• No results found

Practical Security Event Auditing with FreeBSD

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Practical Security Event Auditing with FreeBSD"

Copied!
27
0
0

Loading.... (view fulltext now)

Download now ( 27 Page )

Full text

(1)

Practical Security Event Auditing with FreeBSD

Christian Brüffer

[email protected]

NYCBSDCon – New York City, USA

(2)

NYCBSDCon 2010 2

Outline

1. What / What for / Why

2. Format

3. Configuration and Operation

4. Processing Tools and Audit Pipes

5. Demonstration

6. Considerations and Caveats

(3)

What is Security Event Auditing

● Logging of security-relevant system

events

– Secure – Reliable

– Fine-grained – Configurable

(4)

NYCBSDCon 2010 4

Straightforward Uses

● Post-mortem analysis ● Intrusion Detection

● Live system monitoring ● Debugging

(5)

Creative Uses

● Audit and rsync as a poor man's cluster

file system

● From a German blog entry:

http://blog.elitecoderz.net/de/cluster

-filesystem-for-freebsd-gfs-ocfs2/2010/06/

● Watching audit trail for file system

(6)

NYCBSDCon 2010 6

Why?

“Detection is much more important than

prevention” - Bruce Schneier

● No system is 100% secure ● Accountability

(7)

Common Criteria and CAPP

● CAPP = Controlled Access Protection

Profile

● Defines functional requirements

● Security evaluation needed for certain

uses and users (e.g. US DoD)

● Audit implementation required for CAPP

(8)

NYCBSDCon 2010 8

FreeBSD Audit History

● Originally by McAfee for Apple's Mac OS X ● Relicensed to 3-clause BSD license

● Ported to FreeBSD by TrustedBSD project ● Experimental feature in FreeBSD 6.2

(9)

BSM – Basic Security Module

● Defined by Sun Microsystems ● Standard audit file format:

– Solaris / OpenSolaris – Mac OS X

– FreeBSD

● Binary format

(10)

NYCBSDCon 2010 10

BSM Record Format

header,98,11,OpenSSH login,0,Sat Nov 06 09:50:52 2010, + 559 msec

subject_ex,chris,chris,chris,chris,chris,1 083,1083,53331,192.168.56.1

test,successful login chris return,success,0 trailer,98 header,121,11,execve(2),0,Sat Nov 06 06:50:52 2010, + 588 msec exec arg,-tcsh path,/bin/tcsh attribute,555,root,wheel,61,30026,122312 subject,chris,chris,chris,chris,chris,1087 ,1083,53331,192.168.56.1 return,success,0 trailer,121 Header token 0..n Argument tokens Subject token Return token Trailer token

(11)

Configuration Files

● /etc/security/audit_event

– Event definitions and mapping to classes

● /etc/security/audit_class – Class definitions ● /etc/security/audit_control – Global configuration ● /etc/security/audit_user – Per-user configuration

(12)

NYCBSDCon 2010 12

(13)

Handling the Daemon

● No kernel re-compile necessary since 7.0

– # echo 'auditd_enable=”YES”' >> /etc/rc.conf – # /etc/rc.d/auditd start ● Shutdown – # /etc/rc.d/auditd stop or – # audit -t

(14)

NYCBSDCon 2010 14

Audit Trail Files

● Standard location /var/audit

Group audit allows trail access delegation ● File name format:

– starttime.endtime (time in UTC)

– 20101013181949.20101013183539

In some cases starttime.not_terminated

– File active, or auditd shut down improperly

(15)

OpenBSM

● User space part of FreeBSD audit

● Open source implementation of BSM

– API

– file format – basic tools

● BSD license ● Portable

(16)

NYCBSDCon 2010 16

OpenBSM Tools

● audit(8)

– Control utility for auditd

● auditd(8)

– Manages trail files

– Communicates with kernel by /dev/audit

● auditreduce(1)

– Returns selected records from a trail file

● praudit(1)

(17)

Audit Pipes

● tee(1) for audit stream

/dev/auditpipe → clonable special device ● Live system monitoring

# praudit /dev/auditpipe

● Reliability not guaranteed

– As opposed the trail files

(18)

NYCBSDCon 2010 18

(19)

Considerations

● Performance overhead

– more auditing → higher penalty

– essentially no overhead when disabled

● Space requirements

– dependent on configuration – system activity

(20)

NYCBSDCon 2010 20

Caveats

● Some subsystems do not generate audit

records yet (NFS, Packet Filters, …)

● No per-Jail audit trails

– Audit records go straight to the host system trail file

– “zonename” token not utilized yet

(21)

Documentation

● Handbook

http://www.freebsd.org/doc/en_US.ISO885

9-1/books/handbook/audit.html

● Manpages:

– auditreduce(1), praudit(1), libbsm(3), audit(4), auditpipe(4), audit_class(5), audit_control(5), audit_event(5),

(22)

NYCBSDCon 2010 22

3

rd

Party Software

● bsmGUI (http://bsmgui.sf.net/)

● BSM Analyzer (http://bsma.sf.net) ● BSMTrace (ports/security/bsmtrace) ● Splunk + BSM Audit log loader

● Snare + Snare Agent for Solaris

(23)

Google Summer of Code (1)

● Projects in 2007 and 2008:

– Distributed Audit Daemon (2007) by Alexey Mikhailov, mentor: bz@ – Audit Log Analysis Tool (2007)

by Dongmei Lui, mentor: rwatson@ – Auditing System Testing (2008)

(24)

NYCBSDCon 2010 24

Google Summer of Code (2)

● Projects in 2009 and 2010

– Application-Specific Audit Trails (2009) by Ilias Marinos, mentor rwatson@

– Log Conversion Tools to/from Linux (2009) by Satish Srinivasan, mentor sson@

– Audit Kernel Events (2010)

by Efstratios Karatzas, mentor rwatson – Distributed Audit Daemon (2010)

(25)

Summary

● Audit can be an important piece in a

security infrastructure

● API / file format compatible with Solaris

● BSM format → compatibility with existing

tools for free

● Tradeoff log detail ↔ performance and

(26)

NYCBSDCon 2010 26

(27)

Thanks...

...for your attention

...and to Robert Watson for lots of material for this talk

References

Download now ( PDF - 27 Page - 190.24 KB )

Related documents

Higher education as object for corporate and nation branding: Between equality and flagships

When comparing the most commonly used values at universities and university colleges in Norway and Sweden, the most striking result is the similarities between different types of

Creating and Using Databases for Android Applications

Android platform includes the popular open source SQLite database which has been used with great success as on-disk file format that allows the developer to handle data in a

Marketing. (online) Marketing online y el posicionamiento en buscadores.

Posibles técnicas marketing online en esta etapa del proceso de compra:..

Healthy Retail as a Strategy for Improving Food Security and the Built Environment in San Francisco.

In low-income neighborhoods without supermarkets, lack of healthy food access often is exacerbated by the saturation of small corner stores with to- bacco and unhealthy foods

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Treasury/IRS 37.009 Enrolled Agent and Enrolled Retirement Plan Agent Treasury/IRS 34.037 IRS Audit Trail and Security Records

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

• IRS 24.030 Customer Account Data Engine Individual Master Fil • IRS 24.046 Customer Account Data Engine Business Master File • IRS 34.037 Audit Trail and Security

Quest ChangeAuditor 5.1. For Windows File Servers. Events Reference

When Event Logging for File System is enabled in ChangeAuditor, Windows File Server events will also be written to a Windows event log, named Quest File Access Audit Event log.

Protecting and Auditing Active Directory with Quest Solutions

While ChangeAuditor provides real-time monitoring and reporting, Quest InTrust provides the security audit trail and security event management (SEM) for comprehensive auditing