As Wayne and I are in the process of merging the TrustedBSD audit3 branch
contents into the FreeBSD CVS HEAD (7-CURRENT), there may be periods where
the tree is (hopefully briefly) unbuildable. This integration process will
take a couple of days to complete, due to the scope of the changes. So far,
the kernel audit framework has been committed (src/sys/security/audit), as
has an initial vendor import of OpenBSM for user space
(src/contrib/openbsm). What remains to be committed are the substantial
changes to gather audit data in system calls, the mappings of system calls
to audit events, and integration into the user space build and user space
applications (such as login). These bits are the trickier bits as the
patches are large and touch a lot of parts of the tree.
I'll send out follow-up e-mail once the worst is past, along with
information on what it all means, and how to try it out (for those not
already on trustedbsd-audit, who have been hearing about this for a while).
FYI, the current status is that the merge is continuing. So far we have
- OpenBSM library, commands, man pages, include files, etc.
- sys/security/audit audit event management framework
- etc/rc.d boot script, makefiles
- Mapping of FreeBSD native system calls to audit events.
To go are:
- Mappings of non-native system calls to audit events.
- Auditing of system call arguments.
- Submission of audit records by user space components.
So there are now enough pieces in the tree to configure auditing and see basic
system call traces. More to follow in the next couple of days.
Robert N M Watson