7/30/2019 06 Administration&Audit

Chapter 6: Administration and Auditing
Administration topics: security design principles
Risk assessment; security vulnerabilities

Accountability
- Users must be monitored and held accountable for their actions (deliberate or accidental)
- Use auditing or logging of actions to achieve this
- Authenticate the person performing the action

Multi-factor authentication
- Authentication verifies the user's identity and determines their privileges
- Using several authentication factors increases security
- ATM systems: authentication via a card and a PIN

Least privilege
- Do not grant elevated privileges to ordinary users
- Application programs run with the minimum privileges needed to perform their function
- Application developers do not need the highest privileges on the system
- Keep the number of administrative accounts to a minimum
- Scrutinize administrative accounts carefully when an attack occurs

Mail server
- The mail server receives mail from the Internet and copies it into the spool directory
- A local server will complete delivery
- The mail server needs access to the required port and the right to create files in the spool directory and modify them, so it can copy the message into the file and rewrite the delivery address if needed
- It should give up those rights after it finishes writing the file, because it does not need to access that file again

Fail-safe defaults
- The default action is to deny access
- If an action fails, make sure the system returns to the safe state it was in before the action began

Mail server
- If the mail server cannot create a file in the spool directory, it should close the connection, report the error, and stop
- It should not try to store the mail somewhere else or acquire extra privileges in order to store it
- An attacker could use that ability to overwrite other files or fill up other disks
- The spool directory should allow only the mail server to create/write and only the local server to read/delete

Economy of mechanism
- Security mechanisms should be as simple as possible (KISS principle)
- Simpler means fewer errors, and when errors occur they are easier to understand and fix
- Interfaces to other modules and interactions with other systems are the problem: modules often make implicit assumptions about input or output parameters

The finger protocol
- The finger protocol returns information about a system
- The client program typically assumes that the server returns its results in the expected format
- An attacker can set up a server that returns an infinite stream of characters; a client that connects and prints everything returned fills up the disk and the log files
- This is an example of incorrect assumptions about the input to the client

Complete mediation
- Check every access
- Common error: check only once, when the first action occurs (UNIX: access is checked on open and not checked thereafter)
- If access rights change right after the check, unauthorized accesses may be allowed through

DNS cache
- DNS caches the mapping between host names and addresses
- An attacker can poison the cache by inserting false mappings, so that address resolution goes wrong: one host will route connections to another host incorrectly

Open design
- Security mechanisms should not depend on the secrecy of their design or implementation
- Popularly misunderstood to mean that source code should be public
- "Security through obscurity"
- Does not apply to information such as passwords or cryptographic keys

Separation of privilege
- Several conditions should be checked before privilege is granted
- Separation of duty; defense in depth
- Berkeley-based UNIX systems only let a user switch to root when both conditions hold:
  - the user knows the root password
  - the user is a member of the wheel group

Least common mechanism
- Access mechanisms should not be shared: information can flow along shared channels
- Covert channels
- Isolation: virtual machines, sandboxes

E-commerce web site
- A web site provides e-commerce services for a company
- Attackers want to hurt the company's revenue: they flood the site with messages and tie up the electronic commerce services
- Legitimate customers are unable to access the web site and, as a result, take their business elsewhere
- Cause: the site shares its Internet access channel with the attacker's site

E-commerce web site
- Countermeasure: limit the attacker's access
- Proxy servers: the Purdue SYN intermediary detects the suspect connections
- Traffic throttling: reduces the load on the relevant segment of the network indiscriminately

Psychological acceptability
- Security mechanisms should not make resources harder to access
- Hide the complexity introduced by security mechanisms
- Ease of installation, configuration, use
- Human factors are critical here
- In practice, security mechanisms do add some complexity, but it should stay at a reasonable level

Changing e-mail settings
- Users must supply their password again when they want to change their password
- Other changes do not require the password to be supplied again

Risk assessment
- Determine the sensitivity of the system
  - Identify the information the organization considers critical
  - Systems that process, transmit, store, etc. critical information become critical themselves
- Identify the risks the system may face
  - Vulnerabilities
  - Threats: human, environmental, internal, external, deliberate, accidental

Risk assessment
- Identify countermeasures
  - Methods that mitigate or eliminate the threats (technical solutions, policy solutions, etc.)
- Determine the damage when an incident occurs
  - Financial, reputational, legal

Risk assessment
- Determine the acceptable level of damage
  - Related to the cost of the possible countermeasures
- Deploy the risk response plan
  - Stay within the acceptable risk range, up to the point where the incident can be eliminated entirely

Auditing topics
- What is auditing?
- How an audit system works
- Designing an audit system
- Auditing mechanisms
- Examples: NFSv2, LAFS

What is Auditing?
- Logging: recording events or statistics to provide information about system use and performance
- Auditing: analysis of log records to present information about the system in a clear, understandable manner

Purposes
- Describe the security state: determine if the system enters an unauthorized state
- Evaluate the effectiveness of protection mechanisms: determine which mechanisms are appropriate and working
- Deter attacks because of the presence of a record

Problems
- What to log? Hint: we are looking for violations of a policy, so record at least what will show such violations
- What to audit? Need not audit everything; key: what is the policy involved?

Audit system structure
- Logger: records information, usually controlled by parameters
- Analyzer: analyzes logged information looking for something
- Notifier: reports results of analysis

Logger
- The type and quantity of information recorded is determined by system configuration parameters
- The log may or may not be human-readable; if not, viewing tools are usually supplied
- Space available and portability influence the storage format

Example: RACF
- Security enhancement package for IBM's z/OS and z/VM operating systems
- Logs failed logins and uses of privilege to change security levels
- View events with the LISTUSERS command

RACF: Sample Entry
USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004
DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30
ATTRIBUTES=ADSP
REVOKE DATE=NONE RESUME-DATE=NONE
LAST-ACCESS=88.020/14:15:10
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
--------------------------------
ANYDAY ANYTIME
GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE:88.004
CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY AUTHORIZATION
NONE SPECIFIED

Example: Windows NT
- Different logs for different types of events
  - System event logs record system crashes, component failures, and other system events
  - Application event logs record events that applications request be recorded
  - Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are written in binary; use Event Viewer to read them
- If a log fills up, the system may shut down, stop logging, or overwrite entries

Windows NT Sample Entry
Date: 2/12/2000 Source: Security
Time: 13:03 Category: Detailed Tracking
Type: Success EventID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
Description:
A new process has been created:
New Process ID: 2216594592
Image File Name:
\Program Files\Internet Explorer\IEXPLORE.EXE
Creator Process ID: 2217918496
User Name: Administrator
Domain: WINDSOR
Logon ID: (0x0,0x14B4c4)
[would be in graphical format]

Analyzer
- Analyzes the information recorded in the logs
- Logs may come from multiple systems or from a single system
- May lead to changes in logging
- May lead to a report of an event

Examples
- Using swatch to find telnet connections in tcpd logs:
  /telnet/&!/localhost/&!/*.site.com/
- Intrusion detection analyzer: takes data from sensors and determines if an intrusion is occurring

Notifier
- Informs the analyst and other parties of the results of the analysis
- May reconfigure logging or the analysis on the basis of the results obtained

Examples
- Using swatch to alert about telnets:
  /telnet/&!/localhost/&!/*.site.com/ mail staff
- Three failed login attempts lock the user account: the notifier disables the account and notifies the sysadmin
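The analyzer and notifier examples above, as an added example that is not part of the original slides: a swatch-style rule modelled on /telnet/&!/localhost/&!/*.site.com/ run over constructed tcpd-style log lines, and a notifier that disables an account after three failed logins and emits a message for the sysadmin. Log lines, host names and the login records are constructed for this example.

```python
"""Added example (not from the original slides): a tiny analyzer/notifier
pair in the swatch style. The analyzer applies a rule modelled on
/telnet/&!/localhost/&!/*.site.com/ to constructed tcpd-style log lines;
the notifier implements the three-failed-logins rule by returning a
"disable account" action plus a notification for the sysadmin.
All log lines, host names and thresholds are constructed for the example."""
import re
from collections import Counter

# Constructed tcpd-style log lines (syslog format), not real data.
TCPD_LOG = [
    "Sep 18 11:35:28 gw in.telnetd[412]: connect from localhost",
    "Sep 18 11:36:02 gw in.telnetd[415]: connect from host2.site.com",
    "Sep 18 11:36:40 gw in.telnetd[419]: connect from 203.0.113.7",
    "Sep 18 11:37:01 gw in.ftpd[420]: connect from 203.0.113.7",
]

# swatch rule /telnet/&!/localhost/&!/*.site.com/ expressed as regexes:
# the line must match the first and match none of the others.
TELNET_RULE = (re.compile(r"telnet"),
               [re.compile(r"localhost"), re.compile(r"\.site\.com")])

def analyze_tcpd(lines, rule=TELNET_RULE):
    """Analyzer: return the lines that trigger the rule."""
    must, must_not = rule
    return [line for line in lines
            if must.search(line) and not any(p.search(line) for p in must_not)]

# Constructed login log: (user, result) pairs as a login program would log them.
LOGIN_LOG = [
    ("bishop", "FAILED"), ("bishop", "FAILED"), ("alice", "OK"),
    ("bishop", "FAILED"), ("alice", "FAILED"), ("bishop", "FAILED"),
]

def notify_failed_logins(events, threshold=3):
    """Notifier: once a user reaches `threshold` failures, emit a disable
    action and a sysadmin notification (once per user)."""
    failures = Counter()
    actions = []
    disabled = set()
    for user, result in events:
        if result != "FAILED":
            continue
        failures[user] += 1
        if failures[user] >= threshold and user not in disabled:
            disabled.add(user)
            actions.append(("disable_account", user))
            actions.append(("mail_sysadmin",
                            f"{user} locked after {failures[user]} failed logins"))
    return actions

if __name__ == "__main__":
    for line in analyze_tcpd(TCPD_LOG):
        print("ALERT:", line)
    for action in notify_failed_logins(LOGIN_LOG):
        print("NOTIFY:", action)
```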

Designing an audit system
- Auditing is an essential component of security mechanisms
- The goals of the audit determine what is logged
  - Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy
  - So, audit functions that may violate the constraints
  - Constraint p_i : action ⇒ condition

Example: Bell-LaPadula
- Simple security condition and *-property:
  S reads O ⇒ L(S) ≥ L(O)
  S writes O ⇒ L(S) ≤ L(O)
- To check for violations when read/write actions occur, the log must record L(S), L(O), the action (read, write), and the result (success, failure)
- Note: S and O themselves need not be recorded! In practice they are, to identify the object of the (attempted) violation and the user attempting the violation
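A transition-based audit of the two Bell-LaPadula constraints above, as an added example that is not part of the original slides: each record carries exactly the fields the slide says must be logged, and the audit separates successful violations from attempts the system refused. The linear lattice of levels and the sample records are constructed for this example.

```python
"""Added example (not from the original slides): a transition-based audit of
Bell-LaPadula log records. Each record carries exactly the fields the slide
says must be logged: L(S), L(O), the action and the result. Subject and
object names are optional extra fields used only to report who/what was
involved. Levels, lattice and records are constructed for the example."""
from typing import NamedTuple, Optional

# Constructed linear lattice: a higher index dominates a lower one.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

class Record(NamedTuple):
    subj_level: str   # L(S)
    obj_level: str    # L(O)
    action: str       # "read" or "write"
    result: str       # "success" or "failure"
    subject: Optional[str] = None   # S, optional (see slide note)
    obj: Optional[str] = None       # O, optional

def satisfies_constraint(rec: Record) -> bool:
    """Condition side of the constraint for the record's action:
    read  requires L(S) >= L(O)   (simple security condition)
    write requires L(S) <= L(O)   (*-property)"""
    ls, lo = RANK[rec.subj_level], RANK[rec.obj_level]
    if rec.action == "read":
        return ls >= lo
    if rec.action == "write":
        return ls <= lo
    raise ValueError(f"unknown action {rec.action!r}")

def audit(records):
    """Return (violations, attempts): actions that succeeded although the
    constraint was false, and actions the system refused (constraint false,
    result failure). Actions that satisfy the constraint are not reported."""
    violations, attempts = [], []
    for rec in records:
        if satisfies_constraint(rec):
            continue                 # nothing violated, nothing to report
        if rec.result == "success":
            violations.append(rec)   # enforcement failed: a real violation
        else:
            attempts.append(rec)     # blocked, but still worth knowing about
    return violations, attempts

# Constructed sample log, not real data.
SAMPLE_LOG = [
    Record("SECRET", "CONFIDENTIAL", "read", "success", "alice", "memo"),
    Record("CONFIDENTIAL", "SECRET", "read", "failure", "bob", "plan"),
    Record("SECRET", "UNCLASSIFIED", "write", "success", "alice", "notes"),
    Record("UNCLASSIFIED", "TOP SECRET", "write", "success", "carol", "vault"),
]

if __name__ == "__main__":
    bad, tried = audit(SAMPLE_LOG)
    for r in bad:
        print(f"VIOLATION: {r.subject} {r.action} {r.obj} "
              f"L(S)={r.subj_level} L(O)={r.obj_level}")
    for r in tried:
        print(f"attempt blocked: {r.subject} {r.action} {r.obj}")
```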

Implementation issues
- Show the non-secure state of the system, or check for violations?
  - The former requires logging the initial state as well as all changes
- Defining violations: does "write" include append and create directory?
- Multiple names for one object: logging goes by object and not by name
  - Representations can affect this (if you read raw disks, you're reading files; can your auditing system determine which file?)

Syntactic issues
- The data recorded may be ambiguous
  - BSM: two optional text fields followed by two mandatory text fields
  - If three fields are present, which of the optional fields is omitted?
- Solution: use a grammar to define the syntax of the log files

Example
entry : date host prog [ bad ] user [ from host ] to user on tty
date  : daytime
host  : string
prog  : string :
bad   : FAILED
user  : string
tty   : /dev/ string
- The log file entry format is defined unambiguously
- The audit mechanism can scan and interpret entries without confusion
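A parser for the entry grammar above, as an added example that is not part of the original slides; it shows how the fixed keywords FAILED, from, to and on keep the two optional fields unambiguous (the problem the BSM slide describes). It assumes "daytime" is a syslog-style "Mon DD HH:MM:SS" stamp and that fields are whitespace-separated; the sample entries are constructed.

```python
"""Added example (not from the original slides): a parser for the entry
grammar, written so that the optional "bad" and "from host" fields never
become ambiguous. Assumptions: "daytime" is a syslog-style "Mon DD HH:MM:SS"
stamp (three whitespace-separated tokens) and fields are whitespace-
separated. The sample entries are constructed."""
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    date: str
    host: str
    prog: str
    bad: bool
    user: str
    from_host: Optional[str]
    to_user: str
    tty: str

class ParseError(ValueError):
    pass

def parse_entry(line: str) -> Entry:
    toks = line.split()
    pos = 0

    def take(expect=None):
        """Consume one token, optionally requiring a literal keyword."""
        nonlocal pos
        if pos >= len(toks):
            raise ParseError(f"unexpected end of entry: {line!r}")
        tok = toks[pos]
        if expect is not None and tok != expect:
            raise ParseError(f"expected {expect!r} at token {pos}, got {tok!r}")
        pos += 1
        return tok

    # date : daytime  (assumed to be "Mon DD HH:MM:SS", three tokens)
    date = " ".join(take() for _ in range(3))
    host = take()                       # host : string
    prog = take()                       # prog : string :
    if not prog.endswith(":"):
        raise ParseError(f"prog must end with ':' in {line!r}")
    prog = prog[:-1]
    # bad : FAILED  (optional, recognised by its fixed keyword)
    bad = toks[pos:pos + 1] == ["FAILED"]
    if bad:
        take("FAILED")
    user = take()                       # user : string
    # [ from host ] is optional; the literal "from" disambiguates it
    from_host = None
    if toks[pos:pos + 1] == ["from"]:
        take("from")
        from_host = take()
    take("to")
    to_user = take()
    take("on")
    tty = take()                        # tty : /dev/ string
    if not tty.startswith("/dev/"):
        raise ParseError(f"tty must start with /dev/ in {line!r}")
    if pos != len(toks):
        raise ParseError(f"trailing tokens {toks[pos:]} in {line!r}")
    return Entry(date, host, prog, bad, user, from_host, to_user, tty)

# Constructed sample entries covering all four optional-field combinations.
SAMPLE_ENTRIES = [
    "Sep 18 11:35:28 nob su: bishop to root on /dev/ttyp0",
    "Sep 18 11:36:02 nob su: FAILED bishop to root on /dev/ttyp1",
    "Sep 18 11:37:10 nob su: bishop from gw.example to root on /dev/ttyp2",
    "Sep 18 11:38:44 nob su: FAILED bishop from gw.example to root on /dev/ttyp3",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(parse_entry(entry))
```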

More syntactic issues
- Context: an unknown user uses anonymous ftp to retrieve the file /etc/passwd, and it is logged as such
- Problem: which /etc/passwd file?
  - The one in the system /etc directory
  - The one in the anonymous ftp directory /var/ftp/etc: as ftp thinks /var/ftp is the root directory, /etc/passwd refers to /var/ftp/etc/passwd

Log sanitization
- U is a set of users; the policy P defines a set of information C(U) that U cannot access. A log is sanitized when all information in C(U) has been deleted from it
- Two types of policy
  - C(U) can't leave the site: people inside the site are trusted and the information is not sensitive to them
  - C(U) can't leave the system: people inside the site are not trusted or (more commonly) the information is sensitive to them; don't log this sensitive information

Organizing the logs
- Upper diagram: prevents information from leaving the site
  - Users' privacy is not protected from system administrators and other administrative personnel
- Lower diagram: prevents information from leaving the system
  - Data is simply not recorded, or scrambled before recording
[Figure: two pipelines, each made of a logging system, a log, a sanitizer and the users; in the upper pipeline the sanitizer sits between the log and the users, in the lower one between the logging system and the log]

Reconstruction
- Anonymizing sanitizer: the sanitization cannot be undone; there is no way to recover the data from it
- Pseudonymizing sanitizer: recoverable; the original log can be reconstructed
- Importance: suppose security analysis requires access to information that was sanitized?

Issue
- Key point: sanitization must preserve the properties needed for the security analysis
- If new properties are added (because the analysis changed), the information may have to be re-sanitized
  - This requires pseudonymous sanitization or the original log

Example
- A company wants to keep its IP addresses secret, but wants an outside consultant to analyze its logs to confirm an address sweep attack
- The logs show connections to port 25 on IP addresses 10.163.5.10, 10.163.5.11, 10.163.5.12, 10.163.5.13, 10.163.5.14, 10.163.5.15
- Sanitize with random IP addresses: the sweep through consecutive addresses cannot be seen
- Sanitize with sequential IP addresses: the sweep through consecutive addresses can be seen

Generating pseudonyms
1. Generate a set of pseudonyms to replace the sensitive data (preserving the properties needed for the analysis)
   - Replace data with pseudonyms
   - Maintain a table mapping pseudonyms to data
2. Use a random key to encrypt the sensitive data and use secret sharing to share the key
   - Used when insiders cannot see unsanitized data, but outsiders (law enforcement) need to
   - Requires t out of n people to read the data
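The address-sweep example and the first pseudonym method above, as an added example that is not part of the original slides: a pseudonymizing sanitizer that keeps the relative order and spacing of addresses (so the sweep stays visible), keeps the pseudonym table so the log can be reconstructed, and a random replacement for contrast. The addresses, log records and the 192.0.2.0/24 pseudonym range are constructed for this example; the secret-sharing variant is not shown.

```python
"""Added example (not from the original slides): a pseudonymizing sanitizer
for the address-sweep case. Real addresses are replaced by pseudonyms that
keep their relative order and spacing (so consecutive addresses stay
consecutive), a mapping table is kept so the original log can be
reconstructed, and a random replacement is shown for contrast. Addresses
and log lines are constructed; 192.0.2.0/24 is used as the pseudonym range."""
import ipaddress
import random

# Constructed log: (source IP, destination port) for connections to port 25.
ORIGINAL = [("10.163.5.10", 25), ("10.163.5.11", 25), ("10.163.5.12", 25),
            ("10.163.5.13", 25), ("10.163.5.14", 25), ("10.163.5.15", 25)]

PSEUDO_BASE = int(ipaddress.IPv4Address("192.0.2.0"))

def sequential_sanitize(records):
    """Map each distinct address to PSEUDO_BASE + (addr - lowest addr).
    Differences between addresses survive, so a sweep is still visible.
    Returns (sanitized records, table mapping pseudonym -> original)."""
    addrs = sorted({int(ipaddress.IPv4Address(ip)) for ip, _ in records})
    low = addrs[0]
    table = {str(ipaddress.IPv4Address(PSEUDO_BASE + a - low)):
             str(ipaddress.IPv4Address(a)) for a in addrs}
    inverse = {original: pseudo for pseudo, original in table.items()}
    return [(inverse[ip], port) for ip, port in records], table

def random_sanitize(records, seed=1):
    """Replace each distinct address with an unrelated random one in the
    pseudonym range; the ordering information is destroyed."""
    rng = random.Random(seed)
    pseudo = {}
    for ip, _ in records:
        if ip not in pseudo:
            pseudo[ip] = str(ipaddress.IPv4Address(PSEUDO_BASE + rng.randrange(256)))
    return [(pseudo[ip], port) for ip, port in records]

def unsanitize(records, table):
    """Reconstruct the original log from the pseudonym table (this is what
    makes the sanitizer pseudonymizing rather than anonymizing)."""
    return [(table[ip], port) for ip, port in records]

def sweep_visible(records, port=25):
    """The consultant's check: do the distinct sources hitting `port` form
    one run of consecutive addresses?"""
    ints = sorted({int(ipaddress.IPv4Address(ip))
                   for ip, p in records if p == port})
    return len(ints) > 1 and ints[-1] - ints[0] == len(ints) - 1

if __name__ == "__main__":
    seq, table = sequential_sanitize(ORIGINAL)
    print("sequential:", seq, "sweep visible:", sweep_visible(seq))
    rnd = random_sanitize(ORIGINAL)
    print("random:    ", rnd, "sweep visible:", sweep_visible(rnd))
    print("reconstructed equals original:", unsanitize(seq, table) == ORIGINAL)
```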

Application logging
- Application logs are created by the applications; the applications control what is logged
- Typically use high-level abstractions such as:
  su: bishop to root on /dev/ttyp0
  smtp: delivery failed; could not connect to abcxy.net:25
- Does not include detailed, system-call-level information such as results, parameters, etc.

System logging
- Records system events (e.g. the actions of the operating system); typically uses low-level events, such as this ktrace output:
3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
3876 ktrace NAMI "/usr/bin/su"
3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
3876 su RET xecve 0
3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
3876 su RET __sysctl 0
3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
3876 su RET mmap 671473664/0x2805e000
3876 su CALL geteuid
3876 su RET geteuid 0
- Does not include high-level abstractions such as loading libraries (as above)

Comparison
- Different focus of monitoring
  - Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?)
  - System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did the access fail?)
- System logs are usually much larger than application logs
- Both can be done, and the two correlated with each other

Design
- A posteriori design: an audit mechanism must be designed for systems that were built without attention to security
- Goals of the audit
  - Detect any violation of policy: the focus is on the policy and on actions designed to violate it; the specific actions may not be known
  - Detect actions known to be part of an attempt to breach security: the focus is on specific actions that have been determined to indicate attacks

Detecting violations of policy
- Goal: did the system move into an unauthorized state?
- Two forms
  - State-based auditing: look at the current state of the system
  - Transition-based auditing: look at the actions that move the system from one state to another

State-Based Auditing
- Log information about the state and determine whether the state is authorized
- Assumption: you can get a snapshot of the system state
  - The snapshot needs to be consistent
  - A non-distributed system needs to be quiescent
  - A distributed system can use some algorithms to obtain this

Example
- File system auditing tools
  - Thought of as analyzing a single state (snapshot)
  - In reality, they analyze many slices of different states unless the file system is quiescent
  - Potential problem: if a test at the end depends on the result of a test at the beginning, the relevant parts of the system state may have changed between the first test and the last
  - Classic TOCTTOU flaw

Transition-Based Auditing
- Log information about the action, and examine the current state plus the transition to determine whether the new state is authorized
- Note: just analyzing the transition may not be enough; you may need the initial state
- Tends to be used when specific transitions always require analysis (for example, a change of privilege)

Example
- A TCP connection wrapper intercepts TCP connections and checks whether they are on the list of blocked connections
  - Obtains the IP address of the source of the connection
  - Logs IP address, port, and result (allowed/blocked) in a log file
  - Purely transition-based (the current state is not analyzed at all)

Detecting known violations
- Goal: did an action known to violate security occur?
- Assume that the action automatically violates policy
- The policy may be implicit, not explicit
- Used to look for known attacks

Example
- Land attack: a denial-of-service attack based on a TCP weakness
- Consider the 3-way handshake that initiates a TCP connection (next slide)
- What happens if the source and destination ports and addresses are the same? The host expects ACK(t+1) but gets ACK(s+1)
- The RFC is ambiguous:
  - p. 36 of the RFC: send RST to terminate the connection
  - p. 69 of the RFC: reply with an empty packet having current sequence number t+1 and ACK number s+1; but it receives that packet and the ACK number is incorrect, so it repeats this, and the system hangs or runs very slowly, depending on whether interrupts are disabled

3-Way Handshake and Land
Normal:
1. src seq = s, expects ACK s+1
2. dest seq = t, expects ACK t+1; src gets ACK s+1
3. src seq = s+1, dest seq = t+1; dest gets ACK t+1
Land:
1. src seq = dest seq = s, expects ACK s+1
2. src seq = dest seq = t, expects ACK t+1 but gets ACK s+1
3. Never reached; recovery from the error in step 2 is attempted
[Figure: message diagram between Source and Destination with the segments SYN(s); SYN(t) ACK(s+1); ACK(t+1)]

Detection
- Recognize that the initiating packet of a Land attack has identical source and destination addresses
- Logging requirement:
  - source port number, IP address
  - destination port number, IP address
- Auditing requirement: if source port number = destination port number and source IP address = destination IP address, the packet is part of a Land attack
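The logging and auditing requirements above applied to constructed packet log records, as an added example that is not part of the original slides: records lacking one of the four required fields are rejected before the audit runs, and the audit flags a record only when both the port pair and the address pair are equal. The log line format and all addresses are constructed for this example.

```python
"""Added example (not from the original slides): the Land-attack auditing
rule from the slide applied to constructed packet log records. Each record
carries exactly the fields the logging requirement names (source and
destination IP address and port); the audit flags a record when both pairs
are equal. Log format and addresses are constructed for the example."""
import re
from typing import NamedTuple

class PacketRecord(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str

# Constructed log line format: "<src_ip>:<src_port> > <dst_ip>:<dst_port> <flags>"
LINE_RE = re.compile(
    r"^(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+) (?P<flags>\S+)$")

def parse_packet_log(lines):
    """Turn log lines into records; a line lacking any required field is
    rejected so the audit never runs on incomplete data."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"record lacks required fields: {line!r}")
        records.append(PacketRecord(m["src_ip"], int(m["src_port"]),
                                    m["dst_ip"], int(m["dst_port"]), m["flags"]))
    return records

def is_land_packet(rec: PacketRecord) -> bool:
    """Auditing requirement from the slide: same port and same address on
    both ends of the packet."""
    return rec.src_port == rec.dst_port and rec.src_ip == rec.dst_ip

def audit_land(records):
    """Return the records that match the Land rule."""
    return [r for r in records if is_land_packet(r)]

# Constructed sample log: ordinary traffic plus one Land-shaped SYN.
SAMPLE_LOG = [
    "198.51.100.7:40001 > 192.0.2.10:25 S",
    "192.0.2.10:25 > 198.51.100.7:40001 S.",
    "192.0.2.10:139 > 192.0.2.10:139 S",
    "192.0.2.10:139 > 192.0.2.10:445 S",   # same host, different ports: not Land
]

if __name__ == "__main__":
    for hit in audit_land(parse_packet_log(SAMPLE_LOG)):
        print("LAND:", hit)
```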

Auditing mechanisms
- Systems use different mechanisms; the most common is to log all events by default and allow the system administrator to disable logging that is unnecessary
- Two examples:
  - One audit system designed for a secure system
  - One audit system designed for a non-secure system

Secure Systems
- Auditing mechanisms are integrated into the system from its design and implementation
- The system security officer can configure the system's reporting and logging:
  - To report specific events
  - To monitor accesses by a subject
  - To monitor accesses to an object
- Controlled by the audit subsystem; irrelevant accesses and actions are not logged

Example 1: VAX VMM
- Designed as a secure production system
  - The audit mechanism had to have minimal impact
  - The audit mechanism had to be very reliable
- The kernel is layered
  - Logging is done where the events of interest occur
  - Each layer audits accesses to the objects it controls
- The audit subsystem processes the log data from the kernel
  - The audit subsystem manages the system log
  - Invoked by mechanisms in the kernel

The VAX VMM audit subsystem
- Calls from processes provide the data for the log:
  - Identification of the event, and its result
  - Auxiliary data depending on the event
  - Caller's name
- The subsystem checks the logging criteria: if the request matches, the data is logged
  - Criteria are the subject or object named in the audit table, and the severity level (derived from the result)
  - Adds date and time, and other information

Other issues
- Some events are always logged
  - The programmer can request that an event be logged
  - Any attempt to violate policy
  - Protection violations and login failures are logged when they occur repeatedly
  - Use of covert channels is also logged
- Log full
  - The audit logging process is signaled to archive the log when the log is 75% full
  - If that is not possible, the system stops

Example 2: CMW
- CMW (Compartmented Mode Workstation) is designed to allow processing at different security levels
- The auditing subsystem keeps a table of auditable events
  - Entries indicate whether logging is turned on, and what type of logging to use
- The user-level command chaud allows the user to control auditing and what is audited
  - If the changes affect subjects or objects currently being logged, the logging completes and then the auditable events are changed

CMW Process Control
- System calls allow a process to control auditing
  - audit_on turns logging on and names the log file
  - audit_write validates the log entry given as parameter and logs it if logging for that entry is turned on
  - audit_suspend suspends logging temporarily
  - audit_resume resumes logging after a suspension
  - audit_off turns logging off for that process

System calls
- When a process makes a system call and auditing is turned on:
  - The system call is recorded
  - The first 3 parameters are recorded (but pointers are not followed)
- The audit_write call:
  - If there is room in the log, append the new entry
  - Otherwise halt the system, discard the new entry, or disable the event that caused the logging
  - Continue to try to log other events

CMW Auditing
- Logged events are analyzed with the tool redux
- It converts the binary logs to a readable form
- redux allows events to be filtered by users, objects, security levels and events

Non-Secure Systems
- Have some limited logging ability
  - Log accounting data, or data for non-security purposes
  - Possibly limited security data, like failed logins
- The auditing and security subsystems are usually added after the system is complete
  - May not be able to log all events, especially if there are only limited kernel modifications to support the audit subsystem

Example: Basic Security Module
- BSM is a security enhancement for the SunOS and Solaris operating systems
- Logs are composed of records made up of tokens
  - A token contains information about the event: user identity, groups, file system information, network, system call and result, etc., as appropriate

More About Records
- Records refer only to auditable events
  - Kernel events: opening a file
  - Application events: failure to authenticate when logging in
- Audit events are grouped into classes
  - Before the log is created: tell the system what to generate records for
  - After the log is created: the defined classes control which records are given to the analysis tools

Example Record
Logs are binary; this is from praudit:
header,35,AUE_EXIT,Wed Sep 18 11:35:28 1991, + 570000 msec,
process,bishop,root,root,daemon,1234,
return,Error 0,5
trailer,35

Displaying audit information
- Goal: present the information from the logs in a form that is easy to understand and use
- Why:
  - Audit mechanisms may miss problems that auditors will spot
  - Mechanisms may be unsophisticated or make invalid assumptions about log format or meaning
  - Logs are usually not integrated; often different formats, syntax, etc.

Browsing techniques
- Text display: does not indicate relationships between events
- Hypertext display: indicates local relationships between events; does not indicate global relationships clearly
- Relational database browsing: the DBMS performs correlations, so the auditor need not know in advance what associations are of interest
  - Preprocessing is required, and may limit the associations the DBMS can make

More Browsing Techniques
- Replay: shows events occurring in order; if there are multiple logs, intermingles their entries
- Graphing: nodes are entities, edges are relationships; often too cluttered to show everything, so graphing selects subsets of events
- Slicing: shows the minimum set of log events affecting an object; focuses on local relationships, not global ones

Example: Visual Audit Browser
- Frame Visualizer: generates a graphical representation of the logs
- Movie Maker: generates a sequence of graphs, each event creating a new, suitably modified graph
- Hypertext Generator: produces a page per user, a page per modified file, and summary and index pages
- Focused Audit Browser: enter a node name; displays the node, its incident edges, and the nodes at the end of those edges

Example Use
- A file has changed: use the focused audit browser
  - The changed file is the initial focus; edges show which processes have altered the file
  - Focus on the suspicious process; iterate through nodes until the method used to gain access to the system is determined
- Question: is a masquerade occurring? The auditor knows the audit UID of the attacker

Tracking the Attacker
- Use the hypertext generator to get all audit records with that UID
- Now examine them for irregular activity; the frame visualizer may help here
- Once found, work forward to reconstruct the activity
- For non-technical people, use the movie maker to show what happened; especially helpful for law enforcement authorities!

Example: MieLog
- Computes counts of single words and word pairs; the auditor defines a threshold count, and MieLog colors data with counts higher than the threshold
- Display uses graphics and text together
  - Tag appearance frequency area: colored based on frequency (e.g., red is rare)
  - Time information area: bar graph showing the number of log entries in each period of time; click to get the entries
  - Outline of message area: outline of the log messages, colored to match the tag appearance frequency area
  - Message in text area: displays the log entry under study

Example Use
- The auditor notices an unexpected gap in the time information area: no log entries during that time!?!?
- The auditor focuses on the log entries before and after the gap, wanting to know why logging was turned off and then turned back on
- The color of words in the entries helps the auditor find similar entries elsewhere and reconstruct patterns
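The two MieLog ideas from the last two slides, as an added example that is not part of the original slides: word and word-pair counts with an auditor-chosen threshold that tags rare tokens (where MieLog would color them), and a per-bucket entry count that reports empty buckets as the gaps an auditor would notice in the time information area. The log lines, bucket width and threshold are constructed for this example.

```python
"""Added example (not from the original slides): the two MieLog ideas above
on constructed syslog-style lines. Word and word-pair counts are computed
over the message text, tokens whose count is at or below an auditor-chosen
threshold are tagged "rare" (MieLog would color them), and the time
information area is approximated by counting entries per bucket and
reporting empty buckets as gaps. Log lines, bucket size and threshold
are constructed for the example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed log lines (syslog-style timestamp, host, message), not real data.
LOG = [
    "Sep 18 11:00:05 gw sshd[101]: Accepted publickey for alice from 192.0.2.20",
    "Sep 18 11:03:41 gw sshd[102]: Accepted publickey for bob from 192.0.2.21",
    "Sep 18 11:07:12 gw sshd[103]: Accepted publickey for alice from 192.0.2.20",
    "Sep 18 11:09:55 gw auditd[7]: audit daemon stopped",
    # nothing logged between 11:10 and 11:40
    "Sep 18 11:41:02 gw auditd[7]: audit daemon started",
    "Sep 18 11:44:30 gw sshd[104]: Accepted publickey for bob from 192.0.2.21",
]

def split_line(line, year=1991):
    """Return (timestamp, message) for one constructed log line."""
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    message = line[16:].split(": ", 1)[1]
    return stamp, message

def word_counts(lines):
    """Counts of single words and adjacent word pairs over all messages."""
    singles, pairs = Counter(), Counter()
    for line in lines:
        words = split_line(line)[1].split()
        singles.update(words)
        pairs.update(zip(words, words[1:]))
    return singles, pairs

def tag_rare(lines, threshold=1):
    """Per line, the words whose total count is <= threshold (what MieLog
    would color as rare); common words are left untagged."""
    singles, _ = word_counts(lines)
    return [[w for w in split_line(line)[1].split() if singles[w] <= threshold]
            for line in lines]

def time_gaps(lines, bucket_minutes=10):
    """Entries per bucket between the first and last entry; buckets with
    zero entries are the gaps the auditor would notice in the bar graph."""
    stamps = [split_line(line)[0] for line in lines]
    width = timedelta(minutes=bucket_minutes)
    first = stamps[0]
    start = first.replace(minute=first.minute - first.minute % bucket_minutes,
                          second=0)
    n_buckets = (stamps[-1] - start) // width + 1
    counts = [0] * n_buckets
    for s in stamps:
        counts[(s - start) // width] += 1
    return [start + i * width for i, c in enumerate(counts) if c == 0]

if __name__ == "__main__":
    for line, rare in zip(LOG, tag_rare(LOG)):
        print(rare, "<-", line)
    print("gaps starting at:", [g.strftime("%H:%M") for g in time_gaps(LOG)])
```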

Key Points
- Logging is collection and recording; audit is analysis
- Need to have clear goals when designing an audit system
- Auditing should be designed into the system, not patched in after it is implemented
- Browsing through logs helps auditors determine the completeness of the audit (and the effectiveness of the audit mechanisms!)