Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-17 Thread Hugo Silva
On 12/01/12 15:15, Robert Watson wrote:
 
 Dear all:
 
 I've now committed the build glue required to install the recently
 merged Audit Distribution Daemon (auditdistd) contributed by the Pawel
 Dawidek, and sponsored by the FreeBSD Foundation.  This allows
 individual hosts generating audit trails to submit trails to a central
 audit server for review and safe keeping.  Part of the goal is to ensure
 that a host submitting trail data can't later modify the trails.  Pawel
 uses a variety of useful security- and resilience-related features such
 as TLS, Capsicum, etc, in auditdistd.  As the recent security incident
 in the FreeBSD.org cluster illustrated, having reliable and detailed
 audit trails makes a big difference in forensic work, and hopefully this
 will allow the FreeBSD Project (and our users) to do that better in the
 future.
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge


Wonderful! Personally I think this is a very worthy addition to the
project and I would like to congratulate and thank everyone involved in
this work.
___
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to freebsd-current-unsubscr...@freebsd.org


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-13 Thread Brooks Davis
On Sun, Dec 02, 2012 at 03:43:22PM +, Robert N. M. Watson wrote:
 
 On 2 Dec 2012, at 15:34, Ryan Stone wrote:
 
  On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
  
  Just to follow up on this thread, since the question has come up a number 
   of times.  mergemaster -p should be run prior to installworld always, but 
  most of the time will do very little.  One of its responsibilities is to 
  add any necessary accounts and groups depended on by base system components 
  -- e.g., that will be referenced during installworld as part of setting 
  file ownership and groups.
  
  I often use make installworld installkernel distribution DESTDIR=... to 
  create bootable images (e.g. for a USB stick).  What's the recommendation 
  for that case?  Manually create the auditdistd user on the build host?
 
 Yes, that's probably the best short-term bet.
 
  In the longer term, it would be nice if installworld could not only generate 
 an mtree on the side rather than directly chmod/chowning the files (Brooks 
 Davis has patches for this), but also use UIDs/GIDs from a user database 
 directly rather than assuming that the host where you are constructing the 
 image has the same notion of users and groups. This is especially important 
 if we want to support cross-building embedded images from Linux, Mac OS X, 
 etc, in the future.
 

One useful feature of NetBSD's install is that we can use passwd and
group databases other than the one in /.  You would obviously use this
when doing an unprivileged install, but you might also want to do it
for a privileged install as well which would fix this bootstrapping
problem.

-- Brooks




Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread O. Hartmann
On 12/01/12 22:53, Chris Rees wrote:
 On 1 Dec 2012 21:51, Andreas Tobler andreast-l...@fgznet.ch wrote:

 On 01.12.12 16:15, Robert Watson wrote:

 Dear all:

 I've now committed the build glue required to install the recently merged
 Audit Distribution Daemon (auditdistd) contributed by the Pawel Dawidek, and
 sponsored by the FreeBSD Foundation.  This allows individual hosts generating
 audit trails to submit trails to a central audit server for review and safe
 keeping.  Part of the goal is to ensure that a host submitting trail data
 can't later modify the trails.  Pawel uses a variety of useful security- and
 resilience-related features such as TLS, Capsicum, etc, in auditdistd.  As the
 recent security incident in the FreeBSD.org cluster illustrated, having
 reliable and detailed audit trails makes a big difference in forensic work,
 and hopefully this will allow the FreeBSD Project (and our users) to do that
 better in the future.

 Aehm, hope it is ok to 'complain' here.

 Happens when installing world.

 cd /export/devel/fbsd/head/src;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1
 LOCAL_MTREE= hierarchy
 cd /export/devel/fbsd/head/src/etc;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
 mtree: line 22: unknown user auditdistd
 *** [distrib-dirs] Error code 1
 
 Does mergemaster -p help?
 
 Chris

I had the very same problem and complained about it on current@.
mergemaster -p definitely helped for me and I was given the advice to
use mergemaster -p prior to every make installworld.

Oliver






Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Robert Watson


On Sun, 2 Dec 2012, O. Hartmann wrote:


Does mergemaster -p help?


I had the very same problem and complained about it on current@. 
mergemaster -p definitely helped for me and I was given the advice to use 
mergemaster -p prior to every make installworld.


Just to follow up on this thread, since the question has come up a number of 
times.  mergemaster -p should be run prior to installworld always, but most 
of the time will do very little.  One of its responsibilities is to add any 
necessary accounts and groups depended on by base system components -- e.g., 
that will be referenced during installworld as part of setting file ownership 
and groups.


One of the primary sources of new users and groups has been chroot/etc 
sandboxes -- independent from the role of a daemon as a file owner.  My hope 
is that this will reduce over time with increasing use Capsicum sandboxes, 
which don't require custom UIDs/GIDs.  However, there are still cases where 
you want a daemon, for reasons of file and group ownership, to run as a 
specific user, as is the case with auditdistd, which does support Capsicum 
(where enabled).


Robert


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Fbsd8

Robert Watson wrote:


Dear all:

I've now committed the build glue required to install the recently 
merged Audit Distribution Daemon (auditdistd) contributed by the Pawel 
Dawidek, and sponsored by the FreeBSD Foundation.  This allows 
individual hosts generating audit trails to submit trails to a central 
audit server for review and safe keeping.  Part of the goal is to ensure 
that a host submitting trail data can't later modify the trails.  Pawel 
uses a variety of useful security- and resilience-related features such 
as TLS, Capsicum, etc, in auditdistd.  As the recent security incident 
in the FreeBSD.org cluster illustrated, having reliable and detailed 
audit trails makes a big difference in forensic work, and hopefully this 
will allow the FreeBSD Project (and our users) to do that better in the 
future.


Robert N M Watson
Computer Laboratory
University of Cambridge



Is auditdistd going to be included in the base system as of 10.0-RELEASE
or be a port that runs on 10.0-RELEASE and newer?



Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Robert N. M. Watson

On 2 Dec 2012, at 14:21, Fbsd8 wrote:

 I've now committed the build glue required to install the recently merged 
 Audit Distribution Daemon (auditdistd) contributed by the Pawel Dawidek, and 
 sponsored by the FreeBSD Foundation.  This allows individual hosts 
 generating audit trails to submit trails to a central audit server for 
 review and safe keeping.  Part of the goal is to ensure that a host 
 submitting trail data can't later modify the trails.  Pawel uses a variety 
 of useful security- and resilience-related features such as TLS, Capsicum, 
 etc, in auditdistd.  As the recent security incident in the FreeBSD.org 
 cluster illustrated, having reliable and detailed audit trails makes a big 
 difference in forensic work, and hopefully this will allow the FreeBSD 
 Project (and our users) to do that better in the future.
 
 Is auditdistd going to be included in the base system as of 10.0-RELEASE
 or be a port that runs on 10.0-RELEASE and newer?

The plan is that auditdistd will be included in the base operating system for 
FreeBSD 10.0, and it is now integrated into the development branch that will 
naturally lead to that outcome; I would like to get it merged to stable/9 for 
inclusion in a future 9.2 release as well, but that will require a bit more 
work. I'll plan to let it shake out in 10-CURRENT for at least a few weeks, and 
let more users report on their experiences, before looking at a merge to 9.x.

Robert



Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Ryan Stone
On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:


 Just to follow up on this thread, since the question has come up a number
  of times.  mergemaster -p should be run prior to installworld always, but
 most of the time will do very little.  One of its responsibilities is to
 add any necessary accounts and groups depended on by base system components
 -- e.g., that will be referenced during installworld as part of setting
 file ownership and groups.


I often use make installworld installkernel distribution DESTDIR=... to
create bootable images (e.g. for a USB stick).  What's the recommendation
for that case?  Manually create the auditdistd user on the build host?


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Robert N. M. Watson

On 2 Dec 2012, at 15:34, Ryan Stone wrote:

 On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:
 
 Just to follow up on this thread, since the question has come up a number of 
  times.  mergemaster -p should be run prior to installworld always, but most 
 of the time will do very little.  One of its responsibilities is to add any 
 necessary accounts and groups depended on by base system components -- e.g., 
 that will be referenced during installworld as part of setting file ownership 
 and groups.
 
 I often use make installworld installkernel distribution DESTDIR=... to 
 create bootable images (e.g. for a USB stick).  What's the recommendation for 
 that case?  Manually create the auditdistd user on the build host?

Yes, that's probably the best short-term bet.

In the longer term, it would be nice if installworld could not only generate an 
mtree on the side rather than directly chmod/chowning the files (Brooks Davis 
has patches for this), but also use UIDs/GIDs from a user database directly 
rather than assuming that the host where you are constructing the image has the 
same notion of users and groups. This is especially important if we want to 
support cross-building embedded images from Linux, Mac OS X, etc, in the future.

Robert
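Ryan Stone's DESTDIR question and Robert Watson's answer above both come down to one check: does every account an mtree spec names exist in the passwd/group database that distrib-dirs and installworld will actually consult? The following POSIX sh preflight is an added example, not FreeBSD's own tooling; it lists every uname=/gname= in a spec that a given passwd or group file lacks, and checks an image root the way a DESTDIR build would need. The spec fragment, the passwd/group contents and the uid/gid values in it are constructed for illustration.

```shell
#!/bin/sh
# Preflight for distrib-dirs/installworld: list every user and group name an
# mtree(8) spec references that the passwd/group database lacks.  Reports all
# missing names at once, where mtree itself stops at the first one
# ("mtree: line 22: unknown user auditdistd").  Added example, not FreeBSD code.

# Print the distinct values of uname= (or gname=) in an mtree spec.
#   $1 = spec file   $2 = "uname" or "gname"
# Numeric uid=/gid= keywords need no account and are deliberately ignored.
mtree_names() {
    sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" "$1" | sort -u
}

# Print spec names absent from a passwd(5)/group(5)-style file (first field).
#   $1 = spec file   $2 = "uname"|"gname"   $3 = passwd or group file
# Returns 1 if anything is missing, 0 otherwise.
mtree_missing() {
    _rc=0
    for _n in $(mtree_names "$1" "$2"); do
        if ! cut -d: -f1 "$3" | grep -qx -- "$_n"; then
            echo "$_n"
            _rc=1
        fi
    done
    return $_rc
}

# Check a spec against the databases inside an image root (DESTDIR), the case
# from the thread, rather than against the build host's own /etc.
#   $1 = spec file   $2 = DESTDIR
check_destdir() {
    mtree_missing "$1" uname "$2/etc/passwd" | sed 's/^/missing user: /'
    mtree_missing "$1" gname "$2/etc/group"  | sed 's/^/missing group: /'
}

# Constructed sample data: a BSD.var.dist-style fragment and an image root
# whose passwd has no auditdistd account (the situation in the thread).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc"
cat > "$ROOT/BSD.var.dist" <<'EOF'
/set type=dir uname=root gname=wheel mode=0755
.
    audit
        dist            uname=auditdistd gname=audit mode=0750
        ..
    ..
..
EOF
printf 'root:*:0:0:Charlie &:/root:/bin/sh\n' > "$ROOT/etc/passwd"
printf 'wheel:*:0:root\naudit:*:77:\n'        > "$ROOT/etc/group"

check_destdir "$ROOT/BSD.var.dist" "$ROOT"
# prints: missing user: auditdistd
```

Run it against the real spec files under src/etc/mtree with the intended DESTDIR before installworld; an empty result means mtree will not fail on an unknown user or group.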


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-02 Thread Chris Rees
On 2 Dec 2012 15:34, Ryan Stone ryst...@gmail.com wrote:

 On Sun, Dec 2, 2012 at 8:05 AM, Robert Watson rwat...@freebsd.org wrote:

 
   Just to follow up on this thread, since the question has come up a number
   of times.  mergemaster -p should be run prior to installworld always, but
   most of the time will do very little.  One of its responsibilities is to
   add any necessary accounts and groups depended on by base system components
   -- e.g., that will be referenced during installworld as part of setting
   file ownership and groups.
 
 
 I often use make installworld installkernel distribution DESTDIR=... to
 create bootable images (e.g. for a USB stick).  What's the recommendation
 for that case?  Manually create the auditdistd user on the build host?

You could run mergemaster -p; it doesn't do anything that would hurt your
running system; just adds important users etc.

Chris


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-01 Thread Andreas Tobler
On 01.12.12 16:15, Robert Watson wrote:
 
 Dear all:
 
 I've now committed the build glue required to install the recently merged 
 Audit Distribution Daemon (auditdistd) contributed by the Pawel Dawidek, and 
 sponsored by the FreeBSD Foundation.  This allows individual hosts generating 
 audit trails to submit trails to a central audit server for review and safe 
 keeping.  Part of the goal is to ensure that a host submitting trail data 
 can't later modify the trails.  Pawel uses a variety of useful security- and 
  resilience-related features such as TLS, Capsicum, etc, in auditdistd.  As the 
 recent security incident in the FreeBSD.org cluster illustrated, having 
 reliable and detailed audit trails makes a big difference in forensic work, 
 and hopefully this will allow the FreeBSD Project (and our users) to do that 
 better in the future.

Aehm, hope it is ok to 'complain' here.

Happens when installing world.

cd /export/devel/fbsd/head/src;
/usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1
LOCAL_MTREE= hierarchy
cd /export/devel/fbsd/head/src/etc; 
/usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
mtree: line 22: unknown user auditdistd
*** [distrib-dirs] Error code 1

Andreas


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-01 Thread Chris Rees
On 1 Dec 2012 21:51, Andreas Tobler andreast-l...@fgznet.ch wrote:

 On 01.12.12 16:15, Robert Watson wrote:
 
  Dear all:
 
   I've now committed the build glue required to install the recently merged
   Audit Distribution Daemon (auditdistd) contributed by the Pawel Dawidek, and
   sponsored by the FreeBSD Foundation.  This allows individual hosts generating
   audit trails to submit trails to a central audit server for review and safe
   keeping.  Part of the goal is to ensure that a host submitting trail data
   can't later modify the trails.  Pawel uses a variety of useful security- and
   resilience-related features such as TLS, Capsicum, etc, in auditdistd.  As the
   recent security incident in the FreeBSD.org cluster illustrated, having
   reliable and detailed audit trails makes a big difference in forensic work,
   and hopefully this will allow the FreeBSD Project (and our users) to do that
   better in the future.

 Aehm, hope it is ok to 'complain' here.

 Happens when installing world.

 cd /export/devel/fbsd/head/src;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1
 LOCAL_MTREE= hierarchy
 cd /export/devel/fbsd/head/src/etc;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
 mtree: line 22: unknown user auditdistd
 *** [distrib-dirs] Error code 1

Does mergemaster -p help?

Chris


Re: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

2012-12-01 Thread Simon L. B. Nielsen
On 1 December 2012 21:06, Andreas Tobler andreast-l...@fgznet.ch wrote:
 On 01.12.12 16:15, Robert Watson wrote:

 Dear all:

 I've now committed the build glue required to install the recently merged
 Audit Distribution Daemon (auditdistd) contributed by the Pawel Dawidek, and
 sponsored by the FreeBSD Foundation.  This allows individual hosts generating
 audit trails to submit trails to a central audit server for review and safe
 keeping.  Part of the goal is to ensure that a host submitting trail data
 can't later modify the trails.  Pawel uses a variety of useful security- and
  resilience-related features such as TLS, Capsicum, etc, in auditdistd.  As the
 recent security incident in the FreeBSD.org cluster illustrated, having
 reliable and detailed audit trails makes a big difference in forensic work,
 and hopefully this will allow the FreeBSD Project (and our users) to do that
 better in the future.

 Aehm, hope it is ok to 'complain' here.

 Happens when installing world.

 cd /export/devel/fbsd/head/src;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make -f Makefile.inc1
 LOCAL_MTREE= hierarchy
 cd /export/devel/fbsd/head/src/etc;
 /usr/obj/export/devel/fbsd/head/src/make.amd64/make distrib-dirs
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.root.dist -p /
 mtree -eU  -f /export/devel/fbsd/head/src/etc/mtree/BSD.var.dist -p /var
 mtree: line 22: unknown user auditdistd
 *** [distrib-dirs] Error code 1

Did you remember mergemaster -p before installworld?

-- 
Simon L. B. Nielsen