27 pages

English

LWE-Boston-06-Audit

Phuem - Tim Chavez

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

27 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

A Look At Linux AuditBy Timothy R. ChavezƒƒƒƒƒƒƒOverviewWhat is Linux audit?Components of Linux audit– Audit subsystem– Audit daemons (auditd, audisp)– Administrative ToolsSome backgroundUses for Linux audit– Security– Non-securityCurrent developmentFuture developmentQuestionsƒƒWhat is Linux audit?A system to: – Collect information regarding events occurring on the running system• Kernel events (system-calls)• User events (audit-enabled programs)– Form and log a record describing each event using information collected from that event• Syscall args, subject attributes, object attributes, time, and so on– Analyze the log of recordsComponents of Linux audit– Audit subsystem– Audit daemon– ToolsThe “Big” PictureƒLinux Audit In DepthAudit Subsystem– Configurable• Enable or disable audit in real-time• Dynamically size backlog• Set failure modes• Set rate-limit– Generic Audit framework• SELinux– Robust system-call auditing• Collect information regarding system-calls (for example, system-call args, object attributes, paths, time of execution, and so on)• Granular filtering mechanism– Add or Remove or List system-call filter rulesAudit SubsystemƒLinux Audit In DepthThe Audit Daemon– Responsibility• Log audit records coming from the kernel to the correct audit log or pass it to an audit dispatcher daemon• Communication interface with audit subsystem– Configurable• Set disk space thresholds with corresponding actions• ...

Informations

Publié par	Phuem
Nombre de lectures	15
Langue	English

Extrait

A Look At Linux Audit

By Timothy R. Chavez

Overview

What is Linux audit?

Components of Linux audit

Audit subsystem

Audit daemons (auditd, audisp)

Administrative Tools

Some background

Uses for Linux audit

Security

Non-security

Current development

Future development

Questions

What is Linux audit?

A system to: Collect information regarding events occurring on the running system •Kernel events (system-calls) •User events (audit-enabled programs) Form and log a record describing each event using information collected from that event •Syscall args, subject attributes, object attributes, time, and so on Analyze the log of records Components of Linux aud

Components of Linux audit Audit subsystem Audit daemon Tools

The “Big Picture

Linux Audit In Depth

Audit Subsystem

Configurable

•Enable or disable audit in real-time

•Dynamically size backlog

•Set failure modes

•Set rate-limit

Generic Audit framework

•SELinux

Robust system-call auditing

•Collect information regarding system-calls (for example, system-call args, object attributes, paths, time of execution, and so on)

•Granular filtering mechanism Add or Remove or List system-call filter rules

Audit Subsystem

Linux Audit In Depth

The Audit Daemon Responsibility •Log audit records coming from the kernel to the correct audit log or pass it to an audit dispatcher daemon •Communication interface with audit subsystem Configurable •Set disk space thresholds with corresponding actions •Define where audit logs are written, how many logs there can be, how big they can grow, and if they should be rotated •Point the audit daemon to an audit dispatcher daemon •How and when to write audit records to disk Application interface •libaudit

Linux Audit In Depth

Audit Dispatcher Daemon

Receives audit records from Audit Daemon

Plug-in framework

•Specify multiple input plug-ins, a filter plug-in, and an output plug-in

Ground work for features like network and database logging

Audit Userspace

Linux Audit In Depth

Administrative Tools

auditctl

ausearch

aureport

autrace

Example of 'auditctl'

% auditctl -a exit,always -S open -F inode=`ls -i /etc/auditd.conf | gawk '{print $1}'` % auditctl -l AUDIT_LIST: exit,always inode=1637178 (0x18fb3a) syscall=open % tail -2 /var/log/audit/audit.log

% tail -2 /var/log/audit/audit.log type=SYSCALL msg=audit(1138747284.476:573292): arch=40000003 syscall=5 success=yes exit=3 a0=bfa69bc2 a1=8000 a2=0 a3=8000 items=1 pid=5466 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cat" exe="/bin/cat" type=PATH msg=audit(1138747284.476:573292): item=0 name="/etc/auditd.conf" inode=1637178 dev=fd:00 mode=0100640 ouid=0 ogid=0 rdev=00:00