SlideShare a Scribd company logo

Auditing.ppt

Download as PPT, PDF
S
ssuser45a8a6

RACF Auditing

Technology
1 of 87
Chapter 21 in “Introduction to Computer Security” System Auditing
Slide 2 Chapter 21: Auditing Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms Examples: NFSv2, LAFS
Slide 3 What is Auditing? Logging Recording events or statistics to provide information about system use and performance Auditing Analysis of log records to present information about the system in a clear, understandable manner
Slide 4 Uses Describe security state Determine if system enters unauthorized state Evaluate effectiveness of protection mechanisms Determine which mechanisms are appropriate and working Deter attacks because of presence of record
Slide 5 Problems What do you log? Hint: looking for violations of a policy, so record at least what will show such violations What do you audit? Need not audit everything Key: what is the policy involved?
Slide 6 What should be audited Requires a knowledge of the security policy of the system What attempts to violate that policy involve How such attempts can be detected
Slide 7 What should be logged What commands must an attacker use to violate the security policy What system calls must be made Who must issue the commands or system calls and in what order, what objects must be altered
Slide 8 Audit System Structure Logger Records information, usually controlled by parameters Analyzer Analyzes logged information looking for something Notifier Reports results of analysis
Slide 9 Logger Type, quantity of information recorded controlled by system or program configuration parameters May be human readable or not If not, usually viewing tools supplied
Slide 10 Logger -- Example: RACF Security enhancement package for IBM’s MVS operating system and VM environment. Logs failed access attempts, Use of privilege to change security levels, (if desired) RACF interactions with users if a user attempt to modify it in any way, a log entry will be made http://www- 03.ibm.com/servers/eserver/zseries/zos/racf/shock/topics. html View events with LISTUSERS commands
Slide 11 Logger -- RACF: Sample Entry USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004 DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30 ATTRIBUTES=ADSP REVOKE DATE=NONE RESUME-DATE=NONE LAST-ACCESS=88.020/14:15:10 CLASS AUTHORIZATIONS=NONE NO-INSTALLATION-DATA NO-MODEL-NAME LOGON ALLOWED (DAYS) (TIME) -------------------------------- ANYDAY ANYTIME GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004 CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE:88.004 CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE SECURITY-LEVEL=NONE SPECIFIED CATEGORY AUTHORIZATION NONE SPECIFIED
Slide 12 Logger -- Example: Windows NT Different logs for different types of events System event logs record system crashes, component failures, and other system events Application event logs record events that applications request be recorded Security event log records security-critical events such as logging in and out, system file accesses, and other events Logs are binary; use event viewer to see them If log full, can have system shut down, logging disabled, or logs overwritten
Slide 13 Logger -- Windows NT Sample Entry Date: 2/12/2000 Source: Security Time: 13:03 Category: Detailed Tracking Type: Success EventID: 592 User: WINDSORAdministrator Computer: WINDSOR Description: A new process has been created: New Process ID: 2216594592 Image File Name: Program FilesInternet ExplorerIEXPLORE.EXE Creator Process ID: 2217918496 User Name: Administrator FDomain: WINDSOR Logon ID: (0x0,0x14B4c4)
Slide 14 Analyzer Analyzes one or more logs Logs may come from multiple systems, or a single system May lead to changes in logging May lead to a report of an event
Slide 15 Analyzer -- Examples Suppose a system administrator wants to list all systems from which users have connected using the rlogin or telnet program, excluding systems at the site. Use swatch patterns to match the lines generated by these remote connections. /telnet/&!/localhost/&!/*.site.com/ /telnet/&!/localhost/&!/*.site.com/ This line matches all log file entries containing the word “rlogin” and not containing either localhost or any string ending in “.site.com” – the local host domain. Swatch tool: http://www.unix.org.ua/orelly/networking/puis/ch10_06.htm
Slide 16 Analyzer -- Examples A database query control mechanism Contains both a logger and a analyzer User prior queries to determine whether to answer current query If too much overlap between current query and past queries, do not answer
Slide 17 Analyzer -- Examples Intrusion detection analysis engine (director) Takes data from sensors and determines if an intrusion is occurring Analyze log records for unexpected activity Analyze log records for known activity to be an attempt to compromise the system
Slide 18 Notifier Informs analyst, other entities of results of analysis May reconfigure logging and/or analysis on basis of results
Slide 19 Notifier -- Examples Using swatch to notify of telnets /telnet/&!/localhost/&!/*.site.com/mail staff /rlogin/&!/localhost/&!/*.site.com/mail staff Query set overlap control in databases Prevents response from being given if too much overlap occurs Reduce the union of all previous query set sizes to less than r Three failed logins in a row disable user account Notifier disables account, notifies sysadmin Record each attempt, check the number of consecutive failed login attempts, invoke the notifier.
Slide 20 Designing an Audit System Essential component of security mechanisms Goals determine what is logged Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy So, audit functions that may violate the constraints Constraint pi : action  condition Require action be true before any valid conclusion about the condition can be deduced. Satisfaction of constraint  result is irrelevant Dissatisfaction of constraint  security violation
Slide 21 Example: Bell-LaPadula Simple security condition and *-property S reads O  L(S) ≥ L(O) S writes O  L(S) ≤ L(O) http://courses.cs.vt.edu/~cs5204/fall99/protection/harsh/ To check for violations, on each read and write, must log L(S), L(O), action (read, write), and result (success, failure) What is illegal state? What to audit?
Slide 22 Implementation Issues Show non-security or find violations? Security violation, the changes (necessary) Requires logging initial state Defining violations, Bell-LaPadula Model asserted specific type of data to be recorded during a “write” Potential Possibility? Multiple names for one object Logging goes by object and not name Representations can affect this (if you read raw disks, you’re reading files; can your auditing system determine which file?) Unix two representation: File system and low level disk blocks Unix systems generally cannot log all accesses to a given file, no log at disk block level.
Slide 23 Syntactic Issues Data that is logged may be ambiguous BSM: two optional text fields followed by two mandatory text fields If three fields, which of the optional fields is omitted? Solution: use grammar to ensure well-defined syntax of log files
Slide 24 Example entry : date host prog [ bad ] user [ “from” host ] “to” user “on” tty date : daytime host : string prog : string “:” bad : “FAILED” user : string tty : “/dev/” string Log file entry format defined unambiguously Audit mechanism could scan, interpret entries without confusion
Slide 25 More Syntactic Issues Context Unknown user uses anonymous ftp to retrieve file “/etc/passwd” Logged as such Problem: which /etc/passwd file? One in system /etc directory One in anonymous ftp directory /var/ftp/etc, and as ftp thinks /var/ftp is the root directory, /etc/passwd refers to /var/ftp/etc/passwd
Slide 26 Log Sanitization (confidentiality and privacy) U set of users, P policy defining set of information C(U) that U cannot see; log sanitized when all information in C(U) deleted from log Two types of P C(U) can’t leave site People inside site are trusted and information not sensitive to them Prevent indication of proprietary projects, release of IP of machines containing sensitive info C(U) can’t leave system People inside site not trusted or (more commonly) information sensitive to them Prevent the admin from spying on users Privacy consideration, only when … Don’t log this sensitive information
Slide 27 Logging Organization Top prevents information from leaving site Users’ privacy not protected from system administrators, other administrative personnel Bottom prevents information from leaving system Data simply not recorded, or data scrambled before recording Could use cryptography to protect the data and allow for reconstruction Logging system Log Users Sanitizer Logging system Log Users Sanitizer
Slide 28 Reconstruction Anonymizing sanitizer cannot be undone No way to recover data from this Pseudonymizing sanitizer can be undone Original log can be reconstructed Importance Suppose security analysis requires access to information that was sanitized?
Slide 29 Issue Key: sanitization must preserve properties needed for security analysis If new properties added (because analysis changes), may have to resanitize information This requires pseudonymous sanitization or the original log
Slide 30 Example Company wants to keep its IP addresses secret, but wants a consultant to analyze logs for an address scanning attack Connections to port 25 on IP addresses 10.163.5.10, 10.163.5.11, 10.163.5.12, 10.163.5.13, 10.163.5.14, 10.163.5.15 Sanitize with random IP addresses Cannot see sweep through consecutive IP addresses Sanitize with sequential IP addresses Can see sweep through consecutive IP addresses
Slide 31 Generation of Pseudonyms 1. Devise set of pseudonyms to replace sensitive information • Replace data with pseudonyms • Maintain table mapping pseudonyms to data 2. Use random key to encipher sensitive datum and use secret sharing scheme to share key • Used when insiders cannot see unsanitized data, but outsiders (law enforcement) need to • Requires t out of n people to read data
Slide 32 Application Logging Applications logs made by applications Applications control what is logged Typically use high-level abstractions such as: su: bishop to root on /dev/ttyp0 Does not include detailed, system call level information such as results, parameters, etc.
Slide 33 System Logging Log system events such as kernel actions Typically use low-level events 3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8) 3876 ktrace NAMI "/usr/bin/su" 3876 ktrace NAMI "/usr/libexec/ld-elf.so.1" 3876 su RET xecve 0 3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0) 3876 su RET __sysctl 0 3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0) 3876 su RET mmap 671473664/0x2805e000 3876 su CALL geteuid 3876 su RET geteuid 0 Does not include high-level abstractions such as loading libraries (as above)
Slide 34 Contrast Differ in focus Application logging focuses on application events, like failure to supply proper password, and the broad operation (what was the reason for the access attempt?) System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?) System logs usually much bigger than application logs Can do both, try to correlate them
Slide 35 Design A posteriori design Need to design auditing mechanism for system not built with security in mind Goal of auditing Detect any violation of a stated policy Focus is on policy and actions designed to violate policy; specific actions may not be known Detect actions known to be part of an attempt to breach security Focus on specific actions that have been determined to indicate attacks
Slide 36 Detect Violations of Known Policy Goal: does system enter a disallowed state? Two forms State-based auditing Look at current state of system Transition-based auditing Look at actions that transition system from one state to another
Slide 37 State-Based Auditing Log information about state and determine if state allowed Assumption: you can get a snapshot of system state Snapshot needs to be consistent
Slide 38 Example File system auditing tools Thought of as analyzing single state (snapshot) In reality, analyze many slices of different state unless file system quiescent Potential problem: if test at end depends on result of test at beginning, relevant parts of system state may have changed between the first test and the last Classic TOCTTOU flaw (time of check to time of use)
Slide 39 Transition-Based Auditing Log information about action, and examine current state and proposed transition to determine if new state would be disallowed Note: just analyzing the transition may not be enough; you may need the initial state Tend to use this when specific transitions always require analysis (for example, change of privilege)
Slide 40 Example TCP access control mechanism intercepts TCP connections and checks against a list of connections to be blocked (hosts.deny file) Obtains IP address of source of connection Logs IP address, port, and result (allowed/blocked) in log file Purely transition-based (current state not analyzed at all)
Slide 41 Example American Online’s instant messaging system allows a user to sign on from at most one computer at a time. Mixture of state-based and transition-based auditing Examine the transtion (sign-on) Current state (whether signed on already) Report, block
Slide 42 Detect Known Violations of Policy Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for known attacks
Slide 43 Example Land attack Consider 3-way handshake to initiate TCP connection (next slide) What happens if source, destination ports and addresses the same? Host expects ACK(t+1), but gets ACK(s+1). RFC ambiguous: p. 36 of RFC: send reset (RST) to terminate connection p. 69 of RFC: reply with empty packet having current sequence number t+1 and ACK number s+1—but it receives packet and ACK number is incorrect. So it repeats this … system hangs or runs very slowly, depending on whether interrupts are disabled
Slide 44 3-Way Handshake and Land Normal: 1. srcseq = s, expects ACK s+1 2. destseq = t, expects ACK t+1; src gets ACK s+1 3. srcseq = s+1, destseq = t+1; dest gets ACK t+1 Land: 1. srcseq = destseq = s, expects ACK s+1 2. srcseq = destseq = t, expects ACK t+1 but gets ACK s+1 3. Never reached; recovery from error in 2 attempted Source Destination SYN(s) ACK(s+1) SYN(t) ACK(t+1)
Slide 45 Detection Must spot initial Land packet with source, destination addresses the same Logging requirement: source port number, IP address destination port number, IP address Auditing requirement: If source port number = destination port number and source IP address = destination IP address, packet is part of a Land attack
Slide 46
Slide 47 Auditing Mechanisms Systems use different mechanisms Most common is to log all events by default, allow system administrator to disable logging that is unnecessary Two examples One audit system designed for a secure system One audit system designed for non-secure system
Slide 48 Secure Systems Auditing mechanisms integrated into system design and implementation Security officer can configure reporting and logging: To report specific events To monitor accesses by a subject To monitor accesses to an object Controlled at audit subsystem Irrelevant accesses, actions not logged
Slide 49 Example 1: VAX VMM Designed to be a secure production system Audit mechanism had to have minimal impact Audit mechanism had to be very reliable Kernel is layered Logging done where events of interest occur Each layer audits accesses to objects it controls Audit subsystem processes results of logging from mechanisms in kernel Audit subsystem manages system log Invoked by mechanisms in kernel
Slide 50 VAX VMM Audit Subsystem Calls provide data to be logged Identification of event, result Auxiliary data depending on event Caller’s name Subsystem checks criteria for logging If request matcher, data is logged Criteria are subject or object named in audit table, and severity level (derived from result) Adds date and time, other information
Slide 51 Other Issues Always logged Programmer can request event be logged Any attempt to violate policy Protection violations, login failures logged when they occur repeatedly Use of covert channels also logged Log filling up Audit logging process signaled to archive log when log is 75% full If not possible, system stops
Slide 52 Example 2: CMW Compartmented Mode Workstation designed to allow processing at different levels of sensitivity Auditing subsystem keeps table of auditable events Entries indicate whether logging is turned on, what type of logging to use User level command chaud allows user to control auditing and what is audited If changes affect subjects, objects currently being logged, the logging completes and then the auditable events are changed
Slide 53 CMW Process Control System calls allow process to control auditing audit_on turns logging on, names log file audit_write validates log entry given as parameter, logs entry if logging for that entry is turned on audit_suspend suspends logging temporarily audit_resume resumes logging after suspension audit_off turns logging off for that process
Slide 54 System Calls On system call, if auditing on: System call recorded First 3 parameters recorded (but pointers not followed) How audit_write works If room in log, append new entry Otherwise halt system, discard new entry, or disable event that caused logging Continue to try to log other events
Slide 55 Other Ways to Log Problem: some processes want to log higher- level abstractions (application logging) Window manager creates, writes high-level events to log Difficult to map low-level events into high-level ones Disables low-level logging for window manager as unnecessary
Slide 56 CMW Auditing Tool (redux) to analyze logged events Converts binary logs to printable format Redux allows user to constrain printing based on several criteria Users Objects Security levels Events
Slide 57 Non-Secure Systems Have some limited logging capabilities Log accounting data, or data for non-security purposes Possibly limited security data like failed logins Auditing subsystems focusing on security usually added after system completed May not be able to log all events, especially if limited kernel modifications to support audit subsystem
Slide 58 Example: Basic Security Module BSM enhances SunOS, Solaris security Logs composed of records made up of tokens Token contains information about event: user identity, groups, file system information, network, system call and result, etc. as appropriate
Slide 59 More About Records Records refer to auditable events Kernel events: opening a file Application events: failure to authenticate when logging in Grouped into audit event classes based on events causing record generation Before log created: tell system what to generate records for After log created: defined classes control which records given to analysis tools
Slide 60 Example Record Logs are binary; this is from praudit header,35,AUE_EXIT,Wed Sep 18 11:35:28 1991, + 570000 msec, process,bishop,root,root,daemon,1234, return,Error 0,5 trailer,35
Slide 61 Auditing File Systems Network File System (NFS) Industry standard Server exports file system; client imports it Root of tree being exported called server mount point; place in client file tree where exported file system imported called client mount point Logging and Auditing File System (LAFS) Built on NFS
Slide 62 NFS Version 2 Mounting protocol Client kernel contacts server’s mount daemon Daemon checks client is authorized to mount file system Daemon returns file handle pointing to server mount point Client creates entry in client file system corresponding to file handle Access restrictions enforced On client side: server not aware of these On server side: client not aware of these
Slide 63 File Access Protocol Process tries to open file as if it were local Client kernel sends file handle for element of path referring to remote file to server’s NFS server using LOOKUP request If file handle valid, server replies with appropriate file handle Client requests attributes with GETATTR Client then determines if access allowed; if not, denies Iterate above three steps until handle obtained for requested file Or access denied by client
Slide 64 Other Important Details NFS stateless Server has no idea which files are being accessed and by whom NFS access control Most servers require requests to come from privileged programs Check that source port is 1023 or less Underlying messages identify user To some degree of certainty …
Slide 65 Site Policy 1. NFS servers respond only to authorized clients 2. UNIX access controls regulate access to server’s exported file system 3. No client host can access a non-exported file system
Slide 66 Resulting Constraints 1. File access granted  client authorized to import file system, user can search all parent directories, user can access file as requested, file is descendent of server’s file system mount point • From P1, P2, P3 2. Device file created or file type changed to device  user’s UID is 0 • From P2; only UID 0 can do these actions
Slide 67 More Constraints 3. Possession of file handle  file handle issued to user • From P1, P2; otherwise unauthorized client could access files in forbidden ways 4. Operation succeeds  similar local operation would succeed • From P2; mount should fail if requester UID not 0
Slide 68 NFS Operations Transitions from secure to non-secure state can occur only when NFS command occurs Example commands: MOUNT filesystem Mount the named file system on the requesting client, if allowed LOOKUP dir_handle file_name Search in directory with handle dir_handle for file named file_name; return file handle for file_name
Slide 69 Logging Requirements 1.When file handle issued, server records handle, UID and GID of user requesting it, client host making request • Similar to allocating file descriptor when file opened; allows validation of later requests 2.When file handle used as parameter, server records UID, GID of user • Was user using file handle issued that file handle—useful for detecting spoofs
Slide 70 Logging Requirements 3. When file handle issued, server records relevant attributes of containing object • On LOOKUP, attributes of containing directory show whether it can be searched 4. Record results of each operation • Lets auditor determine result 5. Record file names used as arguments • Reconstruct path names, purpose of commands
Slide 71 Audit Criteria: MOUNT MOUNT Check that MOUNT server denies all requests by unauthorized clients to import file system that host exports Obtained from constraints 1, 4 Log requirements 1 (who requests it), 3 (access attributes—to whom can it be exported), 4 (result)
Slide 72 Audit Criteria: LOOKUP 2. Check file handle comes from client, user to which it was issued • Obtained from constraint 3 • Log requirement 1 (who issued to), 2 (who is using) 3. Check that directory has file system mount point as ancestor and user has search permission on directory • Obtained from constraint 1 • Log requirements 2 (who is using handle), 3 (owner, group, type, permissions of object), 4 (result), 5 (reconstruct path name)
Slide 73 LAFS File system that records user level activities Uses policy-based language to automate checks for violation of policies Implemented as extension to NFS You create directory with lmkdir and attach policy with lattach: lmkdir /usr/home/xyzzy/project policy lattach /usr/home/xyzzy/project /lafs/xyzzy/project
Slide 74 LAFS Components Name server File manager Configuration assistant Sets up required protection modes; interacts with name server, underlying file protection mechanisms Audit logger Logs file accesses; invoked whenever process accesses file Policy checker Validates policies, checks logs conform to policy
Slide 75 How It Works No changes to applications Each file has 3 associated virtual files file%log: all accesses to file file%policy: access control policy for file file%audit: when accessed, triggers audit in which accesses are compared to policy for file Virtual files not shown in listing LAFS knows the extensions and handles them properly
Slide 76 Example Policies prohibit:0900-1700:*:*:wumpus:exec No-one can execute wumpus between 9AM and 5PM allow:*:Makefile:*:make:read allow:*:Makefile:Owner:makedepend:write allow:*:*.o,*.out:Owner,Group:gcc,ld:write allow:-010929:*.c,*.h:Owner:emacs,vi,ed:write Program make can read Makefile Owner can change Makefile using makedepend Owner, group member can create .o, .out files using gcc and ld Owner can modify .c, .h files using named editors up to Sep. 29, 2001
Slide 77 Comparison Security policy controls access Goal is to detect, report violations Auditing mechanisms built in LAFS “stacked” onto NFS If you access files not through LAFS, access not recorded NFS auditing at lower layer So if you use NFS, accesses recorded
Slide 78 Comparison Users can specify policies in LAFS Use %policy file NFS policy embedded, not easily changed It would be set by site, not users Which is better? Depends on goal; LAFS is more flexible but easier to evade. Use both together, perhaps?
Slide 79 Audit Browsing Goal of browser: present log information in a form easy to understand and use Several reasons to do this: Audit mechanisms may miss problems that auditors will spot Mechanisms may be unsophisticated or make invalid assumptions about log format or meaning Logs usually not integrated; often different formats, syntax, etc.
Slide 80 Browsing Techniques Text display Does not indicate relationships between events Hypertext display Indicates local relationships between events Does not indicate global relationships clearly Relational database browsing DBMS performs correlations, so auditor need not know in advance what associations are of interest Preprocessing required, and may limit the associations DBMS can make
Slide 81 More Browsing Techniques Replay Shows events occurring in order; if multiple logs, intermingles entries Graphing Nodes are entities, edges relationships Often too cluttered to show everything, so graphing selects subsets of events Slicing Show minimum set of log events affecting object Focuses on local relationships, not global ones
Slide 82 Example: Visual Audit Browser Frame Visualizer Generates graphical representation of logs Movie Maker Generates sequence of graphs, each event creating a new graph suitably modified Hypertext Generator Produces page per user, page per modified file, summary and index pages Focused Audit Browser Enter node name, displays node, incident edges, and nodes at end of edges
Slide 83 Example Use File changed Use focused audit browser Changed file is initial focus Edges show which processes have altered file Focus on suspicious process Iterate through nodes until method used to gain access to system determined Question: is masquerade occurring? Auditor knows audit UID of attacker
Slide 84 Tracking Attacker Use hypertext generator to get all audit records with that UID Now examine them for irregular activity Frame visualizer may help here Once found, work forward to reconstruct activity For non-technical people, use movie maker to show what happened Helpful for law enforcement authorities especially!
Slide 85 Example: MieLog Computes counts of single words, word pairs Auditor defines “threshold count” MieLog colors data with counts higher than threshold Display uses graphics and text together Tag appearance frequency area: colored based on frequency (e.g., red is rare) Time information area: bar graph showing number of log entries in that period of time; click to get entries Outline of message area: outline of log messages, colored to match tag appearance frequency area Message in text area: displays log entry under study
Slide 86 Example Use Auditor notices unexpected gap in time information area No log entries during that time!?!? Auditor focuses on log entries before, after gap Wants to know why logging turned off, then turned back on Color of words in entries helps auditor find similar entries elsewhere and reconstruct patterns
Slide 87 Key Points Logging is collection and recording; audit is analysis Need to have clear goals when designing an audit system Auditing should be designed into system, not patched into system after it is implemented Browsing through logs helps auditors determine completeness of audit (and effectiveness of audit mechanisms!)

Recommended

Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
The Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityThe Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityNathan Desfontaines
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackAlistair Gillespie
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 

Recommended

Cyber security and demonstration of security tools
Cyber security and demonstration of security toolsCyber security and demonstration of security tools
Cyber security and demonstration of security toolsVicky Fernandes
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SIEM : Security Information and Event Management
SIEM : Security Information and Event Management SHRIYARAI4
 
The Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityThe Proactive Approach to Cyber Security
The Proactive Approach to Cyber SecurityNathan Desfontaines
 
Implementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsImplementing and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackAlistair Gillespie
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Qradar - Reports.pdf
Qradar - Reports.pdfQradar - Reports.pdf
Qradar - Reports.pdfPencilData
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Managementn|u - The Open Security Community
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
The OCTAVE Method
The OCTAVE MethodThe OCTAVE Method
The OCTAVE MethodRaul Calzada
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadarVirginia Fernandez
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event ManagemenS Periyakaruppan CISM,ISO31000,C-EH,ITILF
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 

More Related Content

What's hot

Qradar - Reports.pdf
Qradar - Reports.pdfQradar - Reports.pdf
Qradar - Reports.pdfPencilData
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Brent Muir
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingMaganathin Veeraragaloo
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsSounil Yu
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 

What's hot (20)

Qradar - Reports.pdf
Qradar - Reports.pdfQradar - Reports.pdf
Qradar - Reports.pdf
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the Basics
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
 
The OCTAVE Method
The OCTAVE MethodThe OCTAVE Method
The OCTAVE Method
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
IBM Security QRadar
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
 
Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS Defending Against the Dark Arts of LOLBINS
Defending Against the Dark Arts of LOLBINS
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Security Information and Event Managemen
Security Information and Event ManagemenSecurity Information and Event Managemen
Security Information and Event Managemen
 
Domain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and TestingDomain 6 - Security Assessment and Testing
Domain 6 - Security Assessment and Testing
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise Security
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 

Similar to Auditing.ppt

2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comMichael Gough
 
Assignment Grading Rubric Course IT286 Unit 4 Po.docx
Assignment Grading Rubric Course IT286 Unit 4 Po.docxAssignment Grading Rubric Course IT286 Unit 4 Po.docx
Assignment Grading Rubric Course IT286 Unit 4 Po.docxssuser562afc1
 
Sql server lesson12
Sql server lesson12Sql server lesson12
Sql server lesson12Ala Qunaibi
 
Sql server lesson12
Sql server lesson12Sql server lesson12
Sql server lesson12Ala Qunaibi
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyMichael Gough
 
Structure of operating system
Structure of operating systemStructure of operating system
Structure of operating systemRafi Dar
 
Chapter11 Monitoring Server Performance
Chapter11 Monitoring Server PerformanceChapter11 Monitoring Server Performance
Chapter11 Monitoring Server PerformanceRaja Waseem Akhtar
 
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docxLab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docxDIPESH30
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromiseCal Bryant
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)Felipe Prado
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheetMichael Gough
 
Software engg. pressman_ch-8
Software engg. pressman_ch-8Software engg. pressman_ch-8
Software engg. pressman_ch-8Dhairya Joshi
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
Chapter 3 access control fundamental i
Chapter 3 access control fundamental iChapter 3 access control fundamental i
Chapter 3 access control fundamental iSyaiful Ahdan
 

Similar to Auditing.ppt (20)

2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Tracing Sql Server 2005
Tracing Sql Server 2005Tracing Sql Server 2005
Tracing Sql Server 2005
 
Assignment Grading Rubric Course IT286 Unit 4 Po.docx
Assignment Grading Rubric Course IT286 Unit 4 Po.docxAssignment Grading Rubric Course IT286 Unit 4 Po.docx
Assignment Grading Rubric Course IT286 Unit 4 Po.docx
 
Sql server lesson12
Sql server lesson12Sql server lesson12
Sql server lesson12
 
Sql server lesson12
Sql server lesson12Sql server lesson12
Sql server lesson12
 
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeologyWindows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
Windows Logging Cheat Sheet ver Jan 2016 - MalwareArchaeology
 
Backtracking king05
Backtracking king05Backtracking king05
Backtracking king05
 
Structure of operating system
Structure of operating systemStructure of operating system
Structure of operating system
 
Chapter11 Monitoring Server Performance
Chapter11 Monitoring Server PerformanceChapter11 Monitoring Server Performance
Chapter11 Monitoring Server Performance
 
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docxLab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
Lab Deliverable for Lab nYour NameDateTitle Creating, Using, Remo.docx
 
Checking Windows for signs of compromise
Checking Windows for signs of compromiseChecking Windows for signs of compromise
Checking Windows for signs of compromise
 
2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)2600 v03 n02 (february 1986)
2600 v03 n02 (february 1986)
 
Sadcw 6e chapter3
Sadcw 6e chapter3Sadcw 6e chapter3
Sadcw 6e chapter3
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?
 
Windows logging cheat sheet
Windows logging cheat sheetWindows logging cheat sheet
Windows logging cheat sheet
 
Software engg. pressman_ch-8
Software engg. pressman_ch-8Software engg. pressman_ch-8
Software engg. pressman_ch-8
 
CH02.pdf
CH02.pdfCH02.pdf
CH02.pdf
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Chapter 3 access control fundamental i
Chapter 3 access control fundamental iChapter 3 access control fundamental i
Chapter 3 access control fundamental i
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Auditing.ppt

  • 1. Chapter 21 in “Introduction to Computer Security” System Auditing
  • 2. Slide 2 Chapter 21: Auditing Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms Examples: NFSv2, LAFS
  • 3. Slide 3 What is Auditing? Logging Recording events or statistics to provide information about system use and performance Auditing Analysis of log records to present information about the system in a clear, understandable manner
  • 4. Slide 4 Uses Describe security state Determine if system enters unauthorized state Evaluate effectiveness of protection mechanisms Determine which mechanisms are appropriate and working Deter attacks because of presence of record
  • 5. Slide 5 Problems What do you log? Hint: looking for violations of a policy, so record at least what will show such violations What do you audit? Need not audit everything Key: what is the policy involved?
  • 6. Slide 6 What should be audited Requires a knowledge of the security policy of the system What attempts to violate that policy involve How such attempts can be detected
  • 7. Slide 7 What should be logged What commands must an attacker use to violate the security policy What system calls must be made Who must issue the commands or system calls and in what order, what objects must be altered
  • 8. Slide 8 Audit System Structure Logger Records information, usually controlled by parameters Analyzer Analyzes logged information looking for something Notifier Reports results of analysis
  • 9. Slide 9 Logger Type, quantity of information recorded controlled by system or program configuration parameters May be human readable or not If not, usually viewing tools supplied
  • 10. Slide 10 Logger -- Example: RACF Security enhancement package for IBM’s MVS operating system and VM environment. Logs failed access attempts, Use of privilege to change security levels, (if desired) RACF interactions with users if a user attempt to modify it in any way, a log entry will be made http://www- 03.ibm.com/servers/eserver/zseries/zos/racf/shock/topics. html View events with LISTUSERS commands
  • 11. Slide 11 Logger -- RACF: Sample Entry USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004 DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30 ATTRIBUTES=ADSP REVOKE DATE=NONE RESUME-DATE=NONE LAST-ACCESS=88.020/14:15:10 CLASS AUTHORIZATIONS=NONE NO-INSTALLATION-DATA NO-MODEL-NAME LOGON ALLOWED (DAYS) (TIME) -------------------------------- ANYDAY ANYTIME GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004 CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE:88.004 CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10 CONNECT ATTRIBUTES=NONE REVOKE DATE=NONE RESUME DATE=NONE SECURITY-LEVEL=NONE SPECIFIED CATEGORY AUTHORIZATION NONE SPECIFIED
  • 12. Slide 12 Logger -- Example: Windows NT Different logs for different types of events System event logs record system crashes, component failures, and other system events Application event logs record events that applications request be recorded Security event log records security-critical events such as logging in and out, system file accesses, and other events Logs are binary; use event viewer to see them If log full, can have system shut down, logging disabled, or logs overwritten
  • 13. Slide 13 Logger -- Windows NT Sample Entry Date: 2/12/2000 Source: Security Time: 13:03 Category: Detailed Tracking Type: Success EventID: 592 User: WINDSORAdministrator Computer: WINDSOR Description: A new process has been created: New Process ID: 2216594592 Image File Name: Program FilesInternet ExplorerIEXPLORE.EXE Creator Process ID: 2217918496 User Name: Administrator FDomain: WINDSOR Logon ID: (0x0,0x14B4c4)
  • 14. Slide 14 Analyzer Analyzes one or more logs Logs may come from multiple systems, or a single system May lead to changes in logging May lead to a report of an event
  • 15. Slide 15 Analyzer -- Examples Suppose a system administrator wants to list all systems from which users have connected using the rlogin or telnet program, excluding systems at the site. Use swatch patterns to match the lines generated by these remote connections. /telnet/&!/localhost/&!/*.site.com/ /telnet/&!/localhost/&!/*.site.com/ This line matches all log file entries containing the word “rlogin” and not containing either localhost or any string ending in “.site.com” – the local host domain. Swatch tool: http://www.unix.org.ua/orelly/networking/puis/ch10_06.htm
  • 16. Slide 16 Analyzer -- Examples A database query control mechanism Contains both a logger and a analyzer User prior queries to determine whether to answer current query If too much overlap between current query and past queries, do not answer
  • 17. Slide 17 Analyzer -- Examples Intrusion detection analysis engine (director) Takes data from sensors and determines if an intrusion is occurring Analyze log records for unexpected activity Analyze log records for known activity to be an attempt to compromise the system
  • 18. Slide 18 Notifier Informs analyst, other entities of results of analysis May reconfigure logging and/or analysis on basis of results
  • 19. Slide 19 Notifier -- Examples Using swatch to notify of telnets /telnet/&!/localhost/&!/*.site.com/mail staff /rlogin/&!/localhost/&!/*.site.com/mail staff Query set overlap control in databases Prevents response from being given if too much overlap occurs Reduce the union of all previous query set sizes to less than r Three failed logins in a row disable user account Notifier disables account, notifies sysadmin Record each attempt, check the number of consecutive failed login attempts, invoke the notifier.
  • 20. Slide 20 Designing an Audit System Essential component of security mechanisms Goals determine what is logged Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy So, audit functions that may violate the constraints Constraint pi : action  condition Require action be true before any valid conclusion about the condition can be deduced. Satisfaction of constraint  result is irrelevant Dissatisfaction of constraint  security violation
  • 21. Slide 21 Example: Bell-LaPadula Simple security condition and *-property S reads O  L(S) ≥ L(O) S writes O  L(S) ≤ L(O) http://courses.cs.vt.edu/~cs5204/fall99/protection/harsh/ To check for violations, on each read and write, must log L(S), L(O), action (read, write), and result (success, failure) What is illegal state? What to audit?
  • 22. Slide 22 Implementation Issues Show non-security or find violations? Security violation, the changes (necessary) Requires logging initial state Defining violations, Bell-LaPadula Model asserted specific type of data to be recorded during a “write” Potential Possibility? Multiple names for one object Logging goes by object and not name Representations can affect this (if you read raw disks, you’re reading files; can your auditing system determine which file?) Unix two representation: File system and low level disk blocks Unix systems generally cannot log all accesses to a given file, no log at disk block level.
  • 23. Slide 23 Syntactic Issues Data that is logged may be ambiguous BSM: two optional text fields followed by two mandatory text fields If three fields, which of the optional fields is omitted? Solution: use grammar to ensure well-defined syntax of log files
  • 24. Slide 24 Example entry : date host prog [ bad ] user [ “from” host ] “to” user “on” tty date : daytime host : string prog : string “:” bad : “FAILED” user : string tty : “/dev/” string Log file entry format defined unambiguously Audit mechanism could scan, interpret entries without confusion
  • 25. Slide 25 More Syntactic Issues Context Unknown user uses anonymous ftp to retrieve file “/etc/passwd” Logged as such Problem: which /etc/passwd file? One in system /etc directory One in anonymous ftp directory /var/ftp/etc, and as ftp thinks /var/ftp is the root directory, /etc/passwd refers to /var/ftp/etc/passwd
  • 26. Slide 26 Log Sanitization (confidentiality and privacy) U set of users, P policy defining set of information C(U) that U cannot see; log sanitized when all information in C(U) deleted from log Two types of P C(U) can’t leave site People inside site are trusted and information not sensitive to them Prevent indication of proprietary projects, release of IP of machines containing sensitive info C(U) can’t leave system People inside site not trusted or (more commonly) information sensitive to them Prevent the admin from spying on users Privacy consideration, only when … Don’t log this sensitive information
  • 27. Slide 27 Logging Organization Top prevents information from leaving site Users’ privacy not protected from system administrators, other administrative personnel Bottom prevents information from leaving system Data simply not recorded, or data scrambled before recording Could use cryptography to protect the data and allow for reconstruction Logging system Log Users Sanitizer Logging system Log Users Sanitizer
  • 28. Slide 28 Reconstruction Anonymizing sanitizer cannot be undone No way to recover data from this Pseudonymizing sanitizer can be undone Original log can be reconstructed Importance Suppose security analysis requires access to information that was sanitized?
  • 29. Slide 29 Issue Key: sanitization must preserve properties needed for security analysis If new properties added (because analysis changes), may have to resanitize information This requires pseudonymous sanitization or the original log
  • 30. Slide 30 Example Company wants to keep its IP addresses secret, but wants a consultant to analyze logs for an address scanning attack Connections to port 25 on IP addresses 10.163.5.10, 10.163.5.11, 10.163.5.12, 10.163.5.13, 10.163.5.14, 10.163.5.15 Sanitize with random IP addresses Cannot see sweep through consecutive IP addresses Sanitize with sequential IP addresses Can see sweep through consecutive IP addresses
  • 31. Slide 31 Generation of Pseudonyms 1. Devise set of pseudonyms to replace sensitive information • Replace data with pseudonyms • Maintain table mapping pseudonyms to data 2. Use random key to encipher sensitive datum and use secret sharing scheme to share key • Used when insiders cannot see unsanitized data, but outsiders (law enforcement) need to • Requires t out of n people to read data
  • 32. Slide 32 Application Logging Applications logs made by applications Applications control what is logged Typically use high-level abstractions such as: su: bishop to root on /dev/ttyp0 Does not include detailed, system call level information such as results, parameters, etc.
  • 33. Slide 33 System Logging Log system events such as kernel actions Typically use low-level events 3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8) 3876 ktrace NAMI "/usr/bin/su" 3876 ktrace NAMI "/usr/libexec/ld-elf.so.1" 3876 su RET xecve 0 3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0) 3876 su RET __sysctl 0 3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0) 3876 su RET mmap 671473664/0x2805e000 3876 su CALL geteuid 3876 su RET geteuid 0 Does not include high-level abstractions such as loading libraries (as above)
  • 34. Slide 34 Contrast Differ in focus Application logging focuses on application events, like failure to supply proper password, and the broad operation (what was the reason for the access attempt?) System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?) System logs usually much bigger than application logs Can do both, try to correlate them
  • 35. Slide 35 Design A posteriori design Need to design auditing mechanism for system not built with security in mind Goal of auditing Detect any violation of a stated policy Focus is on policy and actions designed to violate policy; specific actions may not be known Detect actions known to be part of an attempt to breach security Focus on specific actions that have been determined to indicate attacks
  • 36. Slide 36 Detect Violations of Known Policy Goal: does system enter a disallowed state? Two forms State-based auditing Look at current state of system Transition-based auditing Look at actions that transition system from one state to another
  • 37. Slide 37 State-Based Auditing Log information about state and determine if state allowed Assumption: you can get a snapshot of system state Snapshot needs to be consistent
  • 38. Slide 38 Example File system auditing tools Thought of as analyzing single state (snapshot) In reality, analyze many slices of different state unless file system quiescent Potential problem: if test at end depends on result of test at beginning, relevant parts of system state may have changed between the first test and the last Classic TOCTTOU flaw (time of check to time of use)
  • 39. Slide 39 Transition-Based Auditing Log information about action, and examine current state and proposed transition to determine if new state would be disallowed Note: just analyzing the transition may not be enough; you may need the initial state Tend to use this when specific transitions always require analysis (for example, change of privilege)
  • 40. Slide 40 Example TCP access control mechanism intercepts TCP connections and checks against a list of connections to be blocked (hosts.deny file) Obtains IP address of source of connection Logs IP address, port, and result (allowed/blocked) in log file Purely transition-based (current state not analyzed at all)
  • 41. Slide 41 Example American Online’s instant messaging system allows a user to sign on from at most one computer at a time. Mixture of state-based and transition-based auditing Examine the transtion (sign-on) Current state (whether signed on already) Report, block
  • 42. Slide 42 Detect Known Violations of Policy Goal: does a specific action and/or state that is known to violate security policy occur? Assume that action automatically violates policy Policy may be implicit, not explicit Used to look for known attacks
  • 43. Slide 43 Example Land attack Consider 3-way handshake to initiate TCP connection (next slide) What happens if source, destination ports and addresses the same? Host expects ACK(t+1), but gets ACK(s+1). RFC ambiguous: p. 36 of RFC: send reset (RST) to terminate connection p. 69 of RFC: reply with empty packet having current sequence number t+1 and ACK number s+1—but it receives packet and ACK number is incorrect. So it repeats this … system hangs or runs very slowly, depending on whether interrupts are disabled
  • 44. Slide 44 3-Way Handshake and Land Normal: 1. srcseq = s, expects ACK s+1 2. destseq = t, expects ACK t+1; src gets ACK s+1 3. srcseq = s+1, destseq = t+1; dest gets ACK t+1 Land: 1. srcseq = destseq = s, expects ACK s+1 2. srcseq = destseq = t, expects ACK t+1 but gets ACK s+1 3. Never reached; recovery from error in 2 attempted Source Destination SYN(s) ACK(s+1) SYN(t) ACK(t+1)
  • 45. Slide 45 Detection Must spot initial Land packet with source, destination addresses the same Logging requirement: source port number, IP address destination port number, IP address Auditing requirement: If source port number = destination port number and source IP address = destination IP address, packet is part of a Land attack
  • 47. Slide 47 Auditing Mechanisms Systems use different mechanisms Most common is to log all events by default, allow system administrator to disable logging that is unnecessary Two examples One audit system designed for a secure system One audit system designed for non-secure system
  • 48. Slide 48 Secure Systems Auditing mechanisms integrated into system design and implementation Security officer can configure reporting and logging: To report specific events To monitor accesses by a subject To monitor accesses to an object Controlled at audit subsystem Irrelevant accesses, actions not logged
  • 49. Slide 49 Example 1: VAX VMM Designed to be a secure production system Audit mechanism had to have minimal impact Audit mechanism had to be very reliable Kernel is layered Logging done where events of interest occur Each layer audits accesses to objects it controls Audit subsystem processes results of logging from mechanisms in kernel Audit subsystem manages system log Invoked by mechanisms in kernel
  • 50. Slide 50 VAX VMM Audit Subsystem Calls provide data to be logged Identification of event, result Auxiliary data depending on event Caller’s name Subsystem checks criteria for logging If request matcher, data is logged Criteria are subject or object named in audit table, and severity level (derived from result) Adds date and time, other information
  • 51. Slide 51 Other Issues Always logged Programmer can request event be logged Any attempt to violate policy Protection violations, login failures logged when they occur repeatedly Use of covert channels also logged Log filling up Audit logging process signaled to archive log when log is 75% full If not possible, system stops
  • 52. Slide 52 Example 2: CMW Compartmented Mode Workstation designed to allow processing at different levels of sensitivity Auditing subsystem keeps table of auditable events Entries indicate whether logging is turned on, what type of logging to use User level command chaud allows user to control auditing and what is audited If changes affect subjects, objects currently being logged, the logging completes and then the auditable events are changed
  • 53. Slide 53 CMW Process Control System calls allow process to control auditing audit_on turns logging on, names log file audit_write validates log entry given as parameter, logs entry if logging for that entry is turned on audit_suspend suspends logging temporarily audit_resume resumes logging after suspension audit_off turns logging off for that process
  • 54. Slide 54 System Calls On system call, if auditing on: System call recorded First 3 parameters recorded (but pointers not followed) How audit_write works If room in log, append new entry Otherwise halt system, discard new entry, or disable event that caused logging Continue to try to log other events
  • 55. Slide 55 Other Ways to Log Problem: some processes want to log higher- level abstractions (application logging) Window manager creates, writes high-level events to log Difficult to map low-level events into high-level ones Disables low-level logging for window manager as unnecessary
  • 56. Slide 56 CMW Auditing Tool (redux) to analyze logged events Converts binary logs to printable format Redux allows user to constrain printing based on several criteria Users Objects Security levels Events
  • 57. Slide 57 Non-Secure Systems Have some limited logging capabilities Log accounting data, or data for non-security purposes Possibly limited security data like failed logins Auditing subsystems focusing on security usually added after system completed May not be able to log all events, especially if limited kernel modifications to support audit subsystem
  • 58. Slide 58 Example: Basic Security Module BSM enhances SunOS, Solaris security Logs composed of records made up of tokens Token contains information about event: user identity, groups, file system information, network, system call and result, etc. as appropriate
  • 59. Slide 59 More About Records Records refer to auditable events Kernel events: opening a file Application events: failure to authenticate when logging in Grouped into audit event classes based on events causing record generation Before log created: tell system what to generate records for After log created: defined classes control which records given to analysis tools
  • 60. Slide 60 Example Record Logs are binary; this is from praudit header,35,AUE_EXIT,Wed Sep 18 11:35:28 1991, + 570000 msec, process,bishop,root,root,daemon,1234, return,Error 0,5 trailer,35
  • 61. Slide 61 Auditing File Systems Network File System (NFS) Industry standard Server exports file system; client imports it Root of tree being exported called server mount point; place in client file tree where exported file system imported called client mount point Logging and Auditing File System (LAFS) Built on NFS
  • 62. Slide 62 NFS Version 2 Mounting protocol Client kernel contacts server’s mount daemon Daemon checks client is authorized to mount file system Daemon returns file handle pointing to server mount point Client creates entry in client file system corresponding to file handle Access restrictions enforced On client side: server not aware of these On server side: client not aware of these
  • 63. Slide 63 File Access Protocol Process tries to open file as if it were local Client kernel sends file handle for element of path referring to remote file to server’s NFS server using LOOKUP request If file handle valid, server replies with appropriate file handle Client requests attributes with GETATTR Client then determines if access allowed; if not, denies Iterate above three steps until handle obtained for requested file Or access denied by client
  • 64. Slide 64 Other Important Details NFS stateless Server has no idea which files are being accessed and by whom NFS access control Most servers require requests to come from privileged programs Check that source port is 1023 or less Underlying messages identify user To some degree of certainty …
  • 65. Slide 65 Site Policy 1. NFS servers respond only to authorized clients 2. UNIX access controls regulate access to server’s exported file system 3. No client host can access a non-exported file system
  • 66. Slide 66 Resulting Constraints 1. File access granted  client authorized to import file system, user can search all parent directories, user can access file as requested, file is descendent of server’s file system mount point • From P1, P2, P3 2. Device file created or file type changed to device  user’s UID is 0 • From P2; only UID 0 can do these actions
  • 67. Slide 67 More Constraints 3. Possession of file handle  file handle issued to user • From P1, P2; otherwise unauthorized client could access files in forbidden ways 4. Operation succeeds  similar local operation would succeed • From P2; mount should fail if requester UID not 0
  • 68. Slide 68 NFS Operations Transitions from secure to non-secure state can occur only when NFS command occurs Example commands: MOUNT filesystem Mount the named file system on the requesting client, if allowed LOOKUP dir_handle file_name Search in directory with handle dir_handle for file named file_name; return file handle for file_name
  • 69. Slide 69 Logging Requirements 1.When file handle issued, server records handle, UID and GID of user requesting it, client host making request • Similar to allocating file descriptor when file opened; allows validation of later requests 2.When file handle used as parameter, server records UID, GID of user • Was user using file handle issued that file handle—useful for detecting spoofs
  • 70. Slide 70 Logging Requirements 3. When file handle issued, server records relevant attributes of containing object • On LOOKUP, attributes of containing directory show whether it can be searched 4. Record results of each operation • Lets auditor determine result 5. Record file names used as arguments • Reconstruct path names, purpose of commands
  • 71. Slide 71 Audit Criteria: MOUNT MOUNT Check that MOUNT server denies all requests by unauthorized clients to import file system that host exports Obtained from constraints 1, 4 Log requirements 1 (who requests it), 3 (access attributes—to whom can it be exported), 4 (result)
  • 72. Slide 72 Audit Criteria: LOOKUP 2. Check file handle comes from client, user to which it was issued • Obtained from constraint 3 • Log requirement 1 (who issued to), 2 (who is using) 3. Check that directory has file system mount point as ancestor and user has search permission on directory • Obtained from constraint 1 • Log requirements 2 (who is using handle), 3 (owner, group, type, permissions of object), 4 (result), 5 (reconstruct path name)
  • 73. Slide 73 LAFS File system that records user level activities Uses policy-based language to automate checks for violation of policies Implemented as extension to NFS You create directory with lmkdir and attach policy with lattach: lmkdir /usr/home/xyzzy/project policy lattach /usr/home/xyzzy/project /lafs/xyzzy/project
  • 74. Slide 74 LAFS Components Name server File manager Configuration assistant Sets up required protection modes; interacts with name server, underlying file protection mechanisms Audit logger Logs file accesses; invoked whenever process accesses file Policy checker Validates policies, checks logs conform to policy
  • 75. Slide 75 How It Works No changes to applications Each file has 3 associated virtual files file%log: all accesses to file file%policy: access control policy for file file%audit: when accessed, triggers audit in which accesses are compared to policy for file Virtual files not shown in listing LAFS knows the extensions and handles them properly
  • 76. Slide 76 Example Policies prohibit:0900-1700:*:*:wumpus:exec No-one can execute wumpus between 9AM and 5PM allow:*:Makefile:*:make:read allow:*:Makefile:Owner:makedepend:write allow:*:*.o,*.out:Owner,Group:gcc,ld:write allow:-010929:*.c,*.h:Owner:emacs,vi,ed:write Program make can read Makefile Owner can change Makefile using makedepend Owner, group member can create .o, .out files using gcc and ld Owner can modify .c, .h files using named editors up to Sep. 29, 2001
  • 77. Slide 77 Comparison Security policy controls access Goal is to detect, report violations Auditing mechanisms built in LAFS “stacked” onto NFS If you access files not through LAFS, access not recorded NFS auditing at lower layer So if you use NFS, accesses recorded
  • 78. Slide 78 Comparison Users can specify policies in LAFS Use %policy file NFS policy embedded, not easily changed It would be set by site, not users Which is better? Depends on goal; LAFS is more flexible but easier to evade. Use both together, perhaps?
  • 79. Slide 79 Audit Browsing Goal of browser: present log information in a form easy to understand and use Several reasons to do this: Audit mechanisms may miss problems that auditors will spot Mechanisms may be unsophisticated or make invalid assumptions about log format or meaning Logs usually not integrated; often different formats, syntax, etc.
  • 80. Slide 80 Browsing Techniques Text display Does not indicate relationships between events Hypertext display Indicates local relationships between events Does not indicate global relationships clearly Relational database browsing DBMS performs correlations, so auditor need not know in advance what associations are of interest Preprocessing required, and may limit the associations DBMS can make
  • 81. Slide 81 More Browsing Techniques Replay Shows events occurring in order; if multiple logs, intermingles entries Graphing Nodes are entities, edges relationships Often too cluttered to show everything, so graphing selects subsets of events Slicing Show minimum set of log events affecting object Focuses on local relationships, not global ones
  • 82. Slide 82 Example: Visual Audit Browser Frame Visualizer Generates graphical representation of logs Movie Maker Generates sequence of graphs, each event creating a new graph suitably modified Hypertext Generator Produces page per user, page per modified file, summary and index pages Focused Audit Browser Enter node name, displays node, incident edges, and nodes at end of edges
  • 83. Slide 83 Example Use File changed Use focused audit browser Changed file is initial focus Edges show which processes have altered file Focus on suspicious process Iterate through nodes until method used to gain access to system determined Question: is masquerade occurring? Auditor knows audit UID of attacker
  • 84. Slide 84 Tracking Attacker Use hypertext generator to get all audit records with that UID Now examine them for irregular activity Frame visualizer may help here Once found, work forward to reconstruct activity For non-technical people, use movie maker to show what happened Helpful for law enforcement authorities especially!
  • 85. Slide 85 Example: MieLog Computes counts of single words, word pairs Auditor defines “threshold count” MieLog colors data with counts higher than threshold Display uses graphics and text together Tag appearance frequency area: colored based on frequency (e.g., red is rare) Time information area: bar graph showing number of log entries in that period of time; click to get entries Outline of message area: outline of log messages, colored to match tag appearance frequency area Message in text area: displays log entry under study
  • 86. Slide 86 Example Use Auditor notices unexpected gap in time information area No log entries during that time!?!? Auditor focuses on log entries before, after gap Wants to know why logging turned off, then turned back on Color of words in entries helps auditor find similar entries elsewhere and reconstruct patterns
  • 87. Slide 87 Key Points Logging is collection and recording; audit is analysis Need to have clear goals when designing an audit system Auditing should be designed into system, not patched into system after it is implemented Browsing through logs helps auditors determine completeness of audit (and effectiveness of audit mechanisms!)