lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <442798.53194.qm@web36614.mail.mud.yahoo.com>
Date:	Thu, 7 Jun 2007 10:33:04 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Steve Grubb <sgrubb@...hat.com>, casey@...aufler-ca.com
Cc:	Jan Engelhardt <jengelh@...ux01.gwdg.de>,
	Miloslav Trmac <mitr@...hat.com>, dwmw2@...radead.org,
	linux-kernel@...r.kernel.org, Alan Cox <alan@...hat.com>,
	Alexander Viro <aviro@...hat.com>
Subject: Re: [PATCH] Audit: Add TTY input auditing


--- Steve Grubb <sgrubb@...hat.com> wrote:


> Ok, this is a sample set of requirements we are trying to meet:
> 
> Implement automated audit trails for all system components to reconstruct the
> 
> following events:
>   All actions taken by any individual with root or administrative privileges

My knee jerk response is "good luck with that". I hope you're not
planning a GUI, because tracing the mouse movements, clicks, and
window placement in order to identify what action the admin is taking
is going to be a without-a-net trick.

> If we do not get commands typed at a prompt, we have to audit by execve. 

I would suggest that you'll have to do that as well so that you can tell
the difference between typed actions like these:

# cat > /dev/null
badprogram --badthing --everyone
^D
#

# badprogram --badthing --everyone

where the same typed line is a Bad Thing in one case and completely
irrelevent in the other.

> Auditing execve for uid = 0 produces millions of events since that includes 
> daemons. If we get clever and restrict auditing to events for root uid and 
> auid >= 500, we still wind up with millions of events because of shell 
> scripts.

Yes. Your Linux system performs millions (yea, billions) of security
relevent actions in the time it takes you (well, me) to spell check an
lkml posting. Audit systems spew lots of data because there's lots of
data that is required to track who did what to whom.

> People in control of some of these security targets said to me that auditing 
> by execve cannot be the solution, because the audit trail becomes too big, 
> unwieldy, full of irrelavent events, and not easily analysed. So, that 
> approach does not work for people either.

OK. They're not willing to pay the price for the result they are asking for.

> Casey, so what approach would you take to meet the requirement?

If the requirement is that all human initiated administrative actions
be audited your only option is to seriously restrict the actions that
the human can perform by hand. This is usually accomplished by providing
an administration user interface facility as the admin shell. This shell
only invokes a tightly controlled set of commands, and audits their
parameters.

> > You have to log what happened.
> 
> Which can be done by auditing for execution of specific apps or watching 
> access to certain files. So, I don't see tty auditing as something that 
> replaces other auditing, it allows us to form a better picture of what 
> happened to the system.

Perhaps.
 
> > Logging what was requested is insufficient and logging what was
> > typed, which may or may not have resulted in an actual request is
> > not helpful to meeting security audit requirements.
> 
> I would disagree. Its helpful to complete the picture of what's happening on 
> the system.

As an adjunct to system level audit it might be helpful, but
it cannot stand on its own.


Casey Schaufler
casey@...aufler-ca.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ