Warning: MFC of security event audit support RELENG_6 in the next 2-3 weeks
Robert Watson
rwatson at FreeBSD.org
Wed Aug 16 11:24:15 UTC 2006

Dear 6-STABLE users,

In the next 2-3 weeks, I plan to MFC support for CAPP security event
auditing from 7-CURRENT to 6-STABLE. The implementation has been running
quite nicely in -CURRENT for several months. Right now, I'm just waiting on a
confirmation from Sun regarding formal allocation of a BSM header version
number so as to avoid accidental version number conflicts in the future, which
I hope to get this week, as well as a bug fix in the handling of per-pipe
preselection, which Christian Peron is currently working on. The audit
implementation will be considered an experimental feature in 6.2-RELEASE, but
in practice runs quite well, so is ready for more wide-spread deployment.

For those who are unfamiliar with it, security event auditing ("audit") is the
fine-grained logging of system security events, from login events to security
relevant system calls. The result is a secure audit trail, which can be used
for post-mortem analysis, intrusion detection, etc. The FreeBSD
implementation is based on the Mac OS X audit implementation, implemented by
my team at McAfee Research a few years ago, which Apple has kindly donated
under a BSD license. However, it has been substantially enhanced since
forking the Apple code. Additions include infrastructure to support live
intrusion detection (live "audit pipes" with per-pipe preselection facilities
independent of the global trail), 64-bit support, additional cross-platform
portability, endian-independent trail files, and a great number of other
cleanups, including support for FreeBSD's fine-grained SMP architecture.
Both Mac OS X and FreeBSD implement Sun's de facto standard BSM API and audit
trail format (with extensions for FreeBSD and Mac OS X events not present in
Solaris), so many existing monitoring and analysis tools will run "out of the
box", and FreeBSD and Mac OS X can be integrated into existing Sun-based audit
infrastructure without too much work.

While the open source FreeBSD releases have not been evaluated, this
implementation is intended to be compliant with the CAPP standard's audit
requirements. If you are interested in getting FreeBSD evaluated, and have
been waiting on audit support (I know there are several people out there who
have talked to me about this in the past), please let me know, and we can talk
about how this might affect the evaluation of FreeBSD.

Configuring audit requires the addition of "options AUDIT" to your kernel
configuration file, modification of /etc/rc.conf, and any necessary tweaking
of /etc/security/audit* to configure. There are detailed man pages, as well
as a chapter in the FreeBSD Handbook, thanks to Tom Rhodes, explaining audit
and audit configuration at a high level. Feedback on both the documentation
and implementation would be most welcome; please direct this to the
trustedbsd-audit at TrustedBSD.org mailing list. Until the implementation is
upgraded from "experimental", AUDIT will remain disabled in the GENERIC kernel
by default. I hope to compile AUDIT in by default starting around FreeBSD 6.3
or 6.4, but exactly when will depend on the nature of feedback, bug reports,
etc, over the next few months. In its disabled state, some audit code is
present in userland applications, but should not be run by default. We
provide a NO_AUDIT build option to prevent audit support from being compiled
into user space applications at all, which may be appropriate in embedded
environments where space constraints are more of a pressing issue.

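The three configuration steps named in the paragraph above (kernel "options AUDIT", /etc/rc.conf, and /etc/security/audit_control plus audit_user), worked through as an added example that is not part of the original mail or of the FreeBSD tree. The script stages the files into a scratch directory and checks them before anything is copied under /, and it goes slightly beyond the paragraph by making the kernel-config and rc.conf edits idempotent and by rejecting a malformed audit_user entry. The key names follow audit_control(5) and audit_user(5); the class selection (lo, aa), the audit_user line, the stand-in kernel config and the layout under STAGE are constructed samples and assumptions, not recommendations from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail or the FreeBSD tree): stage the
# three pieces of audit configuration named in the announcement into a
# scratch directory and check them before anything is copied under /.
# Class selections and the audit_user entry are constructed samples; the
# staging layout under $STAGE is an assumption.
set -u

STAGE="${STAGE:-$(mktemp -d)}"

# 1. Kernel config: append "options AUDIT" once, even if run repeatedly.
enable_audit_in_kernconf() {
    grep -q '^options[[:space:]]*AUDIT$' "$1" || printf 'options\tAUDIT\n' >> "$1"
}

# 2. rc.conf: have auditd(8) started at boot; append only if the knob is absent.
enable_auditd_in_rcconf() {
    grep -q '^auditd_enable=' "$1" || printf 'auditd_enable="YES"\n' >> "$1"
}

# 3. /etc/security/audit_control and audit_user (formats from audit_control(5)
#    and audit_user(5)).  flags/naflags name audit classes for attributable and
#    non-attributable events: lo = login/logout, aa = authentication and
#    authorization.  The class choice is a sample, not a recommendation.
write_audit_control() {
    mkdir -p "$1"
    cat > "$1/audit_control" <<'EOF'
dir:/var/audit
flags:lo,aa
minfree:20
naflags:lo,aa
policy:cnt
filesz:0
EOF
    # username:always-audit-classes:never-audit-classes
    printf 'root:lo:no\n' > "$1/audit_user"
}

# Check that every staged piece is present and well-formed; returns 0 on success.
check_staged_config() {
    base="$1"
    grep -q '^options[[:space:]]*AUDIT$' "$base/KERNCONF" || return 1
    grep -q '^auditd_enable="YES"$' "$base/rc.conf" || return 1
    for key in dir flags minfree naflags policy filesz; do
        grep -q "^$key:" "$base/security/audit_control" || return 1
    done
    # every audit_user line must have exactly three colon-separated fields
    awk -F: 'NF != 3 { bad = 1 } END { exit bad }' "$base/security/audit_user"
}

# Stage everything under $1, using a constructed stand-in for the kernel config
# (on a real system this would be a copy of e.g. /usr/src/sys/i386/conf/GENERIC).
stage_all() {
    base="$1"
    mkdir -p "$base"
    printf 'ident\tAUDITKERN\noptions\tSCHED_4BSD\n' > "$base/KERNCONF"
    : > "$base/rc.conf"
    enable_audit_in_kernconf "$base/KERNCONF"
    enable_auditd_in_rcconf "$base/rc.conf"
    write_audit_control "$base/security"
    check_staged_config "$base"
}

stage_all "$STAGE" && echo "audit configuration staged under $STAGE"
```

Run it as-is to review the generated files under the printed directory; only after that would the kernel config be rebuilt with the new option, rc.conf updated, and the two audit files copied into /etc/security. The check function is the part worth keeping around: re-running it against the live /etc tree after an upgrade catches a silently reverted audit_control.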
The integration process will take around a week, and may result in intermittent
build failures or other unexpected quirks in 6-STABLE. We have planned this
fairly carefully in order to minimize disruption, but with any large set of
source code changes, there is the risk of unexpected consequences. Once the
code base to be merged is finalized, I will post a more specific merge
schedule to the freebsd-stable and trustedbsd-audit mailing lists detailing
how things will go. Once the merge is complete, I will post tutorial
information to various mailing lists for those interested in giving this a
try. You can learn more about Audit by reading the handbook chapter, and
visiting http://www.TrustedBSD.org/audit.html

As an FYI for those interested, we are shipping the user space audit
components as a portable package, OpenBSM, so that BSM-based applications can
be built to process Solaris, FreeBSD, and Mac OS X audit trails on a variety
of platforms, including Linux, older versions of FreeBSD, and other *BSD
systems. OpenBSM is present in the contrib tree in the FreeBSD source tree as
a vendor branch import, and will track the most recent OpenBSM release. You
can learn more about this at http://www.OpenBSM.org/.

Robert N M Watson
Computer Laboratory
University of Cambridge