Receiving Linux Audit trails with auditdistd

Contents

Receiving Linux Audit trails with auditdistd
1. Modified auditdistd
2. References & notes
  1. Related Linux man pages

Repository

https://github.com/0mp/audisp-auditdistd/

The aim of this project is to develop a solution, which enables receiving audit trails, generated by the Linux Audit subsystem, with the auditdistd daemon running on FreeBSD.

Hit Comments in the Edit Bar to see other solutions and notes, which are otherwise hidden for readability.

Considered solutions

It looks like auditdistd is able to launch on Linux without major problems. It might be a good idea to use it instead of coming up with an entirely new solution. Here are the possible ways to utilize existing auditdistd code:

Helper plugin

Idea
: Create a plugin for the Linux Audit subsystem, which copies files containing audit logs into a separate directory managed only by an auditdistd daemon.

Actually, this approach might result in implementing simpler version of FreeBSD auditd, because this is a program which prepares and manages files auditdistd consumes.

Advantages

The plugin should be able to simulate the FreeBSD-way of adding audit trail files to a directory managed by auditdistd. This way auditdistd doesn't have to be modified (much?) as the log files will appear in its directory like if it was being ran on FreeBSD.

Disadvantages

It might be difficult to simulate the behavior, which auditdistd is expecting from FreeBSD, on Linux.
If we are going to copy the files to a directory managed by an auditdistd daemon, then depending on the Linux Audit subsystem configuration, the solution might be using twice as much disk space to store audit trails because a copy of every audit trail will be stored in files created exclusively for auditdistd needs.

Tasks

#I1 Compare the ways FreeBSD and the Linux Audit subsystem handle audit trail files
- Comment: I've analyzed the auditdistd source code so far. It seems pretty obvious now that the plugin for audispd from the Linux Audit subsystem should be a reimplementation of the OpenBSM auditd daemon. It looks like there are already two implementations: one for Darwin (macOS) and one for FreeBSD.
#I2 Create an implementation of OpenBSM auditd suitable to be used as a plugin for Linux Audit audispd
- #I3 Hack the OpenBSM Linux build
  - Comment: The current state of the OpenBSM Linux build is that auditd and auditdistd seem to compile just fine, except the undefined references to functions and audit syscalls like setaudit, which are not available on Linux.
    - #I4 Do something about the audit system calls and functions missing from libauditd.
      - Comment: The missing functions are: audit_get_cond, setaudit, audit_set_class, audit_set_fsize, audit_set_kmask, audit_set_policy, au_close, auditctl, audit_set_qctrl, audit_set_event, audit_get_qctrl, audit_set_kaudit.
- #I5 Teach the plugin to read audit trails from standard input
- #I6 Remove unnecessary code
  - Comment: Maybe it will solve #2?
  - #I7 Should the plugin create a pidfile? Maybe the value of AUDITD_PIDFILE in auditd.h should be changed?
  - #I8 Change the trigger file name
    - Comment: The trigger file itself might be useful in the future but it should probably be renamed from /dev/auditd.
  - #I9 Should the plugin be audited or should it call auditd_prevent_audit?
    - It will be removed for now.

Reconfigured auditdistd

Idea
: Reconfigure auditdistd, so that it could read log files directly from the Linux Audit auditd daemon directory (/var/log/audit/ seems to be the default one, audit.log being the default file fresh logs are saved to).

Advantages

Probably the simplest solution; the user only has to point auditdistd on Linux to suitable directories and configuration files.

Disadvantages

It's very likely that it is an inherently bad idea to let both auditdistd and the Linux Audit subsystem manage a directory of audit trail files at the same time.

Modified auditdistd

Idea
: Modify auditdistd so that it could be used directly as an plugin for audispd (Linux Audit plugins receive logs through the standard input).

Advantages

One less program involved in the process of sending logs.

Disadvantages

Auditdistd code adaptation and modification, which is a very similar solution to the original idea of creating a brand new Linux Audit plugin capable of communicating with auditdistd running on FreeBSD.

Tasks

#II-5 Set up an environment with Linux and FreeBSD.
- For the time being I'm using Vagrant for that.
- #II-1 Provide a shell script to add files required by auditdistd to run.

#II-11 Port proto files to Linux.
- #II-9 Find a Linux alternative to the proto library used by auditdistd.
  - Search under linux socket networking library.
- #II-10 Try to separate proto files and pjdlog fiels from auditdistd into separate libraries.
  - If there is a Linux alternative to libproto, then use it in the Linux port of auditdistd.

#II-6 Make a connection between Linux auditdistd and FreeBSD auditdistd.
- Also while here:
  - #II-7 Explain the segfault on Linux when killing auditdistd with SIGINT.
  - #II-8 Explain why FreeBSD auditdistd prints [ERROR] [TLS sandbox] (server) SSL I/O error., when Linux auditdistd is trying to establish a connection over the internal audidistd protocol with it.
    - -The auditdistd code has never been tested on Linux-based systems. As a result some ifdefs might be misplaced, especially those controlling various sandboxing technologies like Capsicum.
      - It it not the problem of ifdefs.
    - The whole issue might be irrelevant.

#II-2 Add a thread capable of doing the job of auditd.
- This is it will be possible to use auditdistd directly as a Linux audispd plugin.
- #II-3 Read from stdin.
- #II-4 Write to some dist directory so that auditdistd could read from it.

Files

References & notes

Notes about the auditdistd implementation (MateuszPiotrowski/Audit/Auditdistd)
TrustedBSD
- OpenBSM homepage
  - OpenBSM GitHub repository
Repository of Linux OpenBSM, an abandoned project from 2008 (code.google.com)
- IRC channel: Freenode/#openbsm
Issues:
- Why do we need `#ifndef HAVE_AUDIT_SYSCALLS` in bin/auditdistd/parse.y? (github.com/openbsm/openbsm/issues/)
Old P4 (Perforce) repositories with a lot of very old commits from the beginnings of OpenBSM. There's a lot of information to be found in those commit messages:
- TrustedBSD repository of OpenBSM
- pjd@ repository of OpenBSM

Related Linux man pages

CategoryProject CategoryTodo

MateuszPiotrowski/Audit/ReceivingLinuxAuditTrailsWithAuditdistd (last edited 2018-09-11T09:04:39+0000 by MateuszPiotrowski)