
OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation

Perforce: //depot/projects/trustedbsd/openbsm/...

cvsup: p4-cvs-trustedbsd-openbsm

OpenBSM is a portable, open source implementation of Sun's Basic Security Module (BSM) security audit API and file format. BSM, the de facto industry standard for audit, describes a set of system call and library interfaces for managing audit records, as well as a token stream file format that permits extensible and generalized audit trail processing. Records may describe both kernel events, such as system calls, and application events, such as login, password changes, etc.

OpenBSM extends the BSM API and file format in a number of ways to support features present in the Mac OS X and FreeBSD operating systems, such as Mach task interfaces, sendfile(), and Linux system calls present in the FreeBSD Linux emulation layer, as well as focusing on portability through an endian-independent version of the trail format.

The OpenBSM distribution provides system include files, the libbsm library, command-line tools such as praudit and auditreduce, sample /etc configuration files, and an audit daemon for use on systems with kernel support. It is appropriate for use stand-alone in processing trails generated by BSM-enabled systems, as well as for use as the foundation of OS audit implementations requiring libraries, command-line tools, etc.

OpenBSM is built and tested on several versions of FreeBSD, Mac OS X, and Linux; some components, such as the audit daemon, require kernel audit support (present in newer versions of FreeBSD and Mac OS X), but the basic library and audit trail tools run on all three platforms regardless of OS kernel support. Written in portable C and built using autoconf/automake, it is easy to adapt OpenBSM for use on new platforms.
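To make the token stream format described above concrete, here is a small encoder and decoder for one record shape (a header32 token, a text token, a return32 token and a trailer). This is an added example written for this page, not code from the OpenBSM distribution, and it does not use libbsm; the token identifiers, field layouts, header version and trailer magic are assumed from the BSM format as OpenBSM's bsm/audit_record.h defines them, and the event numbers and timestamps in the sample trail are constructed placeholders rather than values from audit_event(5). The point for a trail consumer is the framing check: each record carries its length in both the header and the trailer, and a reader should verify that the two agree (and that the trailer magic is present) before trusting any token in between, which is how a trail truncated by a crash or corrupted in storage is detected rather than misparsed.

```python
"""Minimal BSM token-stream encoder/decoder (added example, not OpenBSM code).
Token ids, layouts and the trailer magic are assumed from bsm/audit_record.h;
all integers are big-endian, as in the BSM trail format."""
import struct

AUT_TRAILER = 0x13      # trailer token id
AUT_HEADER32 = 0x14     # 32-bit header token id
AUT_RETURN32 = 0x27     # 32-bit return token id
AUT_TEXT = 0x28         # text token id
AUDIT_HEADER_VERSION_OPENBSM = 11   # header version written by OpenBSM 1.x
AUT_TRAILER_MAGIC = 0xB105          # magic value carried by every trailer token

HEADER32_FMT = ">BIBHHII"   # id, record length, version, event, modifier, secs, msecs
TRAILER_FMT = ">BHI"        # id, magic, record length (repeats the header's value)
HEADER32_LEN = struct.calcsize(HEADER32_FMT)   # 18 bytes
TRAILER_LEN = struct.calcsize(TRAILER_FMT)     # 7 bytes


class BSMFormatError(ValueError):
    """Raised when a record's framing does not check out."""


def text_token(s):
    # BSM text is NUL-terminated and the 16-bit length counts the NUL.
    data = s.encode("utf-8") + b"\0"
    return struct.pack(">BH", AUT_TEXT, len(data)) + data


def return32_token(status, value):
    return struct.pack(">BBI", AUT_RETURN32, status, value)


def build_record(event, tokens, secs, msecs, modifier=0):
    """Frame already-encoded tokens with a header32 token and a trailer."""
    body = b"".join(tokens)
    total = HEADER32_LEN + len(body) + TRAILER_LEN
    header = struct.pack(HEADER32_FMT, AUT_HEADER32, total,
                         AUDIT_HEADER_VERSION_OPENBSM, event, modifier, secs, msecs)
    trailer = struct.pack(TRAILER_FMT, AUT_TRAILER, AUT_TRAILER_MAGIC, total)
    return header + body + trailer


def parse_tokens(body):
    """Decode the tokens between header and trailer. Only the two token types
    this example emits are understood; anything else is reported, not skipped."""
    tokens, i = [], 0
    while i < len(body):
        tid = body[i]
        if tid == AUT_TEXT:
            if i + 3 > len(body):
                raise BSMFormatError("truncated text token")
            (n,) = struct.unpack_from(">H", body, i + 1)
            data = body[i + 3:i + 3 + n]
            if len(data) != n or not data.endswith(b"\0"):
                raise BSMFormatError("truncated or unterminated text token")
            tokens.append(("text", data[:-1].decode("utf-8", "replace")))
            i += 3 + n
        elif tid == AUT_RETURN32:
            if i + 6 > len(body):
                raise BSMFormatError("truncated return32 token")
            status, value = struct.unpack_from(">BI", body, i + 1)
            tokens.append(("return", (status, value)))
            i += 6
        else:
            raise BSMFormatError("unsupported token type 0x%02x" % tid)
    return tokens


def parse_record(buf):
    """Parse one record from the start of buf, checking that header and
    trailer agree before any token in the body is trusted."""
    if len(buf) < HEADER32_LEN + TRAILER_LEN:
        raise BSMFormatError("buffer shorter than header plus trailer")
    tid, total, version, event, modifier, secs, msecs = struct.unpack_from(HEADER32_FMT, buf, 0)
    if tid != AUT_HEADER32:
        raise BSMFormatError("record does not start with a header32 token")
    if total < HEADER32_LEN + TRAILER_LEN or total > len(buf):
        raise BSMFormatError("header length %d inconsistent with %d bytes available" % (total, len(buf)))
    ttid, magic, tlen = struct.unpack_from(TRAILER_FMT, buf, total - TRAILER_LEN)
    if ttid != AUT_TRAILER or magic != AUT_TRAILER_MAGIC or tlen != total:
        raise BSMFormatError("trailer does not match header (corrupt or truncated record)")
    return {"version": version, "event": event, "modifier": modifier,
            "time": (secs, msecs), "length": total,
            "tokens": parse_tokens(buf[HEADER32_LEN:total - TRAILER_LEN])}


def parse_trail(buf):
    """Walk a concatenation of records, using each header's length to find the next."""
    records, off = [], 0
    while off < len(buf):
        rec = parse_record(buf[off:])
        records.append(rec)
        off += rec["length"]
    return records


def sample_trail():
    """Two constructed records; event numbers and timestamps are placeholders."""
    first = build_record(1, [text_token("login: user"), return32_token(0, 0)], 1193529600, 0)
    second = build_record(2, [text_token("file rotated"), return32_token(1, 2)], 1193529601, 500)
    return first + second


if __name__ == "__main__":
    for rec in parse_trail(sample_trail()):
        print(rec)
```

Running the module prints the two decoded records. Feeding `parse_record` a record with its last byte cut off, or with a byte of the trailer magic flipped, raises `BSMFormatError` instead of returning partial data; a real praudit-style reader would additionally understand the full token set (subject, path, attribute, argument, and so on) and the 64-bit and extended header variants, but the framing check is the same.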

History and Vendors

OpenBSM is derived from the BSM audit implementation found in Apple's open source Darwin operating system, generously released by Apple under a BSD license. The Darwin BSM implementation was created by McAfee Research under contract to Apple Computer, and has since been extended by the volunteer TrustedBSD team.

OpenBSM is the core user space component of the TrustedBSD Audit Implementation for FreeBSD, providing tools, libraries, and include files. OpenBSM ships with FreeBSD 6.2 and later, with the first full release of OpenBSM (1.0) in FreeBSD 6.3 and FreeBSD 7.0.

BSMtrace is a BSM-based host intrusion detection system that relies on OpenBSM audit trails.

Mailing List

Discussion of the TrustedBSD Audit implementation, as well as the OpenBSM package, takes place on the trustedbsd-audit mailing list.

Releases

OpenBSM source code is available for download via occasional snapshot and release tarballs, vendor integrated source code (such as the FreeBSD source tree), cvsup, and the TrustedBSD Perforce repository. The current release is OpenBSM 1.0, released on 28 October 2007. Please see the file README present in the OpenBSM distribution for build and installation instructions.

Version Download Size Date Description
1.0 openbsm-1.0.tgz 496K 2007-10-28

OpenBSM 1.0 is the first production release of the OpenBSM code base. Since the last test release, OpenBSM 1.0 alpha 15, a bug leading to a crash in auditreduce(8) has been resolved, and all AU_ constants have been removed. The versions of autoconf and automake used to build OpenBSM have been updated.

Current Development Snapshot

Development snapshots reflect work-in-progress snapshots of the OpenBSM development branch in Perforce. They are appropriate for use in production systems, but consumers of these snapshots should be aware that APIs, file formats, and tools are under active development, and may change at any time. Please see the file README present in the OpenBSM distribution for build and installation instructions.

Version Download Size Date Description
1.1 alpha 2 openbsm-1.1-alpha2.tgz 512K 2008-11-11

In this revision, BSM include files required by OS vendors for use in kernels are broken out into a separate include directory, a configure option is added to force use of native rather than OpenBSM sys includes if desired, strlcpy() and strlcat() are used in preference to less robust APIs, compatibility defines for old Darwin event identifiers are removed, and support for extended header tokens (containing host information) is added to the BSM library and auditd(8), and can be set in audit_control(5).

Historical Development Snapshots

This is an archive of past OpenBSM test snapshots; use of these versions is not recommended. These snapshots are from the development of OpenBSM 1.1:

Version Download Size Date Description
1.1 alpha 1 openbsm-1.1-alpha1.tgz 496K 2008-07-31

In this revision, support for Mac OS X 10.5 is introduced, including new events specific to Leopard, and support for the Mach IPC audit trigger method. auditreduce(1) grows an invert flag, and allows selection of more than one event. A number of bugs are fixed, including in XML trail conversion, BSM record writing, and audit_control file access.

These snapshots are from the development of OpenBSM 1.0:

Version Download Size Date Description
1.0 alpha 15 openbsm-1.0-alpha15.tgz 480K 2007-07-16

Bugs fixed in the handling of IPv6 addresses and in auditreduce, and additional audit event identifiers added for new system calls.

1.0 alpha 14 openbsm-1.0-alpha14.tgz 480K 2007-04-16

Support for the zonename token type added, a variety of endian-related bugs in IPv6 addresses fixed, OpenBSM becomes warning clean for gcc1, and various man pages updated.

1.0 alpha 13 openbsm-1.0-alpha13.tgz 480K 2006-11-25

Man page documentation substantially improved, XML printing support added to praudit(8), and support for more 64-bit token types.

1.0 alpha 12 openbsm-1.0-alpha12.tgz 480K 2006-09-24

audit_control(5) filesz configuration added in order to support automated rotation of audit trails based on file size, regular expression matching for paths added to auditreduce, an audit_warn event is generated on rotation, and a number of other bugs fixed and documentation improved.

1.0 alpha 11 openbsm-1.0-alpha11.tgz 480K 2006-09-20

audit_control(5) control of audit policy is introduced, and a significant number of bugs relating to execve(2) argument auditing and trail rotation are fixed.

1.0 alpha 10 openbsm-1.0-alpha10.tgz 464K 2006-09-02

auditd(8) now submits complete audit records, including full return information, as part of its operation.

1.0 alpha 9 openbsm-1.0-alpha9.tgz 464K 2006-08-26

Many BSM_/bsm_ constants are renamed to AUDIT_/audit_, the audit filter module API has been refined, and a number of bugs have been fixed.

1.0 alpha 8 openbsm-1.0-alpha8.tgz 464K 2006-08-16

Non-Solaris audit events have been renumbered to avoid future collisions, and a unique OpenBSM header token version number has been adopted. A variety of other bugs have been fixed, and cleanups made.

1.0 alpha 7 openbsm-1.0-alpha7.tgz 464K 2006-06-27

Improvements in the creation of subject tokens and in code portability.

1.0 alpha 6 openbsm-1.0-alpha6.tgz 464K 2006-06-02

An experimental audit filter API is introduced, APIs for application-submitted audit records are improved, and bugs are fixed.

1.0 alpha 5 openbsm-1.0-alpha5.tgz 432K 2006-03-04

OpenBSM now uses autoconf/automake, allowing it to build on Mac OS X and Linux.

1.0 alpha 4 openbsm-1.0-alpha4.tgz 86K 2006-02-23

This is the first version of OpenBSM and incorporates the OpenBSM code as present on FreeBSD CVS at this date.


    Copyright 2000-2008 Robert Watson. All rights reserved.
    Copyright 2005 SPARTA, Inc. All rights reserved.
    Copyright 2002, Leigh Denault. All rights reserved.
    Copyright 2002, 2003 Networks Associates, Inc. All rights reserved.
    $P4: //depot/projects/trustedbsd/www/openbsm.page#32 $