Re: HEADS UP: Audit integration into CVS in progress, some tree disruption

From: Robert Watson <rwatson_at_FreeBSD.org>
Date: Wed, 1 Feb 2006 22:32:41 +0000 (GMT)
On Wed, 1 Feb 2006, Kövesdán Gábor wrote:

> Robert Watson wrote:
>
>> As Wayne and I are in the process of merging the TrustedBSD audit3 branch 
>> contents into the FreeBSD CVS HEAD (7-CURRENT), there may be periods where 
>> the tree is (hopefully briefly) unbuildable.  This integration process will 
>> take a couple of days to complete, due to the scope of the changes.  So 
>> far, the kernel audit framework has been committed 
>> (src/sys/security/audit), as has an initial vendor import of OpenBSM for 
>> user space (src/contrib/openbsm).  What remains to be committed are the 
>> substantial changes to gather audit data in system calls, the mappings of 
>> system calls to audit events, and integration into the user space build and 
>> user space applications (such as login).  These bits are the trickier bits 
>> as the patches are large and touch a lot of parts of the tree.
>> 
>> I'll send out follow-up e-mail once the worst is past, along with 
>> information on what it all means, and how to try it out (for those not 
>> already on trustedbsd-audit, who have been hearing about this for a while).
>> 
> Do you plan to merge it to RELENG_6? If so, when? Maybe for the upcoming 
> 6.1? Or only for 6.2 or later?

It depends a bit how well this shakes out.  The code is definitely still 
"experimental", in that the set of events audited is not yet complete.  There 
are three general sorts of weaknesses in the set of events currently audited:

(1) Our auditing of system calls in compatibility APIs, such as Linux, is not
     yet complete.  A lot of this simply consists of completing the mapping of
     non-FreeBSD system calls to BSM audit event identifiers.  In other cases,
     we need to add new events or additional argument gathering.  For example,
     the Linux compatibility support includes some Linux-specific system calls
     that do not appear in Darwin, FreeBSD, or Solaris, and will require
     specific new event types to be assigned and arguments to be gathered.

(2) Argument gathering for FreeBSD system calls is not complete.  A moderate
     number of new system calls have been added since we began work on the
     audit code, including support for POSIX message queues and a new mount
     mechanism. In addition, some current system calls are not fully audited --
     for example, ACL-related operations.

(3) Not all user space commands requiring audit support have been modified to
     perform CAPP-required auditing.  For example, sshd doesn't currently have
     its audit support hooked up (although the support in it for Solaris and
     Darwin BSM should work on FreeBSD).  Things like lpr, adduser, and so on
     require additional audit support.

Finally, lots of testing is required.

With all this in mind, it is not yet ruled out that we could ship initial 
"experimental" audit support in 6.1-RELEASE.  In fact, the timing is currently 
such that it will be possible, assuming all goes well, and allowing for the 
fact that it really will be an experimental feature and not production feature 
in 6.1.  We were quite careful to merge the necessary ABI changes to RELENG_6 
before the 6.0 release so that merging it would be possible without breaking 
existing 6.x device drivers.

Help in continuing development and testing would be most welcome!  We'll send 
out e-mail with details regarding configuring the audit support (etc) once the 
merge is a bit further along.

Thanks,

Robert N M Watson
Received on Wed Feb 01 2006 - 21:30:59 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:51 UTC