chapter15_auditing.pdf

(1)

Computer Security:

Principles and Practice

First Edition First Edition

by William Stallings and Lawrie Brown by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown Lecture slides by Lawrie Brown

(2)

Agenda



Announcements

 Tomorrow April 25Tomorrow April 25thth 10 AM – 6Sigma 10 AM – 6Sigma



Quiz 3

 Multiple choiceMultiple choice

 Short answersShort answers



Chapter 15: Security Auditing



Break



Chapter 16: IT Security Management and

Risk Assessment

(3)

Intro to Security Auditing



Provides a level of assurance of proper

operation with respect to security



Generate data that can be used after an

attack for analysis



Reveals inadequacies in security services



Provides data for defining anomalous

behavior



Maintains a record useful for computer

forensics

(4)

Security Audit

 _“_“_{an independent review and examination of a}_{an independent review and examination of a} system's records and activities to determine the

system's records and activities to determine the

adequacy of system controls, ensure compliance

with established security policy and procedures,

detect breaches in security services, and

recommend any changes that are indicated for

countermeasures. The basic audit objective is to

establish accountability for system entities that

initiate or participate in security-relevant events

and actions. Thus, means are needed to generate

and record a security audit trail and to review and

analyze the audit trail to discover and investigate

attacks and security compromises.”

(5)

Security Audit Trail

“

a chronological record of system activities

that is suffi cient to enable the

reconstruction and examination of the

sequence of environments and activities

surrounding or leading to an operation,

procedure, or event in a security-relevant

transaction from inception to fi nal results”

(6)

Security Audit Architecture

(7)

(8)

(9)

Event Definition

 must define what are auditable events_{must define what are auditable events}  Common Criteria suggests:_{Common Criteria suggests:}

 _{introduction of objects}_{introduction of objects}  _{deletion of objects}_{deletion of objects}

 _{distribution or revocation of access rights or capabilities}_{distribution or revocation of access rights or capabilities}  _{changes to subject or object security attributes}_{changes to subject or object security attributes}

 _{policy checks performed by the security software}_{policy checks performed by the security software}  _{use of access rights to bypass a policy check}_{use of access rights to bypass a policy check}

(10)

Other Audit Requirements



event detection hooks in software and

monitoring software to capture activity



event recording function with secure

storage



event and audit trail analysis software,

tools, and interfaces

(11)

Implementation Requirements

1.

1.agree on requirements managementagree on requirements management

2.

2.scope of checks agreed and controlledscope of checks agreed and controlled

3.

3.checks limited to read-only access to s/w & datachecks limited to read-only access to s/w & data

4.

4.other access only for isolated copies of system files, other access only for isolated copies of system files,

then erased or given appropriate protection then erased or given appropriate protection

5.

5.resources for performing the checks should be resources for performing the checks should be

explicitly identified and made available explicitly identified and made available

6.

6.identify / agreed on special requirements identify / agreed on special requirements

7.

7.all access should be monitored and logged all access should be monitored and logged

8.

8.document procedures,requirements,responsibilitiesdocument procedures,requirements,responsibilities

9.

(12)

What to Collect

 _{issue of amount of data generated}_{issue of amount of data generated}

 tradeoff quantity vs efficiencytradeoff quantity vs efficiency

 data items captured may include:_{data items captured may include:}

 auditing software useauditing software use

 use of system security mechanismsuse of system security mechanisms  events from IDS and firewall systemsevents from IDS and firewall systems  system management / operation eventssystem management / operation events  operating system access (system calls)operating system access (system calls)  access to selected applicationsaccess to selected applications

(13)

System-Level Audit Trails

 _{useful to categorize audit trails}_{useful to categorize audit trails}

 system-level audit trails:_{system-level audit trails:}

 are generally used to monitor and optimize system are generally used to monitor and optimize system

performance performance

 can also serve a security audit functioncan also serve a security audit function

 captures logins, device use, O/S functions, e.g.captures logins, device use, O/S functions, e.g.

Jan 27 17:18:38 host1 login: ROOT LOGIN console

Jan 27 17:19:37 host1 reboot: rebooted by root

Jan 28 09:46:53 host1 su: 'su root' succeeded for

user1 on /dev/ttyp0

Jan 28 09:47:35 host1 shutdown: reboot by user1

(14)

Application-Level Audit Trails

 to detect security violations within an application_{to detect security violations within an application}  to detect flaws in application's system interaction_{to detect flaws in application's system interaction}  for critical / sensitive applications, e.g. email, DB_{for critical / sensitive applications, e.g. email, DB}  _{record appropriate security related details, e.g.}_{record appropriate security related details, e.g.}

Apr 911:20:22 host1 AA06370: from=<user2@host2>,

size=3355, class=0

Apr 911:20:23 host1 AA06370: to=<user1@host1>,

delay=00:00:02,stat=Sent

Apr 911:59:51 host1 AA06436: from=<user4@host3>,

size=1424, class=0

Apr 911:59:52 host1 AA06436: to=<user1@host1>,

delay=00:00:02, stat=Sent

(15)

User-Level Audit Trails



trace activity of individual users over time

 to hold user accountable for actions takento hold user accountable for actions taken

 as input to an analysis program that attempts as input to an analysis program that attempts

to define normal versus anomalous behavior to define normal versus anomalous behavior



may capture

 user interactions with systemuser interactions with system

• e.g. commands issued_{e.g. commands issued}

 identification and authentication attemptsidentification and authentication attempts

 files and resources accessed. files and resources accessed.

(16)

Physical-Level Audit Trails



generated by physical access controls

 e.g. card-key systems, alarm systemse.g. card-key systems, alarm systems



sent to central host for analysis / storage



can log

 date/time/location/user of access attemptdate/time/location/user of access attempt

 both valid and invalid access attemptsboth valid and invalid access attempts

 attempts to change access privilegesattempts to change access privileges

(17)

Audit Trail Storage Alternatives

 _{read/write file on host}_{read/write file on host}

 easy, least resource use, fast accesseasy, least resource use, fast access  vulnerable to attack by intrudervulnerable to attack by intruder

 _{write-once device (e.g. CD/DVD-ROM)}_{write-once device (e.g. CD/DVD-ROM)}

 more secure but less convenientmore secure but less convenient

 need media supply and have delayed accessneed media supply and have delayed access

 _{write-only device (e.g. printer)}_{write-only device (e.g. printer)}

 paper-trail but impractical for analysispaper-trail but impractical for analysis

 must protect both integrity and confidentiality_{must protect both integrity and confidentiality}

(18)

Implementing Logging



foundation of security auditing facility is

the initial capture of the audit data



software must include hooks (capture

points) that trigger data collection and

storage as preselected events occur



operating system / application dependent

 system-level logging can use existing meanssystem-level logging can use existing means

(19)

Windows Event Log



each event an entity that describes some

interesting occurrence and

 each event record contains:each event record contains:

• numeric id, set of attributes, optional user data_{numeric id, set of attributes, optional user data}

 presented as XML or binary datapresented as XML or binary data



have three types of event logs:

 system - system related apps & driverssystem - system related apps & drivers

 application - user-level appsapplication - user-level apps

(20)

Windows Event Log Example

 _{Event Type:}_{Event Type:} _{Success Audit}_{Success Audit}  _{Event Source:}_{Event Source:} _{Security Event}_{Security Event}

 _Category:_Category: ₍₁₎₍₁₎

 _{Event ID:}_{Event ID:} ₅₁₇₅₁₇

 _Date:_Date: _3/6/2006_3/6/2006

 _Time:_Time: _{2:56:40 PM}_{2:56:40 PM}

 _User:_User: _{NT AUTHORITY\SYSTEM}_{NT AUTHORITY\SYSTEM}  _Computer:_Computer: _KENT_KENT

 _Description:_Description: _{The audit log was cleared}_{The audit log was cleared}  _{Primary User Name:}_{Primary User Name:} _SYSTEM_SYSTEM

 _{Primary Domain:}_{Primary Domain:} _{NT AUTHORITY}_{NT AUTHORITY}  _{Primary Logon ID:}_{Primary Logon ID:} _(0x0,0x3F7)_(0x0,0x3F7)  _{Client User Name:}_{Client User Name:} _userk_userk

(21)

Windows Event Categories

 _{account logon events}_{account logon events}

 account management_{account management}

 directory service access_{directory service access}

 logon events_{logon events}  _{object access}_{object access}

 _{policy changes}_{policy changes}

 _{privilege use}_{privilege use}

 process tracking_{process tracking}

(22)

UNIX Syslog



UNIX's general-purpose logging

mechanism

 found on all UNIX / Linux variantsfound on all UNIX / Linux variants

 but with variants in facility and log formatbut with variants in facility and log format



elements:

 syslog() APIsyslog() API

 logger command utilitylogger command utility

 /etc/syslog.conf configuration file/etc/syslog.conf configuration file

(23)

Syslog Service



basic service provides:

 a means of capturing relevant eventsa means of capturing relevant events

 a storage facilitya storage facility

 a protocol for transmitting syslog messages a protocol for transmitting syslog messages

from other hosts to a central syslog server from other hosts to a central syslog server



extra add-on features may include:

 robust filtering, log analysis, event response, robust filtering, log analysis, event response,

alternative message formats,

alternative message formats, log file log file encryption,

(24)

Syslog Protocol



a transport allowing hosts to send IP event

notification messages to syslog servers

 provides a very general message formatprovides a very general message format

 allowing processes / apps to use suitable allowing processes / apps to use suitable

conventions for their logged events conventions for their logged events



common BSD (RFC3164) version has:

 PRI - facilities / severity codePRI - facilities / severity code

 header - timestamp & hostname/IP addressheader - timestamp & hostname/IP address

(25)

Syslog Examples

Mar 1 06:25:43 server1 sshd[23170]: Accepted Mar 1 06:25:43 server1 sshd[23170]: Accepted

publickey for server2 from 172.30.128.115 port publickey for server2 from 172.30.128.115 port 21011 ssh2

21011 ssh2

Mar 1 07:16:42 server1 sshd[9326]: Accepted password Mar 1 07:16:42 server1 sshd[9326]: Accepted password

for murugiah from 10.20.30.108 port 1070 ssh2 for murugiah from 10.20.30.108 port 1070 ssh2

Mar 1 07:16:53 server1 sshd[22938]: reverse mapping Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!

- POSSIBLE BREAKIN ATTEMPT!

Mar 1 07:26:28 server1 sshd[22572]: Accepted Mar 1 07:26:28 server1 sshd[22572]: Accepted

publickey for server2 from 172.30.128.115 port publickey for server2 from 172.30.128.115 port 30606 ssh2

30606 ssh2

Mar 1 07:28:33 server1 su: BAD SU kkent to root on / Mar 1 07:28:33 server1 su: BAD SU kkent to root on /

dev/ttyp2 dev/ttyp2

Mar 1 07:28:41 server1 su: kkent to root on Mar 1 07:28:41 server1 su: kkent to root on

(26)

Syslog Facility and Severity



facility identifies application / system

component that generates the message:

 user kern mail daemon auth lpr news uucp user kern mail daemon auth lpr news uucp

cron local0-7 mark cron local0-7 mark



severity (message level) indicates the

relative severity of the message

 can be used for some rudimentary filteringcan be used for some rudimentary filtering

(27)

Logging at Application Level

 privileged applications have security issues_{privileged applications have security issues}

 which system/user-level audit data may not seewhich system/user-level audit data may not see  a large percentage of reported vulnerabilitiesa large percentage of reported vulnerabilities

 e.g. failure to adequately check input data, application e.g. failure to adequately check input data, application

logic errors logic errors

 _{hence need to capture detailed behavior}_{hence need to capture detailed behavior}

 applications can be written to create audit data_{applications can be written to create audit data}  if not done, consider two approaches to auditing:_{if not done, consider two approaches to auditing:}

(28)

Interposable

(29)

(30)

Audit Trail Analysis



analysis programs/procedures vary widely

 cf. NIST SP 800-92cf. NIST SP 800-92



must understand context of log entries

 relevant info in same / other logs, configrelevant info in same / other logs, config

 possibility of unreliable entriespossibility of unreliable entries



audit file formats mix of plain text / codes

 hence must decipher manually / automaticallyhence must decipher manually / automatically



ideally regularly review entries to gain

understanding of baseline

(31)

Types of Audit Trail Analysis



audit trails can be used in multiple ways



this depends in part on when done



possibilities include:

 audit trail review after an eventaudit trail review after an event

• _{triggered by event to diagnose cause & remediate}_{triggered by event to diagnose cause & remediate}

 periodic review of audit trail dataperiodic review of audit trail data

• review bulk data to identify problems & behavior_{review bulk data to identify problems & behavior}

 real-time audit analysisreal-time audit analysis

(32)

Audit Review



audit review capability provides admin with

information from selected audit records

 actions of one or more usersactions of one or more users

 actions on a specific object or resourceactions on a specific object or resource

 all or a specified set of audited exceptionsall or a specified set of audited exceptions

 actions on a specific system / security attributeactions on a specific system / security attribute

(33)

Approaches to Data Analysis



basic alerting

 indicate interesting type of event has occurredindicate interesting type of event has occurred



baselining

 define normal vs unusual events / patternsdefine normal vs unusual events / patterns

 compare with new data to detect changescompare with new data to detect changes



windowing

 of events within a given set of parametersof events within a given set of parameters



correlation

(34)

Integrated Approaches

 volume of audit data mean manual analysis and _{volume of audit data mean manual analysis and}

baselining is impractical baselining is impractical

 _{need a Security Information and Event}_{need a Security Information and Event}

Management (SIEM) system Management (SIEM) system

 a centralized logging and analysis packagea centralized logging and analysis package  agentless or agent-basedagentless or agent-based

 normalizes a variety of log formatsnormalizes a variety of log formats  analyzes combined dataanalyzes combined data

(35)

Example: Cisco MARS



example of SIEM product



support a wide variety of systems



agentless with central dedicated server



wide array of analysis packages



an effective GUI



server collects, parses, normalizes,

correlates and assesses events to then

check for false positives, vulnerabilities,

and profiling

(36)

Summary



introduced need for security auditing



audit model, functions, requirements



security audit trails



implementing logging



audit trail analysis