OpenBSM 1.1 released

trustedbsd-logo-150x181Robert Watson has announced the release of OpenBSM 1.1, the second production release of OpenBSM.

Major changes since OpenBSM 1.0:

  • Trail files now include host where the trail is generated. Crash  recovery has been improved. Trail expiration based on size and date is now supported; by default trail files will be expired after 10MB of trails. The default individual trail limit is now 2MB.
  • Mac OS X Snow Leopard is now a fully supported platform; launchd(8) can now be used to launchd auditd(8). Command line tools and libraries are now supported on Mac OS X Leopard.
  • Extended header tokens are now supported, allowing audit trails to be tagged with a host identifier. IPv6 addresses are now supported in subject tokens.
  • BSM token and record types have been further synchronized to OpenSolaris; support for many new system calls has been added. Local errors and socket types are mapped to and from BSM values.

The following changes have been made since the last snapshot release, OpenBSM 1.1 beta 1:

  • Change auditon(2) parameters and data structures to be 32/64-bit architecture independent.  Add more information to man page about auditon(2) parameters.
  • Add wrapper functions for auditon(2) to use legacy commands when the new commands are not supported.
  • Add default for ‘expire-after’ in audit_control to expire trail files when the audit directory is more than 10 megabytes (’10M’).
  • Interface to convert between local and BSM fcntl(2) command values has been added:  au_bsm_to_fcntl_cmd(3) and au_fcntl_cmd_to_bsm(3), along with definitions of constants in audit_fcntl.h.
  • A bug, introduced in OpenBSM 1.1 alpha 4, in which AUT_RETURN32 tokens generated by audit_submit(3) were improperly encoded has been fixed.
  • Fix example in audit_submit(3) man page.
  • A new audit event class ‘aa’, for post-login authentication and authorization events, has been added.

OpenBSM releases and snapshots from the OpenBSM project web page

OpenBSM 1.1 beta 1

openbsm-logoRobert Watson has announced the release of OpenBSM 1.1 beta 1; this is a test snapshot of OpenBSM 1.1. The following are the change notes from the OpenBSM NEWS file included with this release:

  •  The filesz parameter in audit_control(5) now accepts suffixes: ‘B’ for Bytes, ‘K’ for Kilobytes, ‘M’ for Megabytes, and ‘G’ for Gigabytes. For legacy support no suffix defaults to bytes.
  • Audit trail log expiration support added. It is configured in audit_control(5) with the expire-after parameter. If there is no expire-after parameter in audit_control(5), the default, then the audit trail files are not expired and removed. See audit_control(5) for more information.
  • Change defaults in audit_control: warn at 5% rather than 20% free for audit partitions, rotate automatically at 2mb, and set the default policy to cnt,argv rather than cnt so that execve(2) arguments are captured if AUE_EXECVE events are audited. These may provide more usable defaults for many users.
  • Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert au_to_socket_ex(3) arguments to BSM format.
  • Fix error encoding AUT_IPC_PERM tokens.

OpenBSM releases and snapshots can be downloaded from the OpenBSM project web page.

This test release is known to build and run (to varying degrees) on FreeBSD 5.x, 6.x, 7.x, 8.x, Mac OS X Leopard, Mac OS X Snow Leopard, and OpenSuse Linux.

Available: OpenBSM 1.1 (alpha 5)

openbsm-logo

Robert Watson has announced a test snapshot of OpenBSM 1.1 (alpha 5)  The following are the change notes from the OpenBSM NEWS file included with this release:

  • Stub libauditd(3) man page added.
  • All BSM error number constants with BSM_ERRNO_.
  • Interfaces to convert between local and BSM socket types and protocol  families have been added: au_bsm_to_domain(3), au_bsm_to_socket_type(3),  au_domain_to_bsm(3), and au_socket_type_to_bsm(3), along with definitions of constants in audit_domain.h and audit_socket_type.h.  This improves interoperability by converting local constant spaces, which vary by OS, to  and from Solaris constants (where available) or OpenBSM constants for  protocol domains not present in Solaris (a fair number).  These routines should be used when generating and interpreting extended socket tokens.
  • Fix build warnings with full gcc warnings enabled on most supported platforms.
  • Don’t compile error strings into bsm_errno.c when building it in the kernel environment.
  • When started by launchd, use the label com.apple.auditd rather than org.trustedbsd.auditd.

This test release is known to build and run (to varying degrees) on FreeBSD 4.x, 5.x, 6.x, 7.x, 8.x, Mac OS X Leopard, Mac OS X Snow Leopard, and OpenSuse Linux.

 

OpenBSM releases and snapshots can be downloaded from the OpenBSM website

Thanks Robert for emailing me.

OpenBSM 1.1 (alpha 4)

openbsm-logoRobert Watson has announced a test snapshot of OpenBSM 1.1 (alpha 4)  The following are the change notes from the OpenBSM NEWS file included with this release:

  • With the addition of BSM error number mapping, we also need to map the local error number passed to audit_submit(3) to a BSM error number, rather than have the caller perform that conversion.
  • Reallocate user audit events to avoid collisions with Solaris; adopt a more formal allocation scheme, and add some events allocated in Solaris that will be of immediate use on other platforms. 
  • Add an event for Calife. 
  • Add au_strerror(3), which allows generating strings for BSM errors directly, rather than requiring applications to map to the local error space, which might not be able to entirely represent the BSM error number space.
  • Major auditd rewrite for launchd(8) support. Add libauditd library that is shared between launchd and auditd. Add AUDIT_TRIGGER_INITIALIZE trigger (sent via ‘audit -i’) for (re)starting auditing under launchd(8) on Mac OS X.
  • Add ‘current’ symlink to active audit trail.
  • Add crash recovery of previous audit trail file when detected on audit startup that it has not been properly terminated.
  • Add the event AUE_audit_recovery to indicated when an audit trail file has been recovered from not being properly terminated. This event is stored in the new audit trail file and includes the path of recovered audit trail file.
  • Mac OS X and FreeBSD dependent code in auditd.c is separated into auditd_darwin.c and auditd_fbsd.c files.
  • Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system calls.
  • For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
  • Add support for NOTICE level logging.

This test release is known to build and run (to varying degrees) on FreeBSD 4.x, 5.x, 6.x, 7.x, 8.x, Mac OS X Leopard, Mac OS X Snow Leopard, and OpenSuse Linux.

OpenBSM releases and snapshots can be downloaded from the OpenBSM website

Thanks Robert for emailing me.

OpenBSM 1.1 alpha 3 snapshot

Robert Watson has announce alph3 of OpenBSM 1.1 

 The following are the change notes from the OpenBSM news file included with this release:

  • Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map between BSM error numbers (largely the Solaris definitions) and local errno(2) values for 32-bit and 64-bit return tokens.  This is required as operating systems don’t agree on some of the values of more recent error numbers.
  • Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the total size for the token.  This bug resulted in “unknown” tokens being printed after the exec args/env tokens.
  • Support for AUT_SOCKET_EX extended socket tokens, which describe a socket using a pair of IPv4/IPv6 and port tuples.
  • OpenBSM BSM file header version bumped for 1.1 release.
  • Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.

OpenBSM releases and snapshots can be downloaded here: http://www.OpenBSM.org/

OpenBSM 1.1 alpha 2 snapshot

Robert Watson announced the release of OpenBSM 1.1 alpha 2, a test snapshot of OpenBSM 1.1.

OpenBSM is a portable, open source implementation of Sun’s Basic Security Module (BSM) security audit API and file format. BSM, the de facto industry standard for audit, describes a set of system call and library interfaces for managing audit records, as well as a token stream file format that permits extensible and generalized audit trail processing. Records may describe both kernel events, such as system calls, as well as application events, such as login, password changes, etc. – source

The following are the change notes from the OpenBSM news file included with this release:

  • Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM.
  • Configure option –with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build.
  • Various strcpy()’s/strcat()’s have been changed to strlcpy()’s/strlcat()’s or asprintf(). Added compat/strlcpy.h for Linux.
  • Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used.
  • Add support for extended header tokens, which contain space for information on the host generating the record.
  • Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a “host” parameter which can be used by auditd to set the information; if not present, the kernel parameters won’t be set and auditd uses unextended headers for records that it generates.

OpenBSM releases and snapshots can be downloaded from the OpenBSM project web page.

This test release is known to build and run (to varying degrees) on FreeBSD 6.x, 7.x, 8.x, Mac OS X Leopard, and OpenSuse Linux.