OpenBSM configuration

OpenBSM is an auditing platform for OS X, Mac OS, FreeBSD, TrusteBSD, OpenBSD and others. It provides logging of operating system level events required by security protocols such as PCI-DSS. It is an open source rewrite of Sun's (now Oracle) Basic Security Module system.

Basics

The system is run entirely in the kernel of the OS with a helper applicaion (auditd(8)) that checks log sizes, manages log file names and can run warning programs. The auditd program is controlled by the audit(1) control program.

Everytime an system call is run, it is checked aginst a list of auditiable events and then details are placed in a que to be written to disk or a special device to assited in logging to an external server.

On a new, lightly configured FreeBSD server with agressive logging this generarates about 6 mb of logs a day which is about 2 gb of data a year that must be backed up, processed and secured.

The main control file is /etc/security/audit_control which contains a line like

flags:lo,aa,ad,fw,fm,fd,ex,aa,ua,pm,ot,na

This line says to log all events involving logging, authentication and authorization, admin, file write, file modify, file delete, execve, other, and non-attributable.

Those categories are defined in /etc/security/audit_class and /etc/security/audit_event.

Note Those are predefined classes and can be changed. All 32 bits of the headers have been used so all existing system calls will be in a list. You can stop logging a specific system call by changing the class in audit_event to no. As an example, I don't want mprotect to be logged as the standard C library uses it to mark memory as non-executable:

#43010:AUE_MPROTECT:mprotect(2):fm
43010:AUE_MPROTECT:mprotect(2):no

When tuning auditing, start by logging everything, and then find out what isn't needed. If there are many changes, it makes sense to redo the entire audit_class file from:

0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close

to:

0x00000000:no:invalid class
0x00000001:sy:system events
0x00000002:us:user events
0x00000004:da:daemon events

Then change the last part of everything in audit_event to :no except what must be logged:

#23:AUE_EXECVE:execve(2):pc,ex
23:AUE_EXECVE:execve(2):sy,us,da
#37:AUE_SETTIMEOFDAY:settimeofday(2):ad
37:AUE_SETTIMEOFDAY:settimeofday(2):sy

Then check that everything is being logged.

Other issues

For modern compliance, The files created must be configured as unlinkable and append only. The unlinkable breaks auditd's attempt to renmae the file from date-code.not_terminated to date-code.date-code. The system will log in dmesg if auditing is stopped. There may be a sysctl or security level feature the prevents the account system from being stopped. If the auditd process is terminated, the system will keep logging to the last opened log file unil it runs out of space. There an option to have the system panic and stop if the log runs out of disk space. Basic ZFS permissions of "sappnd" and "sunlnk" should stop a hacker from tampering with the files but they may be able to destory the entire disk partition unless kern_securelevel="2" is set in FreeBSD. The auditd system should be patched to allow a chflags: option in audit_control and have the kernel enforce it. The logging of, and ability to stop the logging should be reconsidered in some systems.

The accounting (accton) should also be used.

Auditdistd should be used to send audit logs to a remote system.

Back to Tim's Homepage	Back to current subject	Related Links	thogard@abnormal.com
This page was last updated Monday, 10-Feb-2020 00:07:28 UTC	Copyright 2000-2020		thogard™ is a trademark of Tim Hogard