FreeBSD: TrustedBSD Status Report

Submitted by Anonymous
on June 1, 2005 - 11:36am

Robert Watson has posted a number of status updates relating to various pieces of work going on in the TrustedBSD Project, and in particular, relating to integration of recent changes into the FreeBSD CVS tree for inclusion in the upcoming 6.0 release. This includes information on verified execution, the MAC Framework, the SEBSD port of NSA's FLASK/TE to FreeBSD, and the new security event audit framework in FreeBSD 6.0.


Highlights include:
  • Status of three TrustedBSD talks/WIPs at BSDCan 2005
  • Status of the verified execution/checksum module for binaries, shared libraries, and kernel modules
  • Information on recent work to merge coverage of POSIX semaphores and System V IPC into the MAC Framework in the base system. Also some other socket IPC related cleanup.
  • The addition of an extensive set of credential related MAC Framework checks to permit modules such as mac_suidacl to run
  • The upcoming release of a new SEBSD ISO, which is the latest version of the port of NSA's FLASK/TE code, also in SELinux, to FreeBSD. FreeBSD 6.x will be even closer to being able to run SEBSD out of the box, but some dependencies still need to be merged.
  • Large amounts of work are being done on the TrustedBSD Audit implementation, and the OpenBSM user libraries, documentation, and open source BSM audit tools are almost ready for their first release. OpenBSM is actually a portable cross-platform audit tool suite compatible with Sun's BSM audit API and audit trail format.

From:       Robert Watson [email blocked]
Subject:    Status of various and sundry TrustedBSD/FreeBSD pieces
Date:       2005-05-31 22:01:33

Since I know many people following the TrustedBSD work aren't following 
the FreeBSD or TrustedBSD commit mailing lists, I thought I'd give a brief 
status update on various "works in progress":

- At BSDCan and the associated FreeBSD Developer Summit, presentations
   were given on several TrustedBSD-related topics, including the Audit and
   OpenBSM implementations, the TrustedBSD MAC Framework, SEBSD policy
   module, and the experimental port to Darwin, as well as Christian
   Peron's work on an executable and kernel module checksumming policy
   module, mac_chkexec.

- Christian Peron has integrated his mac_chkexec module and tools into the
   TrustedBSD MAC development branch on the FreeBSD perforce server, as
   well as some tweaks to the MAC Framework required to support proper
   checksumming of shared libraries as they are mapped (this change has
   been merged to FreeBSD 6.x and 5.x).

- Changes to label and enforce protections for POSIX semaphores on FreeBSD
   were merged back to the FreeBSD 6.x tree from the TrustedBSD MAC
   development tree in early May, and will ship as part of FreeBSD 6.0
   later this summer.

- In April a number of enhancements were made to the set of socket-related
   access control protections, such as protections for accept, poll, and
   others.  These have been merged to the FreeBSD CVS tree for 6.0.

- In April the addition of credential-related checks in the MAC Framework
   was merged to the FreeBSD CVS tree for 6.0.  These allow MAC policies to
   control changes in UNIX credentials, and while not required for our
   labeled policies, are desirable for other hardening policies, such as
   the suidacl policy module from Samy Al Bahra.  The credential changes
   were submitted by Samy.

- In March, the System V IPC labeling and enforcement protections for the
   MAC Framework were merged to the FreeBSD CVS tree for 6.0.

- An updated SEBSD ISO, based on an updated SELinux FLASK/TE drop from
   20040819, as well as updated FreeBSD pieces, has been put together by
   Andrew Reisse and Scott Long.  They're currently testing this release,
   and we hope to get an ISO on the web site in the near future.  The source
   for all of these changes is in the trustedbsd_sebsd branch currently.
   There are still a number of SEBSD-related changes that haven't been
   merged back to the base FreeBSD tree, such as relating to the labeling
   on cloned pseudo-devices; I met with Poul-Henning Kamp at the FreeBSD
   developer summit and he's cleared the way for these changes to be merged
   into FreeBSD CVS for 6.0.

- Work to merge Audit/BSM to the base FreeBSD tree has now begun; the
   system call table format and structures were updated in the last couple
   of days to hold audit event mapping information, and we're currently
   polishing OpenBSM for a 1.0 release.  The primary obstacles to progress
   here are finishing the cleanup, and waiting on Apple to relicense some
   of the kernel-related files under a BSD license (this is currently in
   the hands of Apple Legal, and should move shortly).  Our hope is to ship
   Audit as an experimental feature in FreeBSD 6.0, and a production
   feature in FreeBSD 6.1.  Many thanks to Wayne Salamon, Tom Rhodes, and
   others for their work on this.  After meeting with Apple two weeks ago
   in Cupertino, it sounds like they're interested in picking up the
   OpenBSM bug fixes and enhancements to the user space BSM library, tools,
   documentation, etc, which would be another great outcome.

So things are coming together nicely for the 6.0 release, although the 
deadlines for it are getting a bit tight!

Robert N M Watson
