Application security: Auditing and logging

• So far…
  – We have seen application security issues:
    • Secure design principles
    • OS secure operations
    • How to determine if an application is “trusted” – trusted OS
  – Next: Auditing and logging – how applications can increase security by logging various actions.

Slides by Prem Uppuluri, mainly based on material derived from various sources: Pfleeger; Daswani or Stallings. ITEC 245. Slide #24-1

Where is auditing used in security?

Logging and auditing are crucial – many of our actions on a computer are logged/audited for security purposes. Why?
• Allow the description of the security state
  – E.g., logging and auditing can determine if the system enters an unauthorized security state.
  • Can you think of an example?
• Evaluate effectiveness of protection mechanisms
  – Determine which mechanisms are appropriate and working
    • E.g., say you have installed new anti-virus software; how do you know if it is working correctly?
  – Deter attacks because of the presence of log records.
    • E.g., some intrusion detection systems look at log files to see if some “strange” event has occurred. E.g., if Bob modifies a file he should not have access to, then this should be detected.
    • Or if you access the H drive of another student (because of incorrect permissions) – that should be logged as well!

Computer Security: Art and Science, ©2002-2004 Matt Bishop, June 1, 2004. Slide #24-2

In this lecture

• We will answer these questions:
  – What is auditing?
  – What does an audit system look like?
  – Example auditing mechanisms in Linux/Windows.

What is Auditing?

• Usually, “auditing” a system involves two steps.
  – Logging
    • Recording events or statistics to provide information about system use and performance.
  – Auditing
    • Analysis of log records to present information about the system in a clear, understandable manner.

Some issues to consider when designing an audit system

Most important question: What should a software application log? E.g., if you are developing a Java program, what would you log?
  – Depends on what you are looking for. Identify what information is security critical.
    • Examples:
      – Secure operations: e.g., if a user logs in as root, log this, as root is a powerful privilege and we may want to keep track of what root does.
      – Violations of a policy: record at least those events that will show such violations. E.g., if the policy states that only Bob can open a file for reading, but we see that Mary has opened it, then log that event.
  – Depends on the amount of disk space.
    • If you log each and every method call in a Java program, it will end up consuming too much disk space. Too much “junk” information will end up hiding the crucial information.

Class exercise: What would you log? Logging the Bell-LaPadula model

• We have studied the Bell-LaPadula model:
  – (remember confidentiality in a military environment).
• Simple security condition and *-property
  – Simple: S reads O ⇒ C(S) ≥ C(O) (i.e., a person with clearance C(S) can only read data at a clearance less than or equal to that person's).
  – *-Property (write policy): S writes O ⇒ C(S) ≤ C(O) (a person with clearance C(S) can only write into files at a higher clearance.
E.g., a person with SECRET clearance can only write into files of TOP SECRET.)
• Assume that a software product implements this model (e.g., Oracle DBMS). Now, what should this software log, so that a security expert can check whether the model is being correctly implemented, or whether the software is allowing certain illegal actions?

Some issues with the Logger

• Loggers should be configurable – so that an administrator can decide what policies to apply.
  – Some configuration parameters:
    – Type and quantity of information recorded, controlled by system or program configuration parameters
    – May be human readable or not
      • If not, viewing tools are usually supplied
    – Amount of information logged depends on space available

Analyzer

• Analyzes one or more logs
  – Logs may come from multiple systems, or a single system
  – May lead to changes in logging
  – May lead to a report of an event
• E.g.,
  – Web Log Explorer (http://www.exacttrend.com/)
  – Windows Installer installation: http://msdn.microsoft.com/en-us/library/aa372811(v=vs.85).aspx
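One answer to the class exercise above, as an added example that is not part of the slides: a toy reference monitor that enforces the simple security condition and the *-property and writes one audit record per decision. The point it makes is the one the "what should an application log" slide asks for: the record carries the inputs the decision depended on (subject, object, both levels, operation) and the outcome, so an auditor can recompute every decision offline and catch an implementation that granted an illegal access. The linear lattice UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP_SECRET, the function and class names, and all subjects and objects are my assumptions, not anything from the lecture.

```python
"""Added example (not from the slides): a toy Bell-LaPadula reference monitor
that writes one audit record per access decision, plus the offline check a
security auditor would run over those records.

Assumptions (mine, not the lecture's): a linear lattice UNCLASSIFIED <
CONFIDENTIAL < SECRET < TOP_SECRET, a single check_access() entry point, and
an in-memory list standing in for the log file. All names are constructed.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


def blp_allows(c_subject, c_object, op):
    """The model itself: simple security condition for reads, *-property for writes."""
    if op == "read":   # S reads O  =>  C(S) >= C(O)
        return LEVELS[c_subject] >= LEVELS[c_object]
    if op == "write":  # S writes O =>  C(S) <= C(O)
        return LEVELS[c_subject] <= LEVELS[c_object]
    return False


@dataclass
class AuditRecord:
    seq: int
    subject: str
    c_subject: str
    obj: str
    c_object: str
    op: str
    decision: str  # "GRANT" or "DENY"


@dataclass
class BLPMonitor:
    clearances: dict       # subject -> level name, C(S)
    classifications: dict  # object  -> level name, C(O)
    log: list = field(default_factory=list)

    def check_access(self, subject, obj, op):
        cs, co = self.clearances[subject], self.classifications[obj]
        ok = blp_allows(cs, co, op)
        # Log the inputs the decision depended on, not just the outcome, so an
        # auditor can recompute the decision without trusting this code.
        self.log.append(AuditRecord(len(self.log) + 1, subject, cs, obj, co, op,
                                    "GRANT" if ok else "DENY"))
        return ok


def format_record(rec):
    """One line per decision, so the log greps like a syslog file."""
    return (f"blp seq={rec.seq} {rec.decision} {rec.op} "
            f"subject={rec.subject}({rec.c_subject}) object={rec.obj}({rec.c_object})")


def attempted_violations(log):
    """Denied requests: attempts the model stopped (worth reporting to the auditor)."""
    return [r for r in log if r.decision == "DENY"]


def audit(log):
    """Offline check: records whose logged decision contradicts the model.
    A non-empty result means the implementation granted an illegal access
    (or denied a legal one), which is what the class exercise asks the
    auditor to be able to detect from the log alone."""
    return [r for r in log
            if (r.decision == "GRANT") != blp_allows(r.c_subject, r.c_object, r.op)]


def demo():
    m = BLPMonitor(
        clearances={"bob": "SECRET", "mary": "CONFIDENTIAL"},
        classifications={"plan.doc": "TOP_SECRET", "memo.txt": "CONFIDENTIAL"},
    )
    m.check_access("bob", "memo.txt", "read")    # GRANT: read down
    m.check_access("bob", "plan.doc", "write")   # GRANT: write up
    m.check_access("bob", "plan.doc", "read")    # DENY:  read up
    m.check_access("bob", "memo.txt", "write")   # DENY:  write down
    m.check_access("mary", "memo.txt", "read")   # GRANT: same level
    # Simulate a buggy implementation that granted mary a read of plan.doc:
    # the record is appended exactly as the buggy code would have written it.
    m.log.append(AuditRecord(len(m.log) + 1, "mary", "CONFIDENTIAL",
                             "plan.doc", "TOP_SECRET", "read", "GRANT"))
    return m


if __name__ == "__main__":
    m = demo()
    for rec in m.log:
        print(format_record(rec))
    print("attempted violations:", len(attempted_violations(m.log)))
    print("implementation errors found by audit:", len(audit(m.log)))
```

Two design choices matter here: denied attempts are logged as well as grants (the attempts are the interesting security events), and the levels are written into each record rather than looked up later, so the audit does not depend on the clearance tables being unchanged since the event.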
Examples

• Using swatch to notify of telnets
  /telnet/&!/localhost/&!/*.site.com/ mail staff
• Query set overlap control in databases
  – Prevents a response from being given if too much overlap occurs
• Three failed logins in a row disable the user account
  – Notifier disables the account, notifies the sysadmin

Example: Logging in Windows based OSes

• Different logs for different types of events
  – System event logs record system crashes, component failures, and other system events
  – Application event logs record events that applications request be recorded
  – Security event log records security-critical events such as logging in and out, system file accesses, and other events
• Logs are binary; use Event Viewer to see them
  – Go to: Start → Control Panel (only in XP and before) → Administrative Tools → Computer Management → Event Viewer
  – From XP onwards, Microsoft offers “audit policies” that can be customized for a group.
  – E.g., http://technet.microsoft.com/en-us/library/cc771395(WS.10).aspx

Example: Windows based OSes

• If the log is full, the system can be shut down, logging can be disabled, or logs can be overwritten (so that we do not run the risk of the disk filling up and thus causing a denial of service).
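The two analyzer rules on the Examples slide above, a swatch-style pattern rule with negated sub-patterns (the telnet rule) and a stateful rule (three failed logins in a row disable the account), written out as an added example. This is my own minimal monitor in Python, not swatch and not code from the lecture; the syslog-like line format, the regular expressions, and the constructed sample log are assumptions, and the "actions" only record what would be done (mail, disable) rather than doing it.

```python
"""Added example (not from the slides and not swatch itself): a minimal
swatch-style log monitor showing the two analyzer patterns on the Examples
slide: a pattern rule with negated sub-patterns, and a stateful threshold
rule for consecutive failed logins.

Assumptions (mine): a syslog-like line format; actions only record what
would have been done. The log lines below are constructed, not real.
"""
import re
from collections import defaultdict

# Constructed sample input: three telnet connects, then a mix of failed and
# successful logins for two users.
SAMPLE_LOG = """\
Aug 14 08:01:05 r2 telnetd[2201]: connect from localhost
Aug 14 08:01:09 r2 telnetd[2202]: connect from pc3.site.com
Aug 14 08:01:15 r2 telnetd[2203]: connect from 203.0.113.7
Aug 14 08:02:01 r2 login[2210]: FAILED LOGIN 1 FROM 203.0.113.7 FOR bob, Authentication failure
Aug 14 08:02:07 r2 login[2210]: FAILED LOGIN 2 FROM 203.0.113.7 FOR bob, Authentication failure
Aug 14 08:02:12 r2 login[2215]: LOGIN ON pts/1 BY mary
Aug 14 08:02:20 r2 login[2210]: FAILED LOGIN 3 FROM 203.0.113.7 FOR bob, Authentication failure
Aug 14 08:03:00 r2 login[2219]: FAILED LOGIN 1 FROM 198.51.100.9 FOR mary, Authentication failure
Aug 14 08:03:05 r2 login[2219]: LOGIN ON pts/2 BY mary
"""


class PatternRule:
    """swatch-like: fire when `pattern` matches and none of `unless` match.
    The slide's /telnet/&!/localhost/&!/*.site.com/ mail staff becomes
    PatternRule(r"telnet", [r"localhost", r"\\.site\\.com"], <mail action>)."""
    def __init__(self, pattern, unless, action):
        self.pattern = re.compile(pattern)
        self.unless = [re.compile(u) for u in unless]
        self.action = action

    def feed(self, line):
        if self.pattern.search(line) and not any(u.search(line) for u in self.unless):
            return [self.action(line)]
        return []


class FailedLoginRule:
    """Stateful: count consecutive failures per user; a success resets the count."""
    FAIL = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\w+)")
    OK = re.compile(r"LOGIN ON \S+ BY (\w+)")

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.disabled = set()

    def feed(self, line):
        m = self.FAIL.search(line)
        if m:
            src, user = m.groups()
            self.failures[user] += 1
            if self.failures[user] >= self.threshold and user not in self.disabled:
                self.disabled.add(user)   # notifier disables the account once
                return [f"disable account {user}; notify sysadmin (last source {src})"]
            return []
        m = self.OK.search(line)
        if m:
            self.failures[m.group(1)] = 0  # a successful login breaks the streak
        return []


def run_monitor(log_text, rules):
    """Feed every line to every rule in order; return the actions taken."""
    actions = []
    for line in log_text.splitlines():
        for rule in rules:
            actions.extend(rule.feed(line))
    return actions


def default_rules():
    return [
        PatternRule(r"telnet", [r"localhost", r"\.site\.com"],
                    lambda line: f"mail staff: {line}"),
        FailedLoginRule(threshold=3),
    ]


if __name__ == "__main__":
    for action in run_monitor(SAMPLE_LOG, default_rules()):
        print(action)
```

On the sample input only two actions fire: the telnet from 203.0.113.7 (the localhost and .site.com connects are suppressed by the negated patterns) and the disabling of bob after his third consecutive failure; mary's single failure followed by a successful login never reaches the threshold.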
Windows NT Sample Entry

Date:      2/12/2000              Source:    Security
Time:      13:03                  Category:  Detailed Tracking
Type:      Success                EventID:   592
User:      WINDSOR\Administrator
Computer:  WINDSOR
Description:
  A new process has been created:
    New Process ID:      2216594592
    Image File Name:     \Program Files\Internet Explorer\IEXPLORE.EXE
    Creator Process ID:  2217918496
    User Name:           Administrator
    Domain:              WINDSOR
    Logon ID:            (0x0,0x14B4c4)

[would be in graphical format]

Audit logs in Linux

• Audit in Linux
  – Usually in the /var/log directory.
    • Each file pertains to a different log.
  – Some key logs:
    • /var/account/acct (process-level accounting) – similar to application-level accounting in Windows
    • utmp: each user currently logged in.
    • wtmp: when a user logged in.
    • messages: system-level log

Chapter 21, Practical UNIX and Internet Security, 3rd Edition. Slide #24-13

Specifying what to log

• In UNIX, what to log can be specified by editing the /etc/syslog.conf file.
  – syslogd facilities:
    • logger: a program that can be used by scripts.
    • UNIX socket: used to connect and send log information.
    • Log files
Syslog messages

• Any log message contains:
  – Time message generated
  – Syslog priority
  – Name of the program
  – Process ID
  – Computer (IP etc.)
  – Text
• E.g., Aug 14 08:02:12 <mail.info> r2 postfix/local[81859]: 80AD8E44308: to=<jhalonen@ex.com>, relay=local, delay=1, status=bounced (unknown user: "jhalonen")

Example of syslog.conf file

•
  *.err;kern.debug;auth.notice    /dev/console
  daemon,auth.notice              /var/log/messages
  lpr.*                           /var/log/lpd-errs
  auth.*                          root,nosmis
  auth.*                          @prep.ai.mit.edu
  *.emerg                         *
  *.alert                         |dectalker
  mark.*                          /dev/console

The first part is the message selector – what type of messages to log. The second part: how to log. Message selectors have two parts: facility and priority. E.g., kern.debug (selects all debug messages generated by the kernel).

Example of syslog.conf file

• The action can be one of the following:
  • Log to a file or a device
  • Send a message to a user
    – E.g., root, prem
  • Send a message to all the users
    – E.g., *
  • Pipe the message to a program
    – E.g., |dectalker
  • Send the message to syslog on another host
    – E.g., @prep.ai.mit.edu

Example of syslog.conf file

• Explanation of the log file:
  – *.err;kern.debug;auth.notice /dev/console: all error messages, all kernel debug messages and all auth notice messages – print on the console.
  – daemon,auth.notice /var/log/messages: all notice messages (from daemon and auth) are appended to /var/log/messages
  – lpr.* /var/log/lpd-errs: append to /var/log/lpd-errs
• Example of a log file monitor: swatch (next homework). http://sourceforge.net/projects/swatch/

Key Points

• Logging is collection and recording; audit is analysis
• Need to have clear goals when designing an audit system
• Auditing should be designed into the system, not patched into the system after it is implemented
• Browsing through logs helps auditors determine completeness of audit (and effectiveness of audit mechanisms!)
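Returning to the syslog material above: a parser for the message format on the "Syslog messages" slide and a matcher for syslog.conf selectors, run against the slides' own configuration, as an added example that is not from the lecture or from any syslogd implementation. One caveat it makes concrete: in syslog.conf a selector such as kern.debug or *.err matches the named priority and every more severe one, so *.err also catches crit, alert and emerg, and the slide's postfix message (mail.info) is matched by none of the eight rules and would be dropped by that configuration. My assumptions: the message line carries a "<facility.priority>" tag as in the slide's example, whitespace separates selector and action, and the "=" and "!" priority modifiers some syslogd versions accept are not handled.

```python
"""Added example (not from the slides): parse the syslog message format shown
on the 'Syslog messages' slide and decide which syslog.conf actions apply.

Assumptions (mine): the message carries a "<facility.priority>" tag as in
the slide's postfix line; selector and action are whitespace-separated;
'=' and '!' priority modifiers are not supported.
"""
import re

# Least to most severe; a selector's priority means "this level and above".
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

MSG_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "   # time generated
    r"<(?P<facility>\w+)\.(?P<priority>\w+)> "     # syslog facility.priority
    r"(?P<host>\S+) "                              # computer
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: " # program name and PID
    r"(?P<text>.*)$"                               # free text
)


def parse_syslog_line(line):
    """Split one message into the fields listed on the 'Syslog messages' slide."""
    m = MSG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    d = m.groupdict()
    d["pid"] = int(d["pid"]) if d["pid"] else None
    return d


def _level(p):
    return PRIORITIES.index(ALIASES.get(p, p))


class SyslogConf:
    def __init__(self, text):
        self.rules = []  # each rule: (list of (facility, minimum level), action)
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            selector, action = line.split(None, 1)
            sels = []
            for part in selector.split(";"):        # "*.err;kern.debug;auth.notice"
                facs, prio = part.rsplit(".", 1)    # "daemon,auth" + "notice"
                lvl = None if prio == "*" else _level(prio)
                for fac in facs.split(","):
                    sels.append((fac, lvl))
            self.rules.append((sels, action.strip()))

    def actions_for(self, facility, priority):
        """Every action syslogd would take for one (facility, priority)."""
        lvl = _level(priority)
        return [action for sels, action in self.rules
                if any(fac in ("*", facility) and (minlvl is None or lvl >= minlvl)
                       for fac, minlvl in sels)]

    def route(self, line):
        d = parse_syslog_line(line)
        return self.actions_for(d["facility"], d["priority"])


# The configuration and message from the slides, verbatim.
SLIDE_CONF = """\
*.err;kern.debug;auth.notice    /dev/console
daemon,auth.notice              /var/log/messages
lpr.*                           /var/log/lpd-errs
auth.*                          root,nosmis
auth.*                          @prep.ai.mit.edu
*.emerg                         *
*.alert                         |dectalker
mark.*                          /dev/console
"""

SLIDE_MSG = ('Aug 14 08:02:12 <mail.info> r2 postfix/local[81859]: 80AD8E44308: '
             'to=<jhalonen@ex.com>, relay=local, delay=1, status=bounced '
             '(unknown user: "jhalonen")')

if __name__ == "__main__":
    conf = SyslogConf(SLIDE_CONF)
    print(parse_syslog_line(SLIDE_MSG))
    print("mail.info   ->", conf.route(SLIDE_MSG))
    print("auth.notice ->", conf.actions_for("auth", "notice"))
    print("kern.emerg  ->", conf.actions_for("kern", "emerg"))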