Robert Watson
2006-Aug-16 11:24 UTC
Warning: MFC of security event audit support RELENG_6 in the next 2-3 weeks
Dear 6-STABLE users,

In the next 2-3 weeks, I plan to MFC support for CAPP security event auditing from 7-CURRENT to 6-STABLE. The implementation has been running quite nicely in -CURRENT for several months. Right now, I'm just waiting on a confirmation from Sun regarding formal allocation of a BSM header version number so as to avoid accidental version number conflicts in the future, which I hope to get this week, as well as a bug fix in the handling of per-pipe preselection, which Christian Peron is currently working on. The audit implementation will be considered an experimental feature in 6.2-RELEASE, but in practice runs quite well, so is ready for more wide-spread deployment.

For those who are unfamiliar with it, security event auditing ("audit") is the fine-grained logging of system security events, from login events to security relevant system calls. The result is a secure audit trail, which can be used for post-mortem analysis, intrusion detection, etc. The FreeBSD implementation is based on the Mac OS X audit implementation, implemented by my team at McAfee Research a few years ago, which Apple has kindly donated under a BSD license. However, it has been substantially enhanced since forking the Apple code. Additions include infrastructure to support live intrusion detection (live "audit pipes" with per-pipe preselection facilities independent of the global trail), 64-bit support, additional cross-platform portability, endian-independent trail files, and a great number of other cleanups, including support for FreeBSD's fine-grained SMP architecture. Both Mac OS X and FreeBSD implement Sun's de facto standard BSM API and audit trail format (with extensions for FreeBSD and Mac OS X events not present in Solaris), so many existing monitoring and analysis tools will run "out of the box", and FreeBSD and Mac OS X can be integrated into existing Sun-based audit infrastructure without too much work.

While the open source FreeBSD releases have not been evaluated, this implementation is intended to be compliant with the CAPP standard's audit requirements. If you are interested in getting FreeBSD evaluated, and have been waiting on audit support (I know there are several people out there who have talked to me about this in the past), please let me know, and we can talk about how this might affect the evaluation of FreeBSD.

Configuring audit requires the addition of "options AUDIT" to your kernel configuration file, modification of /etc/rc.conf, and any necessary tweaking of /etc/security/audit* to configure. There are detailed man pages, as well as a chapter in the FreeBSD Handbook, thanks to Tom Rhodes, explaining audit and audit configuration at a high level. Feedback on both the documentation and implementation would be most welcome; please direct this to the trustedbsd-audit@TrustedBSD.org mailing list.

Until the implementation is upgraded from "experimental", AUDIT will remain disabled in the GENERIC kernel by default. I hope to compile AUDIT in by default starting around FreeBSD 6.3 or 6.4, but exactly when will depend on the nature of feedback, bug reports, etc, over the next few months. In its disabled state, some audit code is present in userland applications, but should not be run by default. We provide a NO_AUDIT build option to prevent audit support from being compiled into user space applications at all, which may be appropriate in embedded environments where space constraints are more of a pressing issue.

The integration process will take around a week, and may result in intermittent build failures or other unexpected quirks in 6-STABLE. We have planned this fairly carefully in order to minimize disruption, but with any large set of source code changes, there is the risk of unexpected consequences.

Once the code base to be merged is finalized, I will post a more specific merge schedule to the freebsd-stable and trustedbsd-audit mailing lists detailing how things will go. Once the merge is complete, I will post tutorial information to various mailing lists for those interested in giving this a try. You can learn more about Audit by reading the handbook chapter, and visiting TrustedBSD.org/audit.html.

As an FYI for those interested, we are shipping the user space audit components as a portable package, OpenBSM, so that BSM-based applications can be built to process Solaris, FreeBSD, and Mac OS X audit trails on a variety of platforms, including Linux, older versions of FreeBSD, and other *BSD systems. OpenBSM is present in the contrib tree in the FreeBSD source tree as a vendor branch import, and will track the most recent OpenBSM release. You can learn more about this at OpenBSM.org.

Robert N M Watson
Computer Laboratory
University of Cambridge
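The three configuration steps the mail lists (kernel option, /etc/rc.conf, /etc/security/audit*) as an added example, not part of Robert Watson's e-mail: POSIX sh functions that take target paths as arguments so they can be tried against a scratch directory first. The class list "lo,aa,ad" and "minfree:5" are sample choices of mine, not values from the mail.

```shell
#!/bin/sh
# Added example, not from the original mail or the FreeBSD/OpenBSM sources.
# Kernel side is a one-line reminder only; this script does not edit a kernel
# config. Add to your kernel configuration file and rebuild:
#   options AUDIT

# Enable auditd at boot by setting auditd_enable="YES" in the given rc.conf.
# Idempotent: an existing auditd_enable line is rewritten, not duplicated.
enable_auditd_rc() {
    rcconf="$1"
    if grep -q '^auditd_enable=' "$rcconf" 2>/dev/null; then
        # BSD sed -i needs a suffix argument, so go through a temp file instead
        sed 's/^auditd_enable=.*/auditd_enable="YES"/' "$rcconf" > "$rcconf.tmp" \
            && mv "$rcconf.tmp" "$rcconf"
    else
        printf 'auditd_enable="YES"\n' >> "$rcconf"
    fi
}

# Write a minimal audit_control (normally /etc/security/audit_control).
#   dir     - directory that receives trail files
#   flags   - event classes audited for attributable (post-login) events
#   minfree - percent of free space in dir below which auditd warns
#   naflags - classes for non-attributable events, e.g. failed logins before
#             the kernel knows which user is involved
# Sample classes (assumed defaults): lo = login/logout, aa = authentication
# and authorization, ad = administrative actions.
write_audit_control() {
    out="$1"; dir="${2:-/var/audit}"; flags="${3:-lo,aa,ad}"
    cat > "$out" <<EOF
dir:$dir
flags:$flags
minfree:5
naflags:lo,aa
EOF
}

# Sanity check before deploying: every required field must be present.
check_audit_control() {
    for key in dir flags minfree naflags; do
        grep -q "^$key:" "$1" || return 1
    done
    return 0
}
```

Run the functions against copies under a scratch directory, then copy the results into place and start auditd with /etc/rc.d/auditd start.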
Robert Watson
2006-Sep-02 10:42 UTC
Warning: MFC of security event audit support RELENG_6 in the next 2-3 weeks
On Wed, 16 Aug 2006, Robert Watson wrote:

> Dear 6-STABLE users,
>
> In the next 2-3 weeks, I plan to MFC support for CAPP security event
> auditing from 7-CURRENT to 6-STABLE. The implementation has been running
> quite nicely in -CURRENT for several months. Right now, I'm just waiting on
> a confirmation from Sun regarding formal allocation of a BSM header version
> number so as to avoid accidental version number conflicts in the future,
> which I hope to get this week, as well as a bug fix in the handling of
> per-pipe preselection, which Christian Peron is currently working on. The
> audit implementation will be considered an experimental feature in
> 6.2-RELEASE, but in practice runs quite well, so is ready for more
> wide-spread deployment.

Dear 6-STABLE users,

After a couple of weeks of settling, polishing, etc, the MFC of audit support is about to begin. Over the next couple of days, the 6-STABLE build may be briefly broken as inter-dependent components are merged. I do not anticipate any serious disruption, but some caution is called for. In principle, all the potentially tricky kernel ABI dependencies, etc, were dealt with before 6.0-RELEASE, such as changes in the size of the kernel system call data structures.

The approximate merge plan, run by re@ a few days ago, is as follows:

- Merge OpenBSM contrib subtree detached from build.
- Merge kernel trees (src/sys/bsm, src/sys/security/audit), attach to build.
- Merge kernel audit event hooks across the kernel. In principle, we've reserved space in the syscall table, etc, so that there is no disruptive kernel ABI change for critical data structures.
- Merge OpenBSM library and command line tools build, as well as install of /etc/security, /etc/rc.d files.
- Merge kernel man pages (src/share/man/man4/audit*).
- Merge user space tool changes, such as to login, sshd, su, etc, so that events are audited.
- Loose ends, such as make.conf man page, etc.
- Update Handbook to indicate that Audit applies to 6.x and 7.x.

I will send out a status e-mail once the merge is completed, and send out a notice if any problems are encountered. If you experience any problems, especially problems not related to the build (which will likely get picked up and fixed quickly, if they occur), please let me know. I'm especially interested in any issues relating to changes in ability to log in, programs exiting due to using unrecognized system calls (SIGSYS), etc. As I said above, these sorts of problems are unlikely to occur, but if they do occur, I'd like to fix them as quickly as possible. I would like to have the merge largely done by 4 September 2006, although it's possible a few straggling tweaks will come in after that.

Thanks,

Robert N M Watson
Computer Laboratory
University of Cambridge