author | rwatson <rwatson@FreeBSD.org> | 2012-12-01 15:11:46 +0000 |
---|---|---|
committer | rwatson <rwatson@FreeBSD.org> | 2012-12-01 15:11:46 +0000 |
commit | 991e942bf20fdf0e5d8ef3a6a152c146e904a93a (patch) | |
tree | d64700191d32afaae27cefd774f48054c33975d8 | |
parent | 81b0e0a69f7f1dc223a50bd085c98f86bdf4b6e5 (diff) | |
download | FreeBSD-src-991e942bf20fdf0e5d8ef3a6a152c146e904a93a.zip FreeBSD-src-991e942bf20fdf0e5d8ef3a6a152c146e904a93a.tar.gz |
Merge a number of changes required to hook up OpenBSM 1.2-alpha2's
auditdistd (distributed audit daemon) to the build:
- Manual cross references
- Makefile for auditdistd
- rc.d script, rc.conf entries
- New group and user for auditdistd; associated aliases, etc.
The audit trail distribution daemon provides reliable,
cryptographically protected (and sandboxed) delivery of audit trails
from live clients to audit server hosts in order to both allow
centralised analysis, and improve resilience in the event of client
compromises: clients are not permitted to change trail contents
after submission.
Submitted by: pjd
Sponsored by: The FreeBSD Foundation (auditdistd)
-rw-r--r-- | etc/defaults/rc.conf | 3 | ||||
-rw-r--r-- | etc/ftpusers | 1 | ||||
-rw-r--r-- | etc/mail/aliases | 1 | ||||
-rw-r--r-- | etc/master.passwd | 1 | ||||
-rw-r--r-- | etc/mtree/BSD.var.dist | 4 | ||||
-rw-r--r-- | etc/rc.d/Makefile | 1 | ||||
-rw-r--r-- | etc/rc.d/auditdistd | 21 | ||||
-rw-r--r-- | share/man/man4/audit.4 | 3 | ||||
-rw-r--r-- | usr.sbin/Makefile | 3 | ||||
-rw-r--r-- | usr.sbin/auditdistd/Makefile | 32 |
10 files changed, 69 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 0efaaa1..cc3e623 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -590,6 +590,9 @@ sendmail_rebuild_aliases="NO" # Run newaliases if necessary (YES/NO).
 auditd_enable="NO" # Run the audit daemon.
 auditd_program="/usr/sbin/auditd" # Path to the audit daemon.
 auditd_flags="" # Which options to pass to the audit daemon.
+auditdistd_enable="NO" # Run the audit daemon.
+auditdistd_program="/usr/sbin/auditdistd" # Path to the auditdistd daemon.
+auditdistd_flags="" # Which options to pass to the auditdistd daemon.
 cron_enable="YES" # Run the periodic job daemon.
 cron_program="/usr/sbin/cron" # Which cron executable to run (if enabled).
 cron_dst="YES" # Handle DST transitions intelligently (YES/NO)
diff --git a/etc/ftpusers b/etc/ftpusers
index 06b3f49..adb9dcf 100644
--- a/etc/ftpusers
+++ b/etc/ftpusers
@@ -19,6 +19,7 @@ _pflogd
 _dhcp
 uucp
 pop
+auditdistd
 www
 hast
 nobody
diff --git a/etc/mail/aliases b/etc/mail/aliases
index 5f5cd24..46f5f64 100644
--- a/etc/mail/aliases
+++ b/etc/mail/aliases
@@ -26,6 +26,7 @@ postmaster: root
 # General redirections for pseudo accounts
 _dhcp: root
 _pflogd: root
+auditdistd: root
 bin: root
 bind: root
 daemon: root
diff --git a/etc/master.passwd b/etc/master.passwd
index 4e1d113..f979940 100644
--- a/etc/master.passwd
+++ b/etc/master.passwd
@@ -20,6 +20,7 @@ _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
 _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
+auditdistd:*:78:77::0:0:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 hast:*:845:845::0:0:HAST unprivileged user:/var/empty:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
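Review bot: The comment on the new `auditdistd_enable` line in the rc.conf hunk is a copy of the `auditd_enable` comment above it and still reads `# Run the audit daemon.`, so the two knobs are described identically to anyone reading the defaults file. The other two added lines already say "auditdistd daemon"; this one should match. Suggest `auditdistd_enable="NO" # Run the audit distribution daemon.`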
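Review bot: The new `auditdistd` entry in the master.passwd hunk gives the account primary gid 77, but no etc/group change appears in this commit's diffstat even though the message says a new group and user are added. Presumably 77 is the pre-existing audit group (the mtree hunk's context lines already use `gname=audit`), in which case the message should say the user is placed in the existing group; if a new group was intended, its etc/group line is missing here. Worth confirming, since this gid determines which audit-group-owned directories the unprivileged daemon can reach. The rest of the entry (`/var/empty` home, `/usr/sbin/nologin` shell, locked password) follows the other privsep accounts in the hunk.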
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 4481b10..30b901d 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -19,6 +19,10 @@
 /set gname=audit
 audit
 ..
+ dist uname=auditdistd gname=audit mode=0770
+ ..
+ remote uname=auditdistd gname=wheel mode=0700
+ ..
 /set gname=wheel
 backups
 ..
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 245b0c9..aace4b1 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -19,6 +19,7 @@ FILES= DAEMON \
 atm2 \
 atm3 \
 auditd \
+ auditdistd \
 bgfsck \
 bluetooth \
 bootparams \
diff --git a/etc/rc.d/auditdistd b/etc/rc.d/auditdistd
new file mode 100644
index 0000000..0aa62e8
--- /dev/null
+++ b/etc/rc.d/auditdistd
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: auditdistd
+# REQUIRE: auditd
+# BEFORE: DAEMON
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="auditdistd"
+rcvar="${name}_enable"
+pidfile="/var/run/${name}.pid"
+command="/usr/sbin/${name}"
+required_files="/etc/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/share/man/man4/audit.4 b/share/man/man4/audit.4
index 167248c..8fbce7d 100644
--- a/share/man/man4/audit.4
+++ b/share/man/man4/audit.4
@@ -96,7 +96,8 @@ to track users and events in a fine-grained manner.
 .Xr audit_warn 5 ,
 .Xr rc.conf 5 ,
 .Xr audit 8 ,
-.Xr auditd 8
+.Xr auditd 8 ,
+.Xr auditdistd 8
 .Sh HISTORY
 The
 .Tn OpenBSM
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 296856b..aaf2483 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -110,6 +110,9 @@ SUBDIR+= amd
 .if ${MK_AUDIT} != "no"
 SUBDIR+= audit
 SUBDIR+= auditd
+.if ${MK_OPENSSL} != "no"
+SUBDIR+= auditdistd
+.endif
 SUBDIR+= auditreduce
 SUBDIR+= praudit
 .endif
diff --git a/usr.sbin/auditdistd/Makefile b/usr.sbin/auditdistd/Makefile
new file mode 100644
index 0000000..468290b
--- /dev/null
+++ b/usr.sbin/auditdistd/Makefile
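Review bot: The usr.sbin/Makefile hunk builds auditdistd only when `MK_OPENSSL` is not "no", but the companion pieces in this commit (the `auditdistd \` entry in etc/rc.d/Makefile, the rc.conf defaults, the master.passwd and mtree entries) are installed unconditionally, so a WITHOUT_OPENSSL build ships an rc script whose `command="/usr/sbin/${name}"` names a binary that was never built. Because `auditdistd_enable` defaults to "NO" this should only surface as an rc.subr "cannot run" warning for an administrator who turns it on, so it is a consistency issue rather than a runtime defect. Wrapping the etc/rc.d/Makefile FILES line in the same `.if ${MK_OPENSSL} != "no"` / `.endif` pair would keep the installed tree in step with what was built.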
@@ -0,0 +1,32 @@
+#
+# $FreeBSD$
+#
+
+OPENBSMDIR=${.CURDIR}/../../contrib/openbsm
+.PATH: ${OPENBSMDIR}/bin/auditdistd
+
+# Addition of auditdistd because otherwise generated parse.c can't find
+# auditdistd.h. This seems like a makefile non-feature.
+CFLAGS+=-I${OPENBSMDIR} -I${OPENBSMDIR}/bin/auditdistd
+
+NO_WFORMAT=
+
+PROG= auditdistd
+SRCS= auditdistd.c
+SRCS+= parse.y pjdlog.c
+SRCS+= proto.c proto_common.c proto_socketpair.c proto_tcp.c proto_tls.c
+SRCS+= receiver.c
+SRCS+= sandbox.c sender.c subr.c
+SRCS+= token.l trail.c
+MAN= auditdistd.8 auditdistd.conf.5
+
+DPADD= ${LIBL} ${LIBPTHREAD} ${LIBUTIL}
+LDADD= -ll -lpthread -lutil
+DPADD+= ${LIBCRYPTO} ${LIBSSL}
+LDADD+= -lcrypto -lssl
+
+YFLAGS+=-v
+
+CLEANFILES=parse.c parse.h parse.output
+
+.include <bsd.prog.mk>
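Review bot: `NO_WFORMAT=` switches off the format-string warnings that bsd.sys.mk would otherwise apply to this program, and it is set without any comment saying which file or warning made that necessary. auditdistd is a network-facing daemon whose sources include a logging layer and the receive/TCP/TLS paths (pjdlog.c, receiver.c, proto_tcp.c, proto_tls.c in SRCS), which is exactly the kind of code where -Wformat catches a format-string bug before it reaches a remote peer's input. If the noise comes from the generated parse.c or a single contrib file, the per-file form bsd.sys.mk offers (`NO_WFORMAT.parse.c=`) would keep the check for everything else; failing that, a comment such as `# NO_WFORMAT: <warning and file> -- revisit once fixed in contrib/openbsm` records why the check is disabled so it is not silently inherited by future imports.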