.de Sc
\\s-1\\$1\\s0\\$2
..
.ds cA 2002/150
.ds aR \s-1PSARC\s0
.LP
.so ../../amac
.Co
.ds LF \fI\*(aR/\*(cA\fP
.ds RF \fICopyright 2002 Sun Microsystems\fP
.if n .ds CF
.IP \fBSubject:\fP 15
Secure Remote Audit Log
.IP "\fBSubmitted by:\fP" 15
Tony Panero
.IP \fBFile:\fP 15
\*(aR/\*(cA/opinion.ms
.IP \fBDate:\fP 15
December 4th, 2002
.IP "\fBCommittee:\fP" 15
Ralph Campbell (opinion written by Gary Winiger),
James Carlson,
Joseph Kowalski,
Terrence Miller,
Andy Tucker.
.IP "\fBSteering Committee:\fP" 15
Solaris Operating Environment Steering Committee
.br
soesc-prodteam@sun.com
.sp
Operating Systems and Networking Steering Committee
.br
onsc@sun.com
.pn 2
.NH
Summary
.LP
The project name reflects the original intent of the project and is
a misnomer for the project as approved.
A more appropriate name would not include \*Qsecure.\*U
.LP
This project provides a mechanism to send binary audit data to an alternate
and/or secondary destination.
The current audit mechanism only allows recording the binary audit data
in a file.
The alternate or secondary destination is provided for by a plug in to
the audit mechanism.
This project provides a plug in which sends the binary audit data to a
file and one which formats the binary audit data
as human readable syslog messages and forwards them to \fBsyslog\fP(3C)
as audit.notice messages.
Additionally, it defines the \s-1LOG_AUDIT\s0 facility for Solaris to correspond
with the audit facility defined in RFC 3164 [1].
.LP
The structure of this project is such that additional plug ins could be
supported by a future project.
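.LP
As an added illustration (not part of this opinion and not Sun's
\fBaudit_syslog\fP(5) code), the following C program shows what the
syslog path described above amounts to: a few significant fields are
extracted from an audit record, rendered as one human readable line, and
handed to \fBsyslog\fP(3C) as audit.notice, which on the wire is RFC 3164
facility 13 (log audit) at severity 5, PRI 109.
The \fIaudit_event\fP structure, its field names, the message layout and the
function names are constructed for this example; the real binary audit token
format is not modelled, and the \s-1LOG_AUDIT\s0 fallback definition is only
for platforms whose \fIsyslog.h\fP lacks the Solaris definition.

```c
/*
 * Added example (not Sun's audit_syslog code): a plug in of the kind the
 * Summary describes extracts a few significant fields from an audit record,
 * renders them as one human readable line, and hands the line to syslog(3C)
 * as audit.notice. The struct, field names, message layout and function
 * names are constructed for illustration; the binary audit token format is
 * not modelled.
 */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#ifndef LOG_AUDIT
/*
 * RFC 3164 numbers the "log audit" facility 13, and syslog.h facility codes
 * are the facility number shifted left by three. Solaris defines LOG_AUDIT
 * this way; this fallback is for platforms whose <syslog.h> lacks it.
 */
#define LOG_AUDIT (13 << 3)
#endif

/* Constructed, simplified view of one audit record. */
struct audit_event {
    const char *event_name;  /* e.g. "login - local" */
    const char *user;        /* audit user name */
    const char *host;        /* host the event originated on */
    int succeeded;           /* 1 = success, 0 = failure */
    int status;              /* return value or errno of the audited call */
};

/* RFC 3164 PRI = facility * 8 + severity; in syslog.h terms, facility | level. */
int audit_notice_pri(void)
{
    return LOG_AUDIT | LOG_NOTICE;   /* 13 * 8 + 5 = 109 */
}

/*
 * Render the record as one line. Returns the length written, or -1 when the
 * buffer is too small: a silently truncated audit line is worse than a
 * refused one the caller can report, so callers must check the result.
 */
int format_audit_event(const struct audit_event *ev, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s %s %s %s %d",
                     ev->event_name, ev->succeeded ? "ok" : "failed",
                     ev->user, ev->host, ev->status);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/*
 * The RFC 3164 form a remote collector sees: "<PRI>" followed by the text.
 * The TIMESTAMP and HOSTNAME header fields are supplied by syslogd and are
 * left out here.
 */
int build_syslog_line(const struct audit_event *ev, char *buf, size_t len)
{
    char msg[256];
    int n;

    if (format_audit_event(ev, msg, sizeof msg) < 0)
        return -1;
    n = snprintf(buf, len, "<%d>%s", audit_notice_pri(), msg);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* What the plug in itself would do with the record: hand it to syslog(3C). */
int forward_to_syslog(const struct audit_event *ev)
{
    char msg[256];

    if (format_audit_event(ev, msg, sizeof msg) < 0)
        return -1;
    openlog("audit_syslog-example", LOG_NDELAY, LOG_AUDIT);
    syslog(LOG_AUDIT | LOG_NOTICE, "%s", msg);
    closelog();
    return 0;
}

/* A constructed failed-login record, rendered for inspection. */
const char *sample_syslog_line(void)
{
    static char line[300];
    struct audit_event ev = { "login - local", "alice", "example-host", 0, 1 };

    if (build_syslog_line(&ev, line, sizeof line) < 0)
        return "";
    return line;
}

/* The same record into an undersized buffer must be refused, not truncated. */
int sample_truncation_rejected(void)
{
    char small[8];
    struct audit_event ev = { "login - local", "alice", "example-host", 0, 1 };

    return build_syslog_line(&ev, small, sizeof small) == -1;
}

int main(void)
{
    printf("%s\n", sample_syslog_line());
    return 0;
}
```

Running the program prints the constructed line
\*Q<109>login - local failed alice example-host 1\*U; a collector that
receives it decodes PRI 109 back to facility 13, severity 5.
Only \fIforward_to_syslog\fP touches the local syslog daemon, and the
two \fIsample_\fP functions exist so the output can be checked without it.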
.NH
Decision & Precedence Information
.LP
The project is approved as specified in reference [2].
.LP
The project may be delivered in a micro or patch release of Solaris.
.LP
.NH
Interfaces
.LP
The project exports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Exported
_
Interface	Classification	Comments
_
.TH
\fBaudit\fP(1M)	Evolving
\fBauditd\fP(1M)	Evolving
\fBaudit_warn\fP(1M)	Evolving	T{
.na
new \*Qplugin\*U subcommand
T}
\fBaudit_plugin\fP(3BSM)	T{
.na
Project Private
T}	T{
.na
\fBauditd\fP(1M) SPI interface
T}
\fBaudit_binfile\fP(5)	Evolving	T{
.na
\fBauditd\fP(1M) plug in to implement the current binary audit trail
T}
\fBaudit_syslog\fP(5)	Evolving	T{
.na
\fBauditd\fP(1M) plug in to write syslog messages
T}
\fBaudit_control\fP(4)	Evolving	new keywords
\fIauditd.h\fP	T{
.na
Project Private
T}	T{
.na
\fBaudit_plugin\fP(3BSM) header
T}
.TE
.LP
The project imports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Imported
_
Interface	Classification	Comments
_
.TH
\fBauditsvc\fP(2)	Project Private	T{
.na
See 4.3
T}
\fBaudit_control\fP(4)	Evolving	T{
.na
defines which audit paths are active
T}
\fBsyslog\fP(3C)	Standard
.TE
.NH
Opinion
.LP
.NH 2
Not Secure
.LP
When this project was initially submitted, it intended to use
a secure remote logging protocol.
The project could not find an acceptable standard one.
It is beyond the scope of the project to create one.
Some committee members felt Sun should take a leadership role
in defining such a protocol.
This led to steering committee advice.
Customers requested audit information be available through the syslog
protocol.
The project investigated the various proposals for \*Qsecure\*U syslog
and found a lack of focus and movement toward consensus.
Combining the customer request for syslog and
the goal of remote audit log led to the project as presented.
.NH 2
Structured syslog Messages
.LP
The project proposed to use the syslog protocol [1] to directly
write structured audit trail data to a remote host, formatted as
XML compatible with \*(aR/2002/377 \*QAudit Trail Translation to XML.\*U
The committee found two major faults with this approach:
the direct formatting and transmission over UDP of syslog
protocol messages and
the precedent of creating structured stable data in syslog.
The committee felt strongly that even to imply stability for one class of
syslog messages would lead to customer calls for stability of all Sun
syslog messages.
The project removed its use of XML and created human readable syslog
messages that extract some significant parts of the audit trail data using
\fBsyslog\fP(3C).
.NH 2
\fBauditsvc\fP(2) and \fBaudit_plugin\fP(3BSM)
.LP
This project prompted \*(aR/2002/665 \*QAudit Interface Reclassification,\*U
which reclassified \fBauditsvc\fP(2) as Project Private.
Some committee members expressed concern that the customer(s) who may be
using \fBauditsvc\fP would have their applications break.
The project team pointed out that \*(aR/2002/665 only reclassified
\fBauditsvc\fP and that neither project will actually change the
implementation in an incompatible way.
\fBauditsvc\fP will be announced to be Project Private in the next micro
release and its documentation removed in the next minor release.
.LP
The known customer(s) reluctantly use \fBauditsvc\fP because there has been no
alternative to capture the audit data in real-time for analysis.
Use of \fBauditsvc\fP requires replacing \fBauditd\fP(1M).
Such replacement is not supported by Sun.
This project introduces \fBaudit_plugin\fP(3BSM) which is intended to replace
the need for customer use of \fBauditsvc\fP with a more efficient and stable
interface.
Because \fBaudit_plugin\fP is a new interface, it is being classified as
Project Private.
The project intends to offer contracts [3] to use the \fBaudit_plugin\fP
interfaces to the known \fBauditsvc\fP users.
At the time a contract is tendered, \fBaudit_plugin\fP and \fIauditd.h\fP
will become Contracted Project Private.
Once \fBaudit_plugin\fP is proven it is expected to be promoted to a public
interface.
.NH 2
\fBauditconfig\fP(1M) not \fBgetopt\fP(3C) Compliant
.LP
A committee member expressed concern with the lack of conformance by
\fBauditconfig\fP(1M) with \fBgetopt\fP(3C).
This project does not modify this command;
it only adds notes to the man page.
The command syntax is as it was when integrated in 1992.
No ARC case can be found for the audit mechanism integrations.
The committee concluded that it was outside the scope of this project
to change the command to be \fBgetopt\fP compliant.
.NH 2
\fBsyslog.conf\fP(4) Poorly Worded
.LP
A committee member expressed concern with the use of the word \*Qreserved\*U
in the \fBsyslog.conf\fP(4) man page.
This project has added new information in a similar syntax to the
existing man page.
The committee member's concern would have led to an advisory change
to the project to reword \fBsyslog.conf\fP.
Instead, the project updated the specification.
.br
.NH
Minority Opinion(s)
.LP
None.
.NH
Advisory Information
.LP
.NH 2
Need for Secure Remote Logging of Structured Data Protocol
.LP
During the investigation of this project, a void was uncovered in the
Solaris product line.
No secure remote logging protocol is provided in Solaris.
The steering committees are advised to fund a project to add to Solaris support
for a suitable secure remote logging protocol standard that may be used for
recording structured data.
Such data might include fault events as well as system level audit data.
.NH
Appendices
.NH 2
Appendix A: Technical Changes Required
.LP
None.
.NH 2
Appendix B: Technical Changes Advised
.LP
None.
.NH 2
Appendix C: Reference Material
.LP
Unless stated otherwise, path names are relative to the case
directory \*(aR/\*(cA.
.IP 1.
RFC 3164, The BSD syslog Protocol
.br
File:
final.materials/rfc3164.txt
.IP 2.
Final Specification
.br
File:
final.materials/*
.IP 3.
Prototype Contract
.br
File:
final.materials/contract.proto
.br
