Robert Watson
2012-Dec-18 15:18 UTC
MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
Dear all:

Just an FYI that the new distributed audit daemon has been MFC'd to 9-STABLE.

As noted in UPDATING, you will need to run "mergemaster -p" before using installkernel or installworld targets in order to add the new "auditdistd" system user. This should be part of the regular update cycle anyway, but after the experience of adding auditdistd in 10-CURRENT, we've discovered that many people are skipping that step in the update cycle, so I figured it best to point out here.

(Technically, only installworld requires the user, but the user-check guards in the system Makefiles are enforced for both targets.)

More details on the daemon below.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
From: Robert Watson <rwatson at FreeBSD.org>
To: current at FreeBSD.org
Cc: security at FreeBSD.org
Subject: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd))

Dear all:

I've now committed the build glue required to install the recently merged Audit Distribution Daemon (auditdistd) contributed by Pawel Dawidek, and sponsored by the FreeBSD Foundation. This allows individual hosts generating audit trails to submit trails to a central audit server for review and safe keeping. Part of the goal is to ensure that a host submitting trail data can't later modify the trails. Pawel uses a variety of useful security- and resilience-related features such as TLS, Capsicum, etc, in auditdistd. As the recent security incident in the FreeBSD.org cluster illustrated, having reliable and detailed audit trails makes a big difference in forensic work, and hopefully this will allow the FreeBSD Project (and our users) to do that better in the future.

Robert N M Watson
Computer Laboratory
University of Cambridge

---------- Forwarded message ----------
Date: Sat, 1 Dec 2012 15:11:46 +0000 (UTC)
From: Robert Watson <rwatson at FreeBSD.org>
To: src-committers at freebsd.org, svn-src-all at freebsd.org, svn-src-head at freebsd.org
Subject: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd

Author: rwatson
Date: Sat Dec 1 15:11:46 2012
New Revision: 243752
URL: http://svnweb.freebsd.org/changeset/base/243752

Log:
  Merge a number of changes required to hook up OpenBSM 1.2-alpha2's auditdistd (distributed audit daemon) to the build:

  - Manual cross references
  - Makefile for auditdistd
  - rc.d script, rc.conf entries
  - New group and user for auditdistd; associated aliases, etc.

  The audit trail distribution daemon provides reliable, cryptographically protected (and sandboxed) delivery of audit trails from live clients to audit server hosts in order to both allow centralised analysis, and improve resilience in the event of client compromises: clients are not permitted to change trail contents after submission.

  Submitted by: pjd
  Sponsored by: The FreeBSD Foundation (auditdistd)

Added:
  head/etc/rc.d/auditdistd (contents, props changed)
  head/usr.sbin/auditdistd/
  head/usr.sbin/auditdistd/Makefile (contents, props changed)
Modified:
  head/etc/defaults/rc.conf
  head/etc/ftpusers
  head/etc/mail/aliases
  head/etc/master.passwd
  head/etc/mtree/BSD.var.dist
  head/etc/rc.d/Makefile
  head/share/man/man4/audit.4
  head/usr.sbin/Makefile

Modified: head/etc/defaults/rc.conf =============================================================================--- head/etc/defaults/rc.conf Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/defaults/rc.conf Sat Dec 1 15:11:46 2012 (r243752)
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newa auditd_enable="NO" # Run the audit daemon. auditd_program="/usr/sbin/auditd" # Path to the audit daemon. auditd_flags="" # Which options to pass to the audit daemon. +auditdistd_enable="NO" # Run the audit daemon. +auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon. +auditdistd_flags="" # Which options to pass to the auditdistd daemon. cron_enable="YES" # Run the periodic job daemon. cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled). cron_dst="YES" # Handle DST transitions intelligently (YES/NO) Modified: head/etc/ftpusers =============================================================================--- head/etc/ftpusers Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/ftpusers Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,7 @@ _pflogd _dhcp uucp pop +auditdistd www hast nobody Modified: head/etc/mail/aliases =============================================================================--- head/etc/mail/aliases Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/mail/aliases Sat Dec 1 15:11:46 2012 (r243752) @@ -26,6 +26,7 @@ postmaster: root # General redirections for pseudo accounts _dhcp: root _pflogd: root +auditdistd: root bin: root bind: root daemon: root Modified: head/etc/master.passwd =============================================================================--- head/etc/master.passwd Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/master.passwd Sat Dec 1 15:11:46 2012 (r243752) 
@@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin Modified: head/etc/mtree/BSD.var.dist =============================================================================--- head/etc/mtree/BSD.var.dist Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/mtree/BSD.var.dist Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,10 @@ /set gname=audit audit .. + dist uname=auditdistd gname=audit mode=0770 + .. + remote uname=auditdistd gname=wheel mode=0700 + .. /set gname=wheel backups .. Modified: head/etc/rc.d/Makefile =============================================================================--- head/etc/rc.d/Makefile Sat Dec 1 13:46:37 2012 (r243751) +++ head/etc/rc.d/Makefile Sat Dec 1 15:11:46 2012 (r243752) @@ -19,6 +19,7 @@ FILES= DAEMON \ atm2 \ atm3 \ auditd \ + auditdistd \ bgfsck \ bluetooth \ bootparams \ Added: head/etc/rc.d/auditdistd =============================================================================--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/etc/rc.d/auditdistd Sat Dec 1 15:11:46 2012 (r243752) 
@@ -0,0 +1,21 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: auditdistd +# REQUIRE: auditd +# BEFORE: DAEMON +# KEYWORD: nojail shutdown + +. /etc/rc.subr + +name="auditdistd" +rcvar="${name}_enable" +pidfile="/var/run/${name}.pid" +command="/usr/sbin/${name}" +required_files="/etc/${name}.conf" +extra_commands="reload" + +load_rc_config $name +run_rc_command "$1" Modified: head/share/man/man4/audit.4 =============================================================================--- head/share/man/man4/audit.4 Sat Dec 1 13:46:37 2012 (r243751) +++ head/share/man/man4/audit.4 Sat Dec 1 15:11:46 2012 (r243752) @@ -96,7 +96,8 @@ to track users and events in a fine-grai .Xr audit_warn 5 , .Xr rc.conf 5 , .Xr audit 8 , -.Xr auditd 8 +.Xr auditd 8 , +.Xr auditdistd 8 .Sh HISTORY The .Tn OpenBSM Modified: head/usr.sbin/Makefile =============================================================================--- head/usr.sbin/Makefile Sat Dec 1 13:46:37 2012 (r243751) +++ head/usr.sbin/Makefile Sat Dec 1 15:11:46 2012 (r243752) @@ -110,6 +110,9 @@ SUBDIR+= amd .if ${MK_AUDIT} != "no" SUBDIR+= audit SUBDIR+= auditd +.if ${MK_OPENSSL} != "no" +SUBDIR+= auditdistd +.endif SUBDIR+= auditreduce SUBDIR+= praudit .endif Added: head/usr.sbin/auditdistd/Makefile =============================================================================--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/usr.sbin/auditdistd/Makefile Sat Dec 1 15:11:46 2012 (r243752) 
@@ -0,0 +1,32 @@ +# +# $FreeBSD$ +# + +OPENBSMDIR=${.CURDIR}/../../contrib/openbsm +.PATH: ${OPENBSMDIR}/bin/auditdistd + +# Addition of auditdistd because otherwise generated parse.c can't find +# auditdistd.h. This seems like a makefile non-feature. +CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd + +NO_WFORMAT+ +PROG= auditdistd +SRCS= auditdistd.c +SRCS+= parse.y pjdlog.c +SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c proto_tls.c +SRCS+= receiver.c +SRCS+= sandbox.c sender.c subr.c +SRCS+= token.l trail.c +MAN= auditdistd.8 auditdistd.conf.5 + +DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL} +LDADD= -ll -lpthread -lutil +DPADD+= ${LIBCRYPTO} ${LIBSSL} +LDADD+= -lcrypto -lssl + +YFLAGS+=-v + +CLEANFILES=parse.c parse.h parse.output + +.include <bsd.prog.mk> _______________________________________________ freebsd-current at freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"
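Review bot: in the etc/defaults/rc.conf hunk the comment on `+auditdistd_enable="NO"` still reads `# Run the audit daemon.`, copied from the auditd_enable line just above it; it should describe the new knob, e.g. `# Run the audit distribution daemon.`, so the two entries can be told apart in the rc.conf(5) defaults.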
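Review bot: the etc/master.passwd hunk gives the new account primary gid 77, but no etc/group file appears in the Modified list, so the log line "New group and user for auditdistd" does not match what the diff does. If gid 77 is an existing group (the mtree hunk creates the dist directory with gname=audit, which would fit), the log should say "new user" only; if a new group was intended, the etc/group change is missing and "mergemaster -p" would create a user whose primary gid does not resolve. Either way, say which in the log so people merging this to 9-STABLE know whether a group entry is expected.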
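Review bot: the usr.sbin/Makefile hunk builds auditdistd only inside `.if ${MK_OPENSSL} != "no"`, while the etc/rc.d/Makefile hunk installs the rc script and the rc.conf, ftpusers, aliases and master.passwd hunks add their entries unconditionally. With `auditdistd_enable="NO"` by default this is harmless, but a WITHOUT_OPENSSL world ends up with an etc/rc.d/auditdistd whose `command="/usr/sbin/${name}"` does not exist; either guard the rc script the same way or note in the log that the account and rc glue are intentionally present regardless of MK_OPENSSL.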
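Review bot: in the new usr.sbin/auditdistd/Makefile the line `+NO_WFORMAT` is a bare token with no `=`; if an assignment was intended it should read `NO_WFORMAT=`, otherwise make will not treat it as setting the variable. More importantly, NO_WFORMAT disables -Wformat for a daemon that parses a config grammar (parse.y, token.l) and talks TLS to remote peers (proto_tls.c), which is exactly where a printf-style format mismatch is most costly; fixing the warnings in contrib/openbsm is preferable to silencing them, and at minimum the reason belongs in a comment next to the existing one about the -I paths.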
Bas Smeelen
2012-Dec-18 17:19 UTC
MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
On 12/18/12 16:18, Robert Watson wrote:
>
> Dear all:
>
> Just an FYI that the new distributed audit daemon has been MFC'd to
> 9-STABLE.

Thanks.

> As noted in UPDATING, you will need to run "mergemaster -p" before
> using installkernel or installworld targets in order to add the new
> "auditdistd" system user. This should be part of the regular update
> cycle anyway, but after the experience of adding auditdistd in
> 10-CURRENT, we've discovered that many people are skipping that step
> in the update cycle, so I figured it best to point out here.
>
> (Technically, only installworld requires the user, but the user-check
> guards in the system Makefiles are enforced for both targets.)

Maybe /usr/src/UPDATING should be updated? The end of /usr/src/UPDATING mentions mergemaster -p after the installation of the new kernel and rebooting to single user mode instead of before. This is on 9.1-RELEASE and also in CURRENT.

At least the entry in /usr/src/UPDATING on CURRENT for this change

20121201:
	With the addition of auditdistd(8), a new auditdistd user is now
	depended on during installworld. "mergemaster -p" can be used to
	add the user prior to installworld, as documented in the handbook.

should be "prior to installkernel" then also instead of "prior to installworld".

> More details on the daemon below.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
Bryan Drewery
2012-Dec-18 18:38 UTC
MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
On 12/18/2012 9:18 AM, Robert Watson wrote:
>
> Dear all:
>
> Just an FYI that the new distributed audit daemon has been MFC'd to
> 9-STABLE.
>
> As noted in UPDATING, you will need to run "mergemaster -p" before using
> installkernel or installworld targets in order to add the new
> "auditdistd" system user. This should be part of the regular update
> cycle anyway, but after the experience of adding auditdistd in
> 10-CURRENT, we've discovered that many people are skipping that step in
> the update cycle, so I figured it best to point out here.
>
> (Technically, only installworld requires the user, but the user-check
> guards in the system Makefiles are enforced for both targets.)

Have you seen misc/174405? Apparently installkernel is requiring the user as well. The documented process in UPDATING does not mention running mergemaster -p before [install]kernel.

> More details on the daemon below.
>
> Robert N M Watson
> Computer Laboratory
> University of Cambridge
>
> ---------- Forwarded message ----------
> Date: Sat, 1 Dec 2012 15:15:11 +0000 (GMT)
Jakub Lach
2012-Dec-20 01:23 UTC
MFC: Distributed audit daemon committed (was: svn commit: r243752 - in head: etc etc/defaults etc/mail etc/mtree etc/rc.d share/man/man4 usr.sbin usr.sbin/auditdistd (fwd)) (fwd)
I'm guilty of skipping reboots and just running one mergemaster at the end of the update... But I update _very_ often.

However, I was lucky, because while I was prepared that my usual script will fail (I read UPDATING after all), that was not the case, as luckily I've already had said audit user from an earlier update :)

So well... If you are skipping steps at least update very frequently to know why it could fail, maybe it will not... But by all means stick to the canonical way if updating is something done once in a while, or you are not tracking commits. Else you could not even know what hit you ;)

As always, thanks for original work & MFC.
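The failure mode the thread describes (installkernel/installworld refusing to run because "mergemaster -p" was skipped) is easy to check for ahead of time. The script below is an added example, not part of the thread or of the FreeBSD tree: it verifies the accounts a post-r243752 world expects, using the auditdistd fields from the master.passwd hunk above, against constructed sample copies of master.passwd and group rather than the live /etc files.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tree: a pre-flight
# check to run before "make installkernel" / "make installworld" that
# verifies the accounts the new world expects, the way the user-check
# guards in the system Makefiles do.  The expected auditdistd entry is
# the one added by r243752 (uid 78, gid 77, /var/empty, nologin shell).

# check_account <master.passwd> <group> <name> <uid> <gid> <home> <shell>
# Returns 0 when <name> exists with exactly those fields and its primary
# gid is defined in <group>; otherwise reports the mismatch and returns 1.
check_account() {
    pwfile=$1 grfile=$2 name=$3 want_uid=$4 want_gid=$5 want_home=$6 want_shell=$7

    # master.passwd(5): name:pw:uid:gid:class:change:expire:gecos:home:shell
    fields=$(awk -F: -v n="$name" '$1 == n { print $3, $4, $9, $10; exit }' "$pwfile")
    if [ -z "$fields" ]; then
        echo "$name: no entry in $pwfile (run \"mergemaster -p\" first)"
        return 1
    fi
    set -- $fields   # uid gid home shell; none of these fields contain spaces
    [ "$1" = "$want_uid" ]   || { echo "$name: uid $1, expected $want_uid"; return 1; }
    [ "$2" = "$want_gid" ]   || { echo "$name: gid $2, expected $want_gid"; return 1; }
    [ "$3" = "$want_home" ]  || { echo "$name: home $3, expected $want_home"; return 1; }
    [ "$4" = "$want_shell" ] || { echo "$name: shell $4, expected $want_shell"; return 1; }

    # The primary gid must resolve, or the account is left in a dangling group.
    if ! awk -F: -v g="$want_gid" '$3 == g { found = 1 } END { exit !found }' "$grfile"; then
        echo "$name: primary gid $want_gid is not defined in $grfile"
        return 1
    fi
    return 0
}

# preflight <master.passwd> <group>: every account a post-r243752 world
# needs; extend the list as later UPDATING entries add more.
preflight() {
    check_account "$1" "$2" auditdistd 78 77 /var/empty /usr/sbin/nologin
}

# Constructed sample files standing in for /etc/master.passwd and /etc/group.
# "fresh" carries the r243752 entry; "stale" is a host where mergemaster -p
# was skipped.  Prints the directory holding them.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
wheel:*:0:root
audit:*:77:
www:*:80:
EOF
    cat > "$dir/master.passwd.fresh" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$dir/master.passwd.stale" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
    echo "$dir"
}

# Stand-alone run against the samples; on a real host pass
# /etc/master.passwd and /etc/group and gate installkernel on the result.
samples=$(make_samples)
preflight "$samples/master.passwd.fresh" "$samples/group" && echo "fresh: ok to installkernel/installworld"
preflight "$samples/master.passwd.stale" "$samples/group" || echo "stale: run \"mergemaster -p\" before installing"
rm -rf "$samples"
```

On a live system the same check can be chained in front of the install targets (preflight /etc/master.passwd /etc/group && make installkernel), which fails early and readably instead of part-way through the Makefile's own user-check guard.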