Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audit BoFS Steve Grubb Red Hat. RHEL4 Audit ● CAPP/EAL4+ with IBM ● Certified by NIAP ● HP and Unisys under eval.

Published byReginald Harper Modified over 7 years ago

Similar presentations

Presentation on theme: "Audit BoFS Steve Grubb Red Hat. RHEL4 Audit ● CAPP/EAL4+ with IBM ● Certified by NIAP ● HP and Unisys under eval."— Presentation transcript:

1 Audit BoFS Steve Grubb Red Hat

2 RHEL4 Audit

3 ● CAPP/EAL4+ with IBM ● Certified by NIAP ● HP and Unisys under eval

4 Changes Needed ● Amtu, at, coreutils, dbus, gdm, glibc, kdm, openssh, pam, passwd, shadow, util-linux, vixie- cron, vsftpd, xdm. ● All entry point programs must set loginuid ● Apps that modify trusted databases updated to send audit event records

5 Audit Filters

6 Known Uses ● Resource utilization review – Cron & aureport ● Boot performance analysis – filemond bootchart.org ● SE Linux policy guidance – Ausearch & audit2allow

7 Current Work

8 RHEL4 ● RHEL4 U2 – CAPP ● RHEL4 U3 – NISPOM ● RHEL4 U4 – SOX ● Fedora Core 5 – LSPP

9 NISPOM ● Audit-1.0.12 ● Login/Logout – gdm, sshd, login ● Black listing tty & accts - pam_tally ● Report tools - aureport

10 Sarbanes-Oxley ● Audit-1.0.15 ● Execve enhancements ● Collect all parameters in aux record ● Add tty to record

11 LSPP ● Add context to all record ● Add ability to audit by SE Linux user, role, type ● Add terminal to syscall records for RBAC ● Search by SE Linux user, role, type ● Audit records hardcoded in kernel for policy load, boolean change, SE Linux enable/disable

12 LSPP ● Cups audit events ● Device allocator audit evens

13 Other ● Performance update

14 Future Work

15 Library to Parse Events ● Create framework to allow apps to pull audit events from the logs ● Ausearch & aureport will use ● Encapsulate log format knowledge so apps don't need to know

16 Kernel ● Ability to track child processes ● Needed for autrace

17 Audit Event Dispatcher ● To meet DCID 6/3 Audit 9 need to respond in realtime to suspicious events ● Auditd forks and exec's dispatcher ● Comm is done via socketpair ● Dispatcher reads stdin for events ● Example in contrib/skeleton.c

18 Audit Event Dispatcher ● /sbin/audispd ● Will be plugin based ● Relay events – Ssl, syslog, dbus, snmp ● Input events, other systems, iptables

19 Audit Event Dispatcher ● Analyze events - anomalies – Failed logins within certain time – Logins at strange times – Max concurrent sessions reached – Logins from certain accounts – Logins from certain locations – Certain number of DAC failures

20 Audit Event Dispatcher ● Analyze events – Certain number of MAC failures – Failure of amtu – Failure of LSPP/RBAC self test – Failure of crypto test – Attempt to access certain directory – Attempt to execute certain programs

21 Audit Event Dispatcher ● Analyze events – Adding account – Deleting account – Changes to account

22 Audit Event Dispatcher ● React to anomaly events – Ignore – Log it – Alert admin – console message, dbus, email, snmp – Kill process – Kill session – Terminate access – logout, forge FIN packet, iptables

23 Audit Event Dispatcher ● React to anomaly events – Lock account for time – Lock account for remote access – Lock account – Lock terminal – Set SE Linux boolean – Execute script

24 Audit Event Dispatcher ● React to anomaly events – Change to Single user mode – Halt system

25 Audit Explorer ● Gui to review logs ● Likely to look like spreadsheet with cells ● Right click on cell to list searches ● Based on aureport as bottom layer

26 Questions ? ● User space tools: http://people.redhat.com/sgrubb/audit http://people.redhat.com/sgrubb/audit ● Mail list: http://www.redhat.com/mailman/listinfo/linux- audit

Download ppt "Audit BoFS Steve Grubb Red Hat. RHEL4 Audit ● CAPP/EAL4+ with IBM ● Certified by NIAP ● HP and Unisys under eval."

Similar presentations

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.

This course is designed for system managers/administrators to better understand the SAAZ Desktop and Server Management components Students will learn.
Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.

Netflow Data-Mining Techniques Chris Poetzel Argonne National Laboratory Scott Pinkerton.
The Linux Audit Framework

The Linux Audit Framework
Guide to MCSE 70-290, Enhanced 1 Activity 14-1: Browsing Security Templates Objective: To become familiar with built-in security templates Start  Run.

Guide to MCSE , Enhanced 1 Activity 14-1: Browsing Security Templates Objective: To become familiar with built-in security templates Start  Run.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Operating-System Structures

Operating-System Structures
Diagnostics. Module Objectives By the end of this module participants will be able to: Use diagnostic commands to troubleshoot and monitor performance.

Diagnostics. Module Objectives By the end of this module participants will be able to: Use diagnostic commands to troubleshoot and monitor performance.
Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.

Chapter 11 - Monitoring Server Performance1 Ch. 11 – Monitoring Server Performance MIS 431 – created Spring 2006.
Security SIG: Introduction to Tripwire Chris Harwood John Ives.

Security SIG: Introduction to Tripwire Chris Harwood John Ives.
New UI Changes for Endpoint Security in LDMS 9.6 SP2.

New UI Changes for Endpoint Security in LDMS 9.6 SP2.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.
Monitoring System Monitors Basics Monitor Types Alarms Actions RRD Charts Reports.

Monitoring System Monitors Basics Monitor Types Alarms Actions RRD Charts Reports.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Security Guidelines and Management

Security Guidelines and Management
ManageEngine ADAudit Plus A detailed walkthrough.

ManageEngine ADAudit Plus A detailed walkthrough.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 12: Managing and Implementing Backups and Disaster Recovery.
Linux System Administration LINUX SYSTEM ADMINISTRATION.

Linux System Administration LINUX SYSTEM ADMINISTRATION.
Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing.

Guide to Operating System Security Chapter 12 Security through Monitoring and Auditing.
1 Chapter Overview Monitoring Server Performance Monitoring Shared Resources Microsoft Windows 2000 Auditing.

1 Chapter Overview Monitoring Server Performance Monitoring Shared Resources Microsoft Windows 2000 Auditing.

Similar presentations

Ads by Google