allanjude · ltning · Dec 6, 2019 · Dec 6, 2019 · Dec 6, 2019 · Dec 6, 2019
diff --git a/Modirum/README.md b/Modirum/README.md
@@ -0,0 +1,31 @@
+# Modirum audit/bsmtrace framework
+These are the core bits of our auditing and IDS framework It is built around tools that ship with FreeBSD or, in the case of [`bsmtrace(1)`](https://github.com/openbsm/bsmtrace), come from [TrustedBSD](http://www.trustedbsd.org/).
+
+Much of this consists of various kludges written at various points of my 15+ year FreeBSD "carreer". Parts, both old and new, bear resemblence of what a 4-year-old might produce. Which is, I believe, par for the course.
+
+## Moving parts
+### `etc/security/audit_warn`
+This is the script that is run whenever audit logs are rotated (see cron jobs). It will, in roughly this order:
+1. If called directly from `auditd(8)` (using `audit -n`), launch a copy of itself in the background
+2. The background process will fetch current supporting scripts from Puppet, then
+3. ship logs to the log server, and finally
+4. notify if anything went wrong (via syslog)
+
+### `root/hostaudit.sh`
+This is the supporting script mentioned above. It performs a number of tasks, depending on invocation. Some of the key functions are
+- Update the `bsmtrace(1)` configuration based on currently running jails
+- Checksum and sync audit logs to log server
+- Run freebsd-audit IDS and pkg check -s on host and in jails
+- Scan files on disk for card numbers and (optionally) track data
+
+Output from the IDS functions is piped directly to output files on the log server. Audit log files are checksummed, with the checksum written directly to files on the logserver, then compressed and shipped.
+
+
+### `usr/local/etc/bsmtrace.conf`
+Generated automagically from corresponding `bsmtrace.conf.template` by `hostaudit.sh` when called from `audit_warn`. The script adds trusted directories for currently-running jails.
+
+### Log server
+Scripts on the log server periodically compare output from IDS runs to "known good" runs and notifies accordingly.
+Other scripts on the log server periodically verify the checksums of previous audit log files and also verify file ages and such.
+
+These scripts, syslog config, notification mechanisms, etc. is currently outside the scope of this particular project/repo.
diff --git a/Modirum/crontab.root b/Modirum/crontab.root
@@ -0,0 +1,7 @@
+PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
+
+# Puppet Name: jailhosts_audit_n
+0 */6 * * * /usr/sbin/audit -n
+
+# Puppet Name: jailhosts_hostaudit_ids
+20 20 * * * /bin/sh /root/hostaudit.sh ids
diff --git a/Modirum/etc/security/audit_control b/Modirum/etc/security/audit_control
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#9 $
+# $FreeBSD: release/10.0.0/contrib/openbsm/etc/audit_control 243750 2012-12-01 11:58:08Z rwatson $
+#
+dir:/var/audit
+dist:off
+flags:lo,aa,ad,ex,fc,fd
+minfree:5
+naflags:lo,aa,ad,ex,fc,fd
+policy:cnt,argv
+filesz:0
+expire-after:90d
diff --git a/Modirum/etc/security/audit_warn b/Modirum/etc/security/audit_warn
@@ -0,0 +1,98 @@
+#!/bin/sh
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
+# $FreeBSD: release/10.0.0/contrib/openbsm/etc/audit_warn 157137 2006-03-26 01:44:35Z rwatson $
+#
+
+logger -p security.warning "audit warning: $@"
+action=$1
+self='audit_warn'
+log="/var/log/${self}.log"
+pidfile="/var/run/${self}.pid"
+child=`mktemp -u -t "${self}_${action}"`
+
+scriptname="hostaudit.sh"
+sleeponfailure=10
+
+cleanup() {
+    [ -f "/tmp/`basename ${0}`" ] && rm -f "/tmp/`basename ${0}`"
+}
+
+case "$action" in
+    closefile)
+        date >> ${log}
+        echo "Using child process from ${child} .." >> ${log}
+        cp $(realpath ${0}) ${child} && daemon -o ${log} -t ${self} -p ${pidfile} -T ${self} /bin/sh `realpath ${child}` logsync
+        rc=$?
+        case $rc in
+            0)
+                echo "NOTICE: $self - Launched logsync in background as ${child} (PID `cat ${pidfile}`)" | tee -a ${log} | logger -p security.warn
+                ;;
+            3)
+                echo "WARNING: $self - Logsync process already running as PID `cat ${pidfile}`" | tee -a ${log} | logger -p security.warn
+                ;;
+            *)
+                echo "CRITICAL: $self - Could not launch logsync process, unknown error (RC=${rc})" | tee -a ${log} | logger -p security.crit
+                ;;
+        esac
+        ;;
+    logsync)
+        for i in `seq 5` ; do
+            [ -f '/var/puppet/state/agent_catalog_run.lock' ] || break
+            echo "NOTICE: $self - Puppet agent run already in progress, sleeping for ${sleeponfailure} seconds." | tee -a ${log} | logger -p security.warn
+            sleep $sleeponfailure
+        done
+
+        for i in `seq 5` ; do
+            /usr/local/bin/puppet agent --test --detailed-exitcodes --tags modirum_auditing --server PUPPETSERVER 2>&1 >> ${log} ; rc=$?
+            if [ $rc -eq 1 ] ; then
+                echo "NOTICE: $self - Could not execute puppet agent, retrying in ${sleeponfailure} seconds." | tee -a ${log} | logger -p security.warn
+                sleep $sleeponfailure
+            else
+                break
+            fi
+        done
+
+        case $rc in
+            1)
+                echo "CRITICAL: $self - Could not execute puppet agent, HIDS not running!" | tee -a ${log} | logger -p security.crit
+                logger -p security.warn "CRITICAL: $self - Could not execute puppet agent, HIDS not running!"
+                exit
+                ;;
+            2)
+                echo "NOTICE: $self - Puppet agent made changes to system. Using new HIDS config." | tee -a ${log} | logger -p security.warn
+                ;;
+            4)
+                echo "WARNING: $self - Puppet agent failed partially, no changes made. Using existing HIDS config." | tee -a ${log} | logger -p security.crit
+                logger -p security.warn "WARNING: $self - Puppet agent failed partially, no changes made. Using existing HIDS config."
+                ;;
+            6)
+                echo "WARNING: $self - Puppet agent failed partially, changes were made to system, HIDS not running!" | tee -a ${log} | logger -p security.crit
+                logger -p security.warn "WARNING: $self - Puppet agent failed partially, changes were made to system, HIDS not running!"
+                exit
+                ;;
+            0)
+                echo "NOTICE: $self - Puppet agent run successfully, no changes made. Using existing HIDS config." | tee -a ${log} | logger -p security.warn
+                ;;
+            *)
+                echo "CRITICAL: $self - Puppet agent exited with unknown exit code, HIDS not running!" | tee -a ${log} | logger -p security.crit
+                logger -p security.warn "CRITICAL: $self - Puppet agent exited with unknown exit code, HIDS not running!"
+                exit
+                ;;
+        esac
+
+        if [ ! -f "/root/${scriptname}" ] ; then
+            echo "CRITICAL: $self - Could not find/load $scriptname !" | tee -a ${log} | logger -p security.crit
+            exit
+        fi
+
+        /bin/sh /root/${scriptname} logsync || echo "CRITICAL: $self - Could not archive logs!" | tee -a ${log} | logger -p security.crit
+        echo "End of logsync." | tee -a ${log} | logger -p security.warn
+        ;;
+    *)
+        ;;
+esac
+
+echo "End of ${self} ${1}." | tee -a ${log} | logger -p security.warn
+trap cleanup EXIT
+exit 0