OpenBSM is an auditing platform for OS X, Mac OS, FreeBSD, TrusteBSD, OpenBSD and others. It provides logging of operating system level events required by security protocols such as PCI-DSS. It is an open source rewrite of Sun's (now Oracle) Basic Security Module system.
Everytime an system call is run, it is checked aginst a list of auditiable events and then details are placed in a que to be written to disk or a special device to assited in logging to an external server.
On a new, lightly configured FreeBSD server with agressive logging this generarates about 6 mb of logs a day which is about 2 gb of data a year that must be backed up, processed and secured.
The main control file is /etc/security/audit_control which contains a line like
flags:lo,aa,ad,fw,fm,fd,ex,aa,ua,pm,ot,naThis line says to log all events involving logging, authentication and authorization, admin, file write, file modify, file delete, execve, other, and non-attributable.
Those categories are defined in /etc/security/audit_class and /etc/security/audit_event.
Note Those are predefined classes and can be changed. All 32 bits of the headers have been used so all existing system calls will be in a list. You can stop logging a specific system call by changing the class in audit_event to no. As an example, I don't want mprotect to be logged as the standard C library uses it to mark memory as non-executable:
#43010:AUE_MPROTECT:mprotect(2):fm 43010:AUE_MPROTECT:mprotect(2):noWhen tuning auditing, start by logging everything, and then find out what isn't needed. If there are many changes, it makes sense to redo the entire audit_class file from:
0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000008:fm:file attribute modify 0x00000010:fc:file create 0x00000020:fd:file delete 0x00000040:cl:file closeto:
0x00000000:no:invalid class 0x00000001:sy:system events 0x00000002:us:user events 0x00000004:da:daemon eventsThen change the last part of everything in audit_event to :no except what must be logged:
#23:AUE_EXECVE:execve(2):pc,ex 23:AUE_EXECVE:execve(2):sy,us,da #37:AUE_SETTIMEOFDAY:settimeofday(2):ad 37:AUE_SETTIMEOFDAY:settimeofday(2):syThen check that everything is being logged.
The accounting (accton) should also be used.
Auditdistd should be used to send audit logs to a remote system.
|Back to Tim's Homepage||Back to current subject||Related Linksemail@example.com|
|This page was last updated Monday, 10-Feb-2020 00:07:28 UTC||Copyright 2000-2020||thogard is a trademark of Tim Hogard|