LWE-Boston-06-Audit

A Look At Linux Audit
By Timothy R. Chavez
Overview
• What is Linux audit?
• Components of Linux audit
  – Audit subsystem
  – Audit daemons (auditd, audisp)
  – Administrative tools
• Some background
• Uses for Linux audit
  – Security
  – Non-security
• Current development
• Future development
• Questions

What is Linux audit?
• A system to:
  – Collect information regarding events occurring on the running system
    · Kernel events (system calls)
    · User events (audit-enabled programs)
  – Form and log a record describing each event using information collected from that event
    · Syscall args, subject attributes, object attributes, time, and so on
  – Analyze the log of records

Components of Linux audit
• Audit subsystem
• Audit daemon
• Tools
The “Big” Picture (diagram)

Linux Audit In Depth: Audit Subsystem
• Configurable
  – Enable or disable audit in real time
  – Dynamically size the backlog
  – Set failure modes
  – Set the rate limit
• Generic audit framework
  – SELinux
• Robust system-call auditing
  – Collect information regarding system calls (for example, system-call args, object attributes, paths, time of execution, and so on)
  – Granular filtering mechanism: add, remove or list system-call filter rules

Audit Subsystem (diagram)

Linux Audit In Depth: The Audit Daemon
• Responsibility
  – Log audit records coming from the kernel to the correct audit log, or pass them to an audit dispatcher daemon
  – Communication interface with the audit subsystem
• Configurable
  – Set disk space thresholds with corresponding actions
  – Define where audit logs are written, how many logs there can be, how big they can grow, and whether they should be rotated
  – Point the audit daemon to an audit dispatcher daemon
  – How and when to write audit records to disk
• Application interface
  – libaudit
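The daemon knobs above (thresholds and their actions, log size and rotation, the dispatcher, and how records reach the disk) are the keys of auditd.conf. The following is an added example, not code from the slides or from the audit project: it parses two constructed auditd.conf texts (WEAK_CONF and HARDENED_CONF, names chosen here) and reports the settings a reviewer would reject because they lose records or defeat the disk-space thresholds. The key and value names are the ones documented in auditd.conf(5); the review rules and their wording are this example's own.

```python
"""Review an auditd.conf for settings that lose records or defeat the disk
thresholds.  Added example for this page (not code from the slides or from
the audit project); both configs below are constructed, and the keys and
values are the ones documented in auditd.conf(5)."""

# Constructed config with several weak settings.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
flush = none
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 80
admin_space_left_action = IGNORE
disk_full_action = IGNORE
disk_error_action = SUSPEND
"""

# Constructed config with the same knobs set the way a reviewer would want.
HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20
num_logs = 5
dispatcher = /sbin/audispd
disp_qos = lossless
max_log_file = 8
max_log_file_action = ROTATE
space_left = 250
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
"""


def parse_conf(text):
    """auditd.conf is one 'key = value' per line with '#' comments.
    Keys are case-insensitive; values keep their case (paths matter)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def review(conf):
    """Return (key, finding) pairs for settings that drop records or
    disable the thresholds; an empty list means nothing to object to."""
    def val(key):
        return conf.get(key, "").lower()

    findings = []
    if val("flush") == "none":
        findings.append(("flush", "no explicit flush; use INCREMENTAL with freq, "
                         "or DATA/SYNC, so a crash loses at most freq records"))
    for key in ("disk_full_action", "disk_error_action"):
        if val(key) == "ignore":
            findings.append((key, "records are dropped silently when the log "
                             "cannot be written; use SYSLOG, SUSPEND, SINGLE or HALT"))
    if val("admin_space_left_action") == "ignore":
        findings.append(("admin_space_left_action",
                         "no last-chance action before the disk fills"))
    try:
        # Both thresholds are free space in MB; the admin one is the lower, last-chance bound.
        if int(val("admin_space_left")) >= int(val("space_left")):
            findings.append(("admin_space_left",
                             "must be below space_left; otherwise the emergency "
                             "threshold fires before the warning threshold"))
    except ValueError:
        findings.append(("space_left", "thresholds must both be set as integers (MB)"))
    if val("max_log_file_action") == "ignore":
        findings.append(("max_log_file_action",
                         "max_log_file is not enforced; the log grows until space_left"))
    if val("disp_qos") == "lossy" and val("dispatcher"):
        findings.append(("disp_qos", "records queued for the dispatcher may be dropped "
                         "under load (the on-disk log is unaffected)"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for key, finding in review(parse_conf(text)) or [("-", "no findings")]:
            print("  %s: %s" % (key, finding))
```

Run against the real file with `review(parse_conf(open("/etc/audit/auditd.conf").read()))`; the weak config trips five findings and the hardened one none.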
Linux Audit In Depth: Audit Dispatcher Daemon
• Receives audit records from the audit daemon
• Plug-in framework
  – Specify multiple input plug-ins, a filter plug-in, and an output plug-in
• Groundwork for features like network and database logging

Audit Userspace (diagram)

Linux Audit In Depth: Administrative Tools
– auditctl: control the audit subsystem (enable/disable, backlog, failure mode, rate limit) and add, remove or list filter rules
– ausearch: query the audit log by event fields (user, syscall, file, key, time range)
– aureport: produce summary reports from the audit log
– autrace: run a single command and record its system calls through audit
Example of 'auditctl'
Add a rule that records every open() of /etc/auditd.conf (matched by inode), list the loaded rules, then look at the two records the kernel produced when the file was read:

    % auditctl -a exit,always -S open -F inode=`ls -i /etc/auditd.conf | gawk '{print $1}'`
    % auditctl -l
    AUDIT_LIST: exit,always inode=1637178 (0x18fb3a) syscall=open
    % tail -2 /var/log/audit/audit.log
    type=SYSCALL msg=audit(1138747284.476:573292): arch=40000003 syscall=5 success=yes exit=3 a0=bfa69bc2 a1=8000 a2=0 a3=8000 items=1 pid=5466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
    type=PATH msg=audit(1138747284.476:573292): item=0 name="/etc/auditd.conf" inode=1637178 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00

The SYSCALL and PATH records belong to the same event: they share the audit(timestamp:serial) value. arch=40000003 is i386, on which syscall 5 is open. auid=4294967295 is the unset login uid ((uid_t)-1), meaning the process was not attached to an audited login session, which is why auid-based reports would not attribute this read to anyone. Matching on the inode catches the file under any path or hard link, but stops matching once an editor replaces the file with a new inode.
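Reading the raw records by eye does not scale, and the analysis step on the "What is Linux audit?" slide is where the unset auid above becomes a finding. The following is an added example, not code from the slides or from the audit project: it parses raw audit records, groups them into events by their audit(timestamp:serial) value, decodes the fields a practitioner asks about (arch, auid, file mode) and reports successful accesses to a watched file by processes with no login uid. SAMPLE_LOG is constructed: its first event is the one on the slide, the second is a contrasting event with auid set; the function names are this example's own.

```python
"""Turn raw audit records (the type=SYSCALL / type=PATH lines auditd writes
to /var/log/audit/audit.log) into per-syscall events and flag accesses to
a watched file by processes with no login uid.  Added example for this
page, not code from the slides or the audit project; the log below is
constructed (first event from the slide, second for contrast)."""
import re
from collections import defaultdict

AUID_UNSET = 4294967295          # (uid_t)-1: not attached to an audited login session
ARCH_NAMES = {"40000003": "i386", "c000003e": "x86_64"}   # AUDIT_ARCH_* values as printed

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1138747284.476:573292): arch=40000003 syscall=5 success=yes exit=3 a0=bfa69bc2 a1=8000 a2=0 a3=8000 items=1 pid=5466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1138747284.476:573292): item=0 name="/etc/auditd.conf" inode=1637178 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1138747301.120:573293): arch=40000003 syscall=5 success=yes exit=3 a0=bfa69bc2 a1=8002 a2=0 a3=8002 items=1 pid=5470 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="vi" exe="/bin/vi"
type=PATH msg=audit(1138747301.120:573293): item=0 name="/etc/auditd.conf" inode=1637178 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00
"""

# type=<TYPE> msg=audit(<seconds.millis>:<serial>): <key=value ...>
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# values are either double-quoted strings (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """One raw record -> (type, timestamp, serial, fields) or None if not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, ts, int(serial), fields


def group_events(text):
    """All records sharing one audit(timestamp:serial) are one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, ts, serial, fields = rec
            events[(ts, serial)].append((rtype, fields))
    return dict(events)


def summarize(records):
    """Flatten one event: who did what to which path. None if it has no SYSCALL record."""
    sc = next((f for t, f in records if t == "SYSCALL"), None)
    if sc is None:
        return None
    auid = int(sc["auid"])
    paths = [f for t, f in records if t == "PATH"]
    return {
        "exe": sc["exe"],
        "pid": int(sc["pid"]),
        "uid": int(sc["uid"]),
        "auid": None if auid == AUID_UNSET else auid,
        "arch": ARCH_NAMES.get(sc["arch"], sc["arch"]),
        "syscall": int(sc["syscall"]),
        "success": sc["success"] == "yes",
        "paths": [p["name"] for p in paths],
        # mode is octal with the file-type bits on top; keep only the permission bits
        "modes": [int(p["mode"], 8) & 0o777 for p in paths],
    }


def unattributed_access(text, watched):
    """(serial, exe, pid) of successful events that touched `watched` from a
    process with no login uid: a daemon, a cron job, or a session started
    before audit was enabled.  These are the accesses auid-based reports miss."""
    hits = []
    for (ts, serial), records in sorted(group_events(text).items(), key=lambda kv: kv[0][1]):
        s = summarize(records)
        if s and s["success"] and watched in s["paths"] and s["auid"] is None:
            hits.append((serial, s["exe"], s["pid"]))
    return hits


if __name__ == "__main__":
    for serial, exe, pid in unattributed_access(SAMPLE_LOG, "/etc/auditd.conf"):
        print("event %d: %s (pid %d) read the audit config with no login uid" % (serial, exe, pid))
```

The same grouping is what ausearch does before it can answer a query by file or user; doing it by hand shows why the serial in every record matters and why a PATH record on its own tells you nothing about the subject.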