authorRyan Steinmetz <zi@FreeBSD.org>2013-02-15 03:05:58 +0000
committerRyan Steinmetz <zi@FreeBSD.org>2013-02-15 03:05:58 +0000
commit9ae698b79b709fa132076fb1784549ac7233db69 (patch)
treef9f33c9d90fa7b9cc28eb3106c1779d710e62170
parentf0c487fc5ff4036ce6fd9c55186305c0b9465785 (diff)
downloadports-9ae698b79b709fa132076fb1784549ac7233db69.tar.gz
ports-9ae698b79b709fa132076fb1784549ac7233db69.zip
Notes
-rw-r--r--security/Makefile1
-rw-r--r--security/openbsm-devel/Makefile58
-rw-r--r--security/openbsm-devel/distinfo2
-rw-r--r--security/openbsm-devel/files/auditdistd.in21
-rw-r--r--security/openbsm-devel/files/pkg-message.in70
-rw-r--r--security/openbsm-devel/pkg-descr10
-rw-r--r--security/openbsm-devel/pkg-plist38
7 files changed, 200 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index cd2dbca4ab4d..190a8f5b86ef 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -344,6 +344,7 @@
SUBDIR += oinkmaster
SUBDIR += op
SUBDIR += openbsm
+ SUBDIR += openbsm-devel
SUBDIR += opencdk
SUBDIR += openconnect
SUBDIR += opencryptoki
diff --git a/security/openbsm-devel/Makefile b/security/openbsm-devel/Makefile
new file mode 100644
index 000000000000..a2502c7addb9
--- /dev/null
+++ b/security/openbsm-devel/Makefile
@@ -0,0 +1,58 @@
+# Created by: Ryan Steinmetz <zi@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= openbsm
+DISTVERSION= 1.2-alpha3
+CATEGORIES= security
+MASTER_SITES= http://www.trustedbsd.org/downloads/ \
+ http://mirrors.rit.edu/zi/
+PKGNAMESUFFIX= -devel
+EXTRACT_SUFX= .tgz
+
+MAINTAINER= zi@FreeBSD.org
+COMMENT= Open Source Basic Security Module (BSM) Audit Implementation
+
+LICENSE= BSD
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+CONFLICTS= openbsm-1.[0-9]*
+
+GNU_CONFIGURE= yes
+USE_LDCONFIG= yes
+
+USE_RC_SUBR= auditdistd
+SUB_FILES= pkg-message
+PLIST_SUB= USERS=${USERS} GROUPS=${GROUPS}
+
+USERS= auditdistd
+GROUPS= audit
+
+VARAUDIT= /var/audit
+MAN1= auditreduce.1 praudit.1
+MAN2= audit.2 auditctl.2 auditon.2 getaudit.2 getauid.2 setaudit.2 \
+ setauid.2
+MAN3= au_class.3 au_control.3 au_domain.3 au_errno.3 au_event.3 \
+ au_fcntl_cmd.3 au_free_token.3 au_io.3 au_mask.3 au_open.3 \
+ au_socket_type.3 au_token.3 au_user.3 libauditd.3 libbsm.3
+MAN5= audit.log.5 auditdistd.conf.5 audit_class.5 audit_control.5 \
+ audit_event.5 audit_user.5 audit_warn.5
+MAN8= auditfilterd.8 audit.8 auditd.8 auditdistd.8
+
+.include <bsd.port.pre.mk>
+
+.if ${OSVERSION} <= 800000
+IGNORE= requires FreeBSD 8.x or above
+.endif
+
+.if ${OSVERSION} >= 1000000
+IGNORE= is not needed under FreeBSD 10.x or higher
+.endif
+
+post-install:
+ @${MKDIR} -m 0770 ${VARAUDIT}/dist
+ @${MKDIR} -m 0700 ${VARAUDIT}/remote
+ @${CHOWN} ${USERS}:${GROUPS} ${VARAUDIT}/dist
+ @${CHOWN} ${USERS}:wheel ${VARAUDIT}/remote
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
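Review bot: In `post-install`, the 0770/0700 modes on the audit directories are applied only when `${MKDIR}` actually creates them; the ports framework defines `${MKDIR}` as `mkdir -p`, which succeeds without touching the mode of a directory that already exists. On a reinstall, or where `${VARAUDIT}/dist` or `${VARAUDIT}/remote` was pre-created with looser permissions, the audit trail data would keep whatever mode it had, even though the `${CHOWN}` lines still fix the owner. Adding `@${CHMOD} 0770 ${VARAUDIT}/dist` and `@${CHMOD} 0700 ${VARAUDIT}/remote` after the `${CHOWN}` lines would make the resulting permissions deterministic.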
diff --git a/security/openbsm-devel/distinfo b/security/openbsm-devel/distinfo
new file mode 100644
index 000000000000..fcbbd9addfe3
--- /dev/null
+++ b/security/openbsm-devel/distinfo
@@ -0,0 +1,2 @@
+SHA256 (openbsm-1.2-alpha3.tgz) = 88c9035e3c436b6ca5d19e9143bbc2c93b4a579da9e52fe10672cce51bd5a74e
+SIZE (openbsm-1.2-alpha3.tgz) = 691013
diff --git a/security/openbsm-devel/files/auditdistd.in b/security/openbsm-devel/files/auditdistd.in
new file mode 100644
index 000000000000..c8c56f7a6114
--- /dev/null
+++ b/security/openbsm-devel/files/auditdistd.in
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: auditdistd
+# REQUIRE: auditd
+# BEFORE: DAEMON
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+
+name="auditdistd"
+rcvar="${name}_enable"
+pidfile="/var/run/${name}.pid"
+command="%%PREFIX%%/sbin/${name}"
+required_files="/etc/security/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"
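Review bot: The script never gives `auditdistd_enable` a default, so on a host whose rc.conf does not mention it the rcvar is unset when `run_rc_command` checks it, and rc.subr typically warns that it is not set properly. The usual ports convention is a line such as `: ${auditdistd_enable:="NO"}` right after `load_rc_config $name`. That also makes it explicit that the daemon stays off until the administrator has created `/etc/security/auditdistd.conf` and opted in.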
diff --git a/security/openbsm-devel/files/pkg-message.in b/security/openbsm-devel/files/pkg-message.in
new file mode 100644
index 000000000000..688c6845c555
--- /dev/null
+++ b/security/openbsm-devel/files/pkg-message.in
@@ -0,0 +1,70 @@
+===============================================================================
+
+Additional configuration is required if you wish to use auditdistd:
+
+On the receiver, perform the following:
+
+1. Generate a certificate:
+# openssl req -x509 -nodes -newkey rsa:4096 -days 1825 -batch \
+ -out /etc/security/auditdistd.cert.pem \
+ -keyout /etc/security/auditdistd.key.pem
+# chmod 0600 /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem
+# chown root:wheel /etc/security/auditdistd.key.pem /etc/security/auditdistd.cert.pem
+
+2. Print out the public key's fingerprint:
+# openssl x509 -in /etc/security/auditdistd.cert.pem -noout -fingerprint -sha256 | \
+ awk -F '[ =]' '{printf("%s=%s\n", $1, $3)}'
+SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:53:E6:8F:B6:1C:55:30...
+
+3. Generate a password used to authenticate both hosts against eachother:
+# dd if=/dev/urandom bs=32 count=1 | openssl base64 | cut -b -32
+YjwbK69H5cEBlhcT+eJpJgJTFn5B2SrG
+
+4. Create /etc/security/auditdistd.conf configuration file:
+receiver {
+ host "<enter hostname of sender here> {
+ remote "tls://<enter IP of sender here>"
+ password "<enter password generated above here>"
+ }
+}
+
+5. Update permissions on the auditdistd configuration file:
+# chmod 600 /etc/security/auditdistd.conf
+# chown root:wheel /etc/security/auditdistd.conf
+
+6. Add the following to /etc/rc.conf:
+auditdistd_enable="YES"
+
+7. Start auditdistd:
+service auditdistd start
+
+===============================================================================
+
+On the sender, perform the following:
+
+1. Ensure your kernel is compiled with:
+options AUDIT
+
+2. Add the following to /etc/rc.conf:
+auditd_enable="YES"
+auditd_program="%%PREFIX%%/sbin/auditd"
+auditdistd_enable="YES"
+
+3. Add the following to /etc/security/audit_control:
+dist:on
+
+4. Create /etc/security/auditdistd.conf configuration file:
+sender {
+ host "<enter hostname of receiver here>" {
+ remote "tls://<enter IP of the receiver here>"
+ fingerprint "SHA256=8F:0A:FC:8A:3D:09:80:AF:D9:AA:38:CC:8A:86:..."
+ password "<enter password generated above here>"
+ }
+}
+
+4. Start the required daemons:
+service auditd start && service auditdistd start
+
+Additional information regarding auditdistd may be found on the OpenBSM wiki:
+https://wiki.freebsd.org/auditdistd
+===============================================================================
diff --git a/security/openbsm-devel/pkg-descr b/security/openbsm-devel/pkg-descr
new file mode 100644
index 000000000000..a915207564c7
--- /dev/null
+++ b/security/openbsm-devel/pkg-descr
@@ -0,0 +1,10 @@
+OpenBSM is an open source implementation of Sun's Basic Security Module (BSM)
+Audit API and file format. BSM, the de facto industry standard for Audit,
+describes a set of system call and library interfaces for managing audit
+records, as well as a token stream file format that permits extensible and
+generalized audit trail processing. OpenBSM extends the BSM API and file
+format in a number of ways to support features present in the Mac OS X and
+FreeBSD operating systems, such as Mach task interfaces, sendfile(), and
+Linux system calls present in the FreeBSD Linux emulation layer.
+
+WWW: http://www.trustedbsd.org/openbsm.html
diff --git a/security/openbsm-devel/pkg-plist b/security/openbsm-devel/pkg-plist
new file mode 100644
index 000000000000..649918b3b0b6
--- /dev/null
+++ b/security/openbsm-devel/pkg-plist
@@ -0,0 +1,38 @@
+include/bsm/audit.h
+include/bsm/audit_domain.h
+include/bsm/audit_errno.h
+include/bsm/audit_fcntl.h
+include/bsm/audit_filter.h
+include/bsm/audit_internal.h
+include/bsm/audit_kevents.h
+include/bsm/audit_record.h
+include/bsm/audit_socket_type.h
+include/bsm/audit_uevents.h
+include/bsm/auditd_lib.h
+include/bsm/libbsm.h
+lib/auditfilter_noop.a
+lib/auditfilter_noop.la
+lib/auditfilter_noop.so
+lib/auditfilter_noop.so.0
+lib/libauditd.a
+lib/libauditd.la
+lib/libauditd.so
+lib/libauditd.so.0
+lib/libbsm.a
+lib/libbsm.la
+lib/libbsm.so
+lib/libbsm.so.0
+sbin/audit
+sbin/auditd
+sbin/auditdistd
+sbin/auditfilterd
+sbin/auditreduce
+sbin/praudit
+@dirrm include/bsm
+@cwd /
+@exec mkdir -m 0770 var/audit/dist
+@exec mkdir -m 0700 var/audit/remote
+@exec chown %%USERS%%:%%GROUPS var/audit/dist
+@exec chown %%USERS%%:wheel var/audit/remote
+@unexec rmdir var/audit/dist 2>/dev/null || true
+@unexec rmdir var/audit/remote 2>/dev/null || true
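Review bot: The first `chown` line is missing the closing `%%` on the group token (`%%USERS%%:%%GROUPS`), so the `PLIST_SUB` substitution presumably will not match. A package install would then pass a literal `%%GROUPS` to chown, leaving `var/audit/dist` with the owner mkdir gave it rather than the intended `auditdistd:audit`. It should read `@exec chown %%USERS%%:%%GROUPS%% var/audit/dist`. Separately, the `@exec mkdir -m` lines fail when the directory already exists and do not reset its mode, so an explicit `@exec chmod 0770 var/audit/dist` and `@exec chmod 0700 var/audit/remote` would keep the package path consistent with the intended permissions.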