Subject: HEADS UP: Audit integration into CVS in progress, some tree disruption
From: Robert Watson (rwat...@FreeBSD.org)
Date: Feb 1, 2006 10:32:18 pm
On Wed, 1 Feb 2006, Kövesdán Gábor wrote:

> Robert Watson wrote:
>
>> As Wayne and I are in the process of merging the TrustedBSD audit3 branch contents into the FreeBSD CVS HEAD (7-CURRENT), there may be periods where the tree is (hopefully briefly) unbuildable. This integration process will take a couple of days to complete, due to the scope of the changes. So far, the kernel audit framework has been committed (src/sys/security/audit), as has an initial vendor import of OpenBSM for user space (src/contrib/openbsm). What remains to be committed are the substantial changes to gather audit data in system calls, the mappings of system calls to audit events, and integration into the user space build and user space applications (such as login). These bits are the trickier bits as the patches are large and touch a lot of parts of the tree.
>>
>> I'll send out follow-up e-mail once the worst is past, along with information on what it all means, and how to try it out (for those not already on trustedbsd-audit, who have been hearing about this for a while).
>
> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming 6.1? Or only for 6.2 or later?
It depends a bit on how well this shakes out. The code is definitely still "experimental", in that the set of events audited is not yet complete. There are three general sorts of weaknesses in the set of events currently audited:
(1) Our auditing of system calls in compatibility APIs, such as Linux, is not yet complete. A lot of this simply consists of completing the mapping of non-FreeBSD system calls to BSM audit event identifiers. In other cases, we need to add new events or additional argument gathering. For example, the Linux compatibility support includes some Linux-specific system calls that do not appear in Darwin, FreeBSD, or Solaris, and will require specific new event types to be assigned and arguments to be gathered.
(2) Argument gathering for FreeBSD system calls is not complete. A moderate number of new system calls have been added since we began work on the audit code, including support for POSIX message queues and a new mount mechanism. In addition, some current system calls are not fully audited -- for example, ACL-related operations.
(3) Not all user space commands requiring audit support have been modified to perform CAPP-required auditing. For example, sshd doesn't currently have its audit support hooked up (although the support in it for Solaris and Darwin BSM should work on FreeBSD). Things like lpr, adduser, and so on require additional audit support.
Finally, lots of testing is required.
With all this in mind, it is not yet ruled out that we could ship initial "experimental" audit support in 6.1-RELEASE. In fact, the timing is currently such that it will be possible, assuming all goes well, and allowing for the fact that it really will be an experimental feature and not a production feature in 6.1. We were quite careful to merge the necessary ABI changes to RELENG_6 before the 6.0 release so that merging it would be possible without breaking existing 6.x device drivers.
Help in continuing development and testing would be most welcome! We'll send out e-mail with details regarding configuring the audit support (etc) once the merge is a bit further along.
Robert N M Watson