audit question (fwd)

Ilmar S. Habibulin ilmar at watson.org
Wed Nov 14 09:38:03 GMT 2001


Another one of my thoughts. How about creating some subject and object
tokens, as attributes of subjects and objects, set upon their
creation? Then we have only one problem: how to make these tokens
unique. So upon fork(), socket(), open(), creat(), pipe(), etc. we create
some unique token for the object. Then we can store the path or any other
known attributes of the object, and afterwards only refer to the object's token in audit
records. A user-level daemon will then parse the audit records and store the
appropriate paths or something else in logfiles. So some sort of hash map
should be implemented in the user-level process (again, it is much
easier to hack a user-level daemon than the kernel).
And one more possible problem: there must be some object deactivation
record, after reading which the user-level daemon should delete the object-token
mapping.

> to records correlation i can make... so I'm actually kind of asking if
> anyone has any non-critical logs they could share with me so that I could
> work on this idea?

OK, here are my fixed log messages (as an example, so don't laugh):
1) User username(_uid_) tried to open file _filename_ for _action_ with _process name_[_PID_]. User label _level_ (_compartment_). _result_
"User user(1000) tried to open file /etc/master.passwd for writing with vi[123].  User label 0(0).failed"
- open record

2) User username(_uid_) tried to _action_ file _program path_ with _process name_[_PID_]. _result_
"User user(1000) tried to exec file /usr/bin/vi with sh[123]. success"
- exec/exit record

3) User username(_uid_) tried to create socket with _process name_[_PID_]. User label _level_ (_compartment_).  _result_
"User user(1000) tried to create socket with ftp[123]. User label 0(0).success"
- create socket record

4) User username(_uid_) tried to create file _filename_ with _process name_ [_PID_]. User label _level_(_compartment_).  _result_
"User user(1000) tried to create file /tmp/test.audit with vi[123]. User label 0(0).success"
- create file record

5) MAC:User username(_uid_) tried to _action_ with _process name_ on dev(_mount point_,_inode_). User label _level_(_compartment_). File label _level_(_compartment_). _result_
"MAC:User guest(1111) tried to write with cat on dev(/,345). User label 0(0). File label 1(0). failed"
- MAC-related read/write file records (they are mandatory and the result is always failed)

6) MAC:User username(_uid_) tried to do _action_ on socket with _process name_[_PID_]. User label _level_(_compartment_). Socket label _level_(_compartment_). _result_
- MAC-related read/write socket records (they are mandatory and the result is always failed)

7) User username(_uid_) tried to do _action_ on file _filename_ with _process name_[_PID_]. User label _level_(_compartment_). File label _level_(_compartment_). _result_
- general file ops record

8) User username(_uid_) tried to delete file _filename_ with _process name_[_PID_]. User label _level_(_compartment_). File label _level_(_compartment_). _result_
- file delete record

9) User username(_uid_) tried to do _action_ on file(_inode_) on dev(_mount point_) with _process name_[_PID_]. User label _level_(_compartment_). File label _level_(_compartment_)._result_
- general file descriptor ops record

10) MAC:_net event_:socket(_uid_) label _level_(_compartment_), packet label _level_(_compartment_)
- MAC-related read/write socket/packet records (they are mandatory and the result is always failed)

11) Socket created by uid _uid_ with label _level_(_compartment_) received incoming connection
- incoming connection record

12) User username(_uid_) tried to delete socket with _process name_[_PID_]. User label _level_(_compartment_). Socket label unknown._result_
- close socket record
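A sketch of the user-level side of the token scheme proposed at the top of this message, written as an added example (it is not TrustedBSD code, and the record layout is invented for the sketch): the kernel is assumed to emit one record per event as a dict with three assumed types, "open" (carries the token and the path), "fdop" (names the object by token only) and "deactivate" (tells the daemon to drop the mapping). The daemon keeps the token-to-path map, renders the fixed-format lines 1 and 7 from the list above, and counts the two things that go wrong with such a map: a creation record for a token that is still mapped (the uniqueness problem), and an operation record for a token it cannot resolve (a missed or premature deactivation).

```python
"""User-level audit daemon sketch for the token scheme (added example).

Assumptions (not from the original message or TrustedBSD):
  - records are dicts with a "type" of "open", "fdop" or "deactivate";
  - only "open" records carry the object's path;
  - a mapping is stored only when the open succeeded, since a failed
    open yields no descriptor for later records to refer to.
"""
from typing import Dict, List, Optional, Tuple

Label = Tuple[int, int]  # (level, compartment), printed as level(compartment)


def fmt_label(label: Label) -> str:
    return "%d(%d)" % label


class AuditDaemon:
    def __init__(self) -> None:
        self.paths: Dict[int, str] = {}   # token -> path learned at creation
        self.lines: List[str] = []        # human-readable lines written out
        self.collisions = 0               # create record for a still-mapped token
        self.unresolved = 0               # op record for a token we never mapped

    def resolve(self, token: int) -> str:
        """Translate a token back to a path; count the ones we cannot."""
        path = self.paths.get(token)
        if path is None:
            self.unresolved += 1
            return "<token %d>" % token
        return path

    def handle(self, rec: dict) -> Optional[str]:
        kind = rec["type"]
        if kind == "deactivate":
            # Object deactivation record: forget the token so a later reuse
            # of the same token value is not mis-attributed to the old path.
            self.paths.pop(rec["token"], None)
            return None
        who = "User %s(%d)" % (rec["user"], rec["uid"])
        proc = "%s[%d]" % (rec["proc"], rec["pid"])
        if kind == "open":
            token = rec["token"]
            if token in self.paths:
                # A token must be unique while the object lives; a second
                # creation record for a live token means the kernel reused
                # it or the daemon missed the deactivation record.
                self.collisions += 1
            if rec["result"] == "success":
                self.paths[token] = rec["path"]
            line = "%s tried to open file %s for %s with %s. User label %s. %s" % (
                who, rec["path"], rec["action"], proc,
                fmt_label(rec["ulabel"]), rec["result"])
        elif kind == "fdop":
            # General file ops record (format 7): the path comes from the map.
            line = "%s tried to do %s on file %s with %s. User label %s. File label %s. %s" % (
                who, rec["action"], self.resolve(rec["token"]), proc,
                fmt_label(rec["ulabel"]), fmt_label(rec["flabel"]), rec["result"])
        else:
            raise ValueError("unknown record type %r" % kind)
        self.lines.append(line)
        return line


# Constructed sample record stream; not captured from any real system.
SAMPLE_RECORDS = [
    {"type": "open", "token": 7, "path": "/etc/master.passwd", "action": "writing",
     "user": "user", "uid": 1000, "proc": "vi", "pid": 123,
     "ulabel": (0, 0), "result": "failed"},
    {"type": "open", "token": 8, "path": "/tmp/test.audit", "action": "writing",
     "user": "user", "uid": 1000, "proc": "vi", "pid": 123,
     "ulabel": (0, 0), "result": "success"},
    {"type": "fdop", "token": 8, "action": "write", "user": "user", "uid": 1000,
     "proc": "vi", "pid": 123, "ulabel": (0, 0), "flabel": (0, 0), "result": "success"},
    {"type": "deactivate", "token": 8},
    # Arrives after deactivation: the daemon can no longer name the path.
    {"type": "fdop", "token": 8, "action": "read", "user": "user", "uid": 1000,
     "proc": "vi", "pid": 123, "ulabel": (0, 0), "flabel": (0, 0), "result": "success"},
]


def run(records=SAMPLE_RECORDS) -> AuditDaemon:
    daemon = AuditDaemon()
    for rec in records:
        daemon.handle(rec)
    return daemon


if __name__ == "__main__":
    for line in run().lines:
        print(line)
```

The two counters are the check worth keeping in a real daemon: a non-zero `collisions` value means the kernel's token allocation is not unique over an object's lifetime (or deactivation records are being lost), and a non-zero `unresolved` value means records are arriving for objects the daemon has already forgotten, so the printed path would be wrong or missing either way.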
