run prior to installworld always, but most of the time will do very little. One of its responsibilities is to add any necessary accounts and groups depended on by base system components -- e.g., that will be referenced during installworld as part of setting file ownership and groups.
>>
>> I often use make installworld installkernel distribution DESTDIR=... to create bootable images (e.g. for a USB stick). What's the recommendation for that case? Manually create the auditdistd user on the build host?
>
> Yes, that's probably the best short-term bet. In the longer term, it would be nice if installworld could not only generate an mtree on the side rather than directly chmod/chowning the files (Brooks Davis has patches for this), but also use UIDs/GIDs from a user database directly rather than assuming that the host where you are constructing the image has the same notion of users and groups. This is especially important if we want to support cross-building embedded images from Linux, Mac OS X, etc, in the future.

One useful feature of NetBSD's install is that we can use passwd and group databases other than the one in /. You would obviously use this when doing an unprivileged install, but you might also want to do it for a privileged install as well which would fix this bootstrapping problem.

-- Brooks
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 12/01/12 22:53, Chris Rees wrote:
> On 1 Dec 2012 21:51, Andreas Tobler andreast-l...@fgznet.ch wrote:
>> On 01.12.12 16:15, Robert Watson wrote:
>>> Dear all:
>>>
>>> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>>>
>>> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>>
>> Aehm, hope it is ok to 'complain' here. Happens when installing world.
>>
>> cd /export/devel/fbsd/head/src; /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1 LOCAL_MTREE= hierarchy
>> cd /export/devel/fbsd/head/src/etc; /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
>> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
>> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
>> mtree: line 22: unknown user auditdistd
>> *** [distrib-dirs] Error code 1
>
> Does mergemaster -p help?
>
> Chris

I had the very same problem and complained about it on current@. mergemaster -p definitely helped for me and I was given the advice to use mergemaster -p prior to every make installworld.

Oliver
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On Sun, 2 Dec 2012, O. Hartmann wrote:
>> Does mergemaster -p help?
>
> I had the very same problem and complained about it on current@. mergemaster -p definitely helped for me and I was given the advice to use mergemaster -p prior to every make installworld.

Just to follow up on this thread, since the question has come up a number of times. mergemaster -p should be run prior to installworld always, but most of the time will do very little. One of its responsibilities is to add any necessary accounts and groups depended on by base system components -- e.g., that will be referenced during installworld as part of setting file ownership and groups.

One of the primary sources of new users and groups has been chroot/etc sandboxes -- independent from the role of a daemon as a file owner. My hope is that this will reduce over time with increasing use of Capsicum sandboxes, which don't require custom UIDs/GIDs. However, there are still cases where you want a daemon, for reasons of file and group ownership, to run as a specific user, as is the case with auditdistd, which does support Capsicum (where enabled).

Robert
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
Robert Watson wrote:
> Dear all:
>
> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>
> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge

Is auditdistd going to be included in the base system as of 10.0-RELEASE or be a port that runs on 10.0-RELEASE and newer?
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 2 Dec 2012, at 14:21, Fbsd8 wrote:
>> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>>
>> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>
> Is auditdistd going to be included in the base system as of 10.0-RELEASE or be a port that runs on 10.0-RELEASE and newer?

The plan is that auditdistd will be included in the base operating system for FreeBSD 10.0, and it is now integrated into the development branch that will naturally lead to that outcome; I would like to get it merged to stable/9 for inclusion in a future 9.2 release as well, but that will require a bit more work. I'll plan to let it shake out in 10-CURRENT for at least a few weeks, and let more users report on their experiences, before looking at a merge to 9.x.

Robert
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
> Just to follow up on this thread, since the question has come up a number of times. mergemaster -p should be run prior to installworld always, but most of the time will do very little. One of its responsibilities is to add any necessary accounts and groups depended on by base system components -- e.g., that will be referenced during installworld as part of setting file ownership and groups.

I often use make installworld installkernel distribution DESTDIR=... to create bootable images (e.g. for a USB stick). What's the recommendation for that case? Manually create the auditdistd user on the build host?
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 2 Dec 2012, at 15:34, Ryan Stone wrote:
> On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
>> Just to follow up on this thread, since the question has come up a number of times. mergemaster -p should be run prior to installworld always, but most of the time will do very little. One of its responsibilities is to add any necessary accounts and groups depended on by base system components -- e.g., that will be referenced during installworld as part of setting file ownership and groups.
>
> I often use make installworld installkernel distribution DESTDIR=... to create bootable images (e.g. for a USB stick). What's the recommendation for that case? Manually create the auditdistd user on the build host?

Yes, that's probably the best short-term bet. In the longer term, it would be nice if installworld could not only generate an mtree on the side rather than directly chmod/chowning the files (Brooks Davis has patches for this), but also use UIDs/GIDs from a user database directly rather than assuming that the host where you are constructing the image has the same notion of users and groups. This is especially important if we want to support cross-building embedded images from Linux, Mac OS X, etc, in the future.

Robert
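The build-host bootstrapping problem Ryan and Robert discuss above (an mtree spec in the new tree names a user the host's password database does not have yet, so distrib-dirs dies with "unknown user auditdistd") can be checked for before installworld. The script below is an added example, not code from the thread, from mergemaster, or from the FreeBSD build: it scans an mtree(8) spec for uname=/gname= references, looks each one up in the host's password and group databases, and for any user that exists in the new tree's master.passwd but not on the host prints the pw(8) commands that would create it. The mtree fragment and the passwd/group contents are constructed samples in the style of the real files (the auditdistd line is the one added by r243752); the group is assumed to carry the same name as the user.

```sh
#!/bin/sh
# Added example: pre-installworld check for mtree uname=/gname= references that the
# running host cannot resolve. Inputs are constructed samples, not the real files.

# Constructed mtree fragment (assumption: the real BSD.var.dist layout differs).
SAMPLE_MTREE='/set type=dir uname=root gname=wheel mode=0755
.
    audit           mode=0750
        dist        uname=auditdistd gname=auditdistd mode=0700
        ..
        remote      uname=auditdistd gname=wheel mode=0700
        ..
    ..
    empty           mode=0555 flags=schg
    ..'

# Constructed host databases: a host that has not run mergemaster -p yet.
HOST_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin'
HOST_GROUP='wheel:*:0:root
hast:*:845:
nobody:*:65534:'

# Constructed new-tree databases, including the entry r243752 adds to master.passwd
# (assumption: the group is named after the user and has gid 77).
SRC_PASSWD="$HOST_PASSWD
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin"
SRC_GROUP="$HOST_GROUP
auditdistd:*:77:"

# mtree_names KEY MTREE: every distinct KEY= value (uname or gname) in MTREE,
# including the ones set by /set lines.
mtree_names() {
    printf '%s\n' "$2" | awk -v key="$1" '
        BEGIN { pat = key "=" }
        { for (i = 1; i <= NF; i++)
              if (index($i, pat) == 1) print substr($i, length(pat) + 1) }' | sort -u
}

# db_has DB NAME: succeed if NAME is the first colon-separated field of a line of DB.
db_has() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { f = 1 } END { exit f ? 0 : 1 }'
}

# missing_names KEY MTREE DB: the KEY= values in MTREE that DB cannot resolve.
missing_names() {
    mtree_names "$1" "$2" | while IFS= read -r name; do
        db_has "$3" "$name" || printf '%s\n' "$name"
    done
}

# pw_commands_for NAME SRC_PASSWD: pw(8) invocations that recreate NAME on the host
# from the new tree's master.passwd entry, group first so the uid:gid pair matches.
# Fails if NAME has no entry in SRC_PASSWD.
pw_commands_for() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '
        $1 == n {
            printf "pw groupadd %s -g %s\n", $1, $4
            printf "pw useradd %s -u %s -g %s -c \"%s\" -d %s -s %s\n", $1, $3, $4, $8, $9, $10
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# preinstall_check MTREE HOST_PASSWD HOST_GROUP SRC_PASSWD: report every unresolved
# reference with a suggested fix; returns 1 if installworld would fail, 0 otherwise.
preinstall_check() {
    status=0
    for u in $(missing_names uname "$1" "$2"); do
        echo "user '$u' is named in the mtree spec but unknown to this host"
        pw_commands_for "$u" "$4" || echo "# no entry for $u in the new master.passwd"
        status=1
    done
    for g in $(missing_names gname "$1" "$3"); do
        echo "group '$g' is named in the mtree spec but unknown to this host"
        status=1
    done
    return $status
}

# Stand-alone demonstration against the constructed host: reports auditdistd as
# missing and prints the two pw commands that would fix it.
preinstall_check "$SAMPLE_MTREE" "$HOST_PASSWD" "$HOST_GROUP" "$SRC_PASSWD" ||
    echo "-> run the commands above (or mergemaster -p) before make installworld"
```

On a real build host the three sample variables would be replaced by the contents of the new tree's etc/mtree/BSD.var.dist and etc/master.passwd and the host's /etc/master.passwd and /etc/group; the check runs read-only and only prints the pw commands, which is deliberate, since creating system accounts on a host is exactly the step the thread says should be done consciously (via mergemaster -p or by hand for a DESTDIR image).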
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 2 Dec 2012 15:34, Ryan Stone ryst...@gmail.com wrote:
> On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
>> Just to follow up on this thread, since the question has come up a number of times. mergemaster -p should be run prior to installworld always, but most of the time will do very little. One of its responsibilities is to add any necessary accounts and groups depended on by base system components -- e.g., that will be referenced during installworld as part of setting file ownership and groups.
>
> I often use make installworld installkernel distribution DESTDIR=... to create bootable images (e.g. for a USB stick). What's the recommendation for that case? Manually create the auditdistd user on the build host?

You could run mergemaster -p; it doesn't do anything that would hurt your running system; just adds important users etc.

Chris
Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
Dear all:

I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.

As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.

Robert N M Watson
Computer Laboratory
University of Cambridge

-- Forwarded message --
Date: Sat, 1 Dec 2012 15:11:46 + (UTC)
From: Robert Watson rwat...@freebsd.org
To: src-committ...@freebsd.org, svn-src-...@freebsd.org, svn-src-h...@freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec 1 15:11:46 2012
New Revision: 243752

URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
Merge a number of changes required to hook up OpenBSM 1.2-alpha2's auditdistd (distributed audit daemon) to the build:
- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entries
- New group and user for auditdistd; associated aliases, etc.

The audit trail distribution daemon provides reliable, cryptographically protected (and sandboxed) delivery of audit trails from live clients to audit server hosts in order to both allow centralised analysis, and improve resilience in the event of client compromises: clients are not permitted to change trail contents after submission.

Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)

Added:
head/etc/rc.d/auditdistd (contents, props changed)
head/usr.sbin/auditdistd/
head/usr.sbin/auditdistd/Makefile (contents, props changed)
Modified:
head/etc/defaults/rc.conf
head/etc/ftpusers
head/etc/mail/aliases
head/etc/master.passwd
head/etc/mtree/BSD.var.dist
head/etc/rc.d/Makefile
head/share/man/man4/audit.4
head/usr.sbin/Makefile

Modified: head/etc/defaults/rc.conf == --- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012(r243751) +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012(r243752)
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases=NO # Run newa auditd_enable=NO # Run the audit daemon. auditd_program=/usr/sbin/auditd# Path to the audit daemon. auditd_flags= # Which options to pass to the audit daemon. +auditdistd_enable=NO # Run the audit daemon. +auditdistd_program=/usr/sbin/auditdistd# Path to the auditdistd daemon. +auditdistd_flags= # Which options to pass to the auditdistd daemon. cron_enable=YES# Run the periodic job daemon. cron_program=/usr/sbin/cron# Which cron executable to run (if enabled). cron_dst=YES # Handle DST transitions intelligently (YES/NO) Modified: head/etc/ftpusers == --- head/etc/ftpusers Sat Dec 1 13:46:37 2012(r243751) +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012(r243752) @@ -19,6 +19,7 @@ _pflogd _dhcp uucp pop +auditdistd www hast nobody Modified: head/etc/mail/aliases == --- head/etc/mail/aliases Sat Dec 1 13:46:37 2012(r243751) +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012(r243752) @@ -26,6 +26,7 @@ postmaster: root # General redirections for pseudo accounts _dhcp: root _pflogd: root +auditdistd:root bin: root bind: root daemon:root Modified: head/etc/master.passwd == --- head/etc/master.passwd Sat Dec 1 13:46:37 2012(r243751) +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012(r243752) @@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin Modified: head/etc/mtree/BSD.var.dist
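Review bot: the comment on the new `auditdistd_enable=NO` line in the rc.conf hunk reads `# Run the audit daemon.`, copied verbatim from the `auditd_enable` line directly above it, so the two knobs are now described identically. Change it to `# Run the auditdistd daemon.` so it matches the `auditdistd_program` and `auditdistd_flags` comments in the same hunk, which already name the right daemon.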
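Review bot: the master.passwd hunk assigns auditdistd uid 78 but gid 77, while the neighbouring system accounts in the same hunk pair matching numbers (_pflogd 64/64, _dhcp 65/65, uucp 66/66, www 80/80, hast 845/845; only pop is the odd one out), and etc/group does not appear in the Modified list even though the log entry says "New group and user for auditdistd". Confirm that a group with gid 77 is present in etc/group in this or an earlier revision and that it is the auditdistd group; if it is not, this entry points at a gid the databases cannot name, and any gname=auditdistd reference in the mtree spec will fail the same way the uname one does. The rest of the entry (home /var/empty, shell /usr/sbin/nologin, no password) is the right shape for an unprivileged daemon account.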
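Review bot: the etc/mtree/BSD.var.dist change listed under Modified makes the distrib-dirs step of installworld depend on the auditdistd user already existing in the running host's password database, and the only thing in this commit that puts it there is the master.passwd hunk, which reaches /etc only when mergemaster -p is run first. A host that goes straight to installworld therefore fails with "mtree: line 22: unknown user auditdistd" (as reported later in this thread). The log entry should say that mergemaster -p must precede installworld for this revision, an UPDATING note should say the same, and the DESTDIR image-building case, where the user has to be created on the build host by hand, deserves a sentence as well.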
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 01.12.12 16:15, Robert Watson wrote:
> Dear all:
>
> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>
> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.

Aehm, hope it is ok to 'complain' here. Happens when installing world.

cd /export/devel/fbsd/head/src; /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1 LOCAL_MTREE= hierarchy
cd /export/devel/fbsd/head/src/etc; /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
mtree: line 22: unknown user auditdistd
*** [distrib-dirs] Error code 1

Andreas
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 1 Dec 2012 21:51, Andreas Tobler andreast-l...@fgznet.ch wrote:
> On 01.12.12 16:15, Robert Watson wrote:
>> Dear all:
>>
>> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>>
>> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>
> Aehm, hope it is ok to 'complain' here. Happens when installing world.
>
> cd /export/devel/fbsd/head/src; /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1 LOCAL_MTREE= hierarchy
> cd /export/devel/fbsd/head/src/etc; /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
> mtree: line 22: unknown user auditdistd
> *** [distrib-dirs] Error code 1

Does mergemaster -p help?

Chris
Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))
On 1 December 2012 21:06, Andreas Tobler andreast-l...@fgznet.ch wrote:
> On 01.12.12 16:15, Robert Watson wrote:
>> Dear all:
>>
>> I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd.
>>
>> As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.
>
> Aehm, hope it is ok to 'complain' here. Happens when installing world.
>
> cd /export/devel/fbsd/head/src; /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1 LOCAL_MTREE= hierarchy
> cd /export/devel/fbsd/head/src/etc; /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
> mtree -eU -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
> mtree: line 22: unknown user auditdistd
> *** [distrib-dirs] Error code 1

Did you remember mergemaster -p before installworld?

-- Simon L. B. Nielsen