April 23, 2012

The auditdistd project is complete. Pawel Jakub Dawidek provides the following report regarding the project:

I’m happy to report that the auditdistd project I was working under sponsorship from the FreeBSD Foundation is complete.

The auditdistd daemon is now part of the OpenBSM package and will be available in its next release.

The auditdistd daemon nicely complements the audit framework. It allows one to distribute audit records collected locally with minimal latency to another system. This helps in postmortem analysis, as we know that at least to some point in time audit logs stored on a separate machine can be trusted. This is very important, because once the system is compromised, we cannot trust any of its local files.

One of the most important goals was to make the daemon very secure. We really don’t want any weakness in the auditdistd protocol to allow a break into the machine where audit logs are collected. To achieve this, the daemon makes heavy use of sandboxing mechanisms, including Capsicum, if supported by the operating system.

The daemon can act as a sender, as a receiver, or as both. The whole communication between two auditdistd daemons is secured by TLS encryption. Low latency is achieved by using the kqueue mechanism to monitor local trail files and by sending new audit records as quickly as possible.

For more information on how to setup auditdistd please visit its wiki page.

I’d like to thank the FreeBSD Foundation for sponsoring this project and I hope that it will meet the expectations of the FreeBSD community.