Dear 6-STABLE users,

In the next 2-3 weeks, I plan to MFC support for CAPP security event auditing from 7-CURRENT to 6-STABLE. The implementation has been running quite nicely in -CURRENT for several months. Right now, I'm just waiting on a confirmation from Sun regarding formal allocation of a BSM header version number so as to avoid accidental version number conflicts in the future, which I hope to get this week, as well as a bug fix in the handling of per-pipe preselection, which Christian Peron is currently working on. The audit implementation will be considered an experimental feature in 6.2-RELEASE, but in practice runs quite well, so is ready for more wide-spread deployment.

For those who are unfamiliar with it, security event auditing ("audit") is the fine-grained logging of system security events, from login events to security relevant system calls. The result is a secure audit trail, which can be used for post-mortem analysis, intrusion detection, etc. The FreeBSD implementation is based on the Mac OS X audit implementation, implemented by my team at McAfee Research a few years ago, which Apple has kindly donated under a BSD license. However, it has been substantially enhanced since forking the Apple code. Additions include infrastructure to support live intrusion detection (live "audit pipes" with per-pipe preselection facilities independent of the global trail), 64-bit support, additional cross-platform portability, endian-independent trail files, and a great number of other cleanups, including support for FreeBSD's fine-grained SMP architecture. Both Mac OS X and FreeBSD implement Sun's de facto standard BSM API and audit trail format (with extensions for FreeBSD and Mac OS X events not present in Solaris), so many existing monitoring and analysis tools will run "out of the box", and FreeBSD and Mac OS X can be integrated into existing Sun-based audit infrastructure without too much work.

While the open source FreeBSD releases have not been evaluated, this implementation is intended to be compliant with the CAPP standard's audit requirements. If you are interested in getting FreeBSD evaluated, and have been waiting on audit support (I know there are several people out there who have talked to me about this in the past), please let me know, and we can talk about how this might affect the evaluation of FreeBSD.

Configuring audit requires the addition of "options AUDIT" to your kernel configuration file, modification of /etc/rc.conf, and any necessary tweaking of /etc/security/audit* to configure. There are detailed man pages, as well as a chapter in the FreeBSD Handbook, thanks to Tom Rhodes, explaining audit and audit configuration at a high level. Feedback on both the documentation and implementation would be most welcome; please direct this to the [EMAIL PROTECTED] mailing list. Until the implementation is upgraded from "experimental", AUDIT will remain disabled in the GENERIC kernel by default. I hope to compile AUDIT in by default starting around FreeBSD 6.3 or 6.4, but exactly when will depend on the nature of feedback, bug reports, etc, over the next few months. In its disabled state, some audit code is present in userland applications, but should not be run by default. We provide a NO_AUDIT build option to prevent audit support from being compiled into user space applications at all, which may be appropriate in embedded environments where space constraints are more of a pressing issue.
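As an added illustration (editor's example, not code from this message or from OpenBSM) of the /etc/security/audit_control preselection syntax referred to above: the model below shows how a "flags:" or "naflags:" value such as "lo,aa,+ex,-fw" is compiled into the success and failure masks that decide which events reach the trail. Class names and bit values are taken from the OpenBSM audit_class(5) table, and the "+", "-" and "^" prefix semantics follow audit_control(5); the function names are this example's own, not OpenBSM's getauditflagsbin(3).

```python
# Editor's example: models how an audit_control(5) flags: line becomes the
# success/failure preselection masks used for audit record selection.
# Class names and bit values follow the OpenBSM audit_class(5) table;
# prefix handling follows audit_control(5).  Function names are our own.

AUDIT_CLASSES = {
    "no": 0x00000000, "fr": 0x00000001, "fw": 0x00000002, "fa": 0x00000004,
    "fm": 0x00000008, "fc": 0x00000010, "fd": 0x00000020, "cl": 0x00000040,
    "pc": 0x00000080, "nt": 0x00000100, "ip": 0x00000200, "na": 0x00000400,
    "ad": 0x00000800, "lo": 0x00001000, "aa": 0x00002000, "ap": 0x00004000,
    "io": 0x20000000, "ex": 0x40000000, "ot": 0x80000000, "all": 0xFFFFFFFF,
}
ALL_BITS = 0xFFFFFFFF


def parse_flags(spec):
    """Return (success_mask, failure_mask) for a flags:/naflags: value."""
    success = failure = 0
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")      # "^" removes instead of adding
        if remove:
            item = item[1:]
        on_success = on_failure = True
        if item.startswith("+"):           # "+": successful events only
            on_failure, item = False, item[1:]
        elif item.startswith("-"):         # "-": failed events only
            on_success, item = False, item[1:]
        if item not in AUDIT_CLASSES:
            raise ValueError("unknown audit class: %r" % item)
        bits = AUDIT_CLASSES[item]
        if remove:
            if on_success:
                success &= (~bits & ALL_BITS)
            if on_failure:
                failure &= (~bits & ALL_BITS)
        else:
            if on_success:
                success |= bits
            if on_failure:
                failure |= bits
    return success, failure


def selected(spec, event_class, succeeded):
    """True if an event in event_class with this outcome would be recorded."""
    success, failure = parse_flags(spec)
    mask = success if succeeded else failure
    return bool(mask & AUDIT_CLASSES[event_class])
```

Running selected("lo,-fw", "fw", True) shows that a successful file write is dropped while the failed one is kept, which is the usual way to cut trail volume without losing the security-relevant failures.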

The integration process will take around a week, and may result in intermittent build failures or other unexpected quirks in 6-STABLE. We have planned this fairly carefully in order to minimize disruption, but with any large set of source code changes, there is the risk of unexpected consequences. Once the code base to be merged is finalized, I will post a more specific merge schedule to the freebsd-stable and trustedbsd-audit mailing lists detailing how things will go. Once the merge is complete, I will post tutorial information to various mailing lists for those interested in giving this a try. You can learn more about Audit by reading the handbook chapter, and visiting http://www.TrustedBSD.org/audit.html

As an FYI for those interested, we are shipping the user space audit components as a portable package, OpenBSM, so that BSM-based applications can be built to process Solaris, FreeBSD, and Mac OS X audit trails on a variety of platforms, including Linux, older versions of FreeBSD, and other *BSD systems. OpenBSM is present in the contrib tree in the FreeBSD source tree as a vendor branch import, and will track the most recent OpenBSM release. You can learn more about this at http://www.OpenBSM.org/.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable