06 Administration&Audit


  • 7/30/2019 06 Administration&Audit

    Chapter 6: Administration and Audit

    Administration issues: security principles
    Risk assessment
    Security vulnerabilities

    Accountability

    Users must be monitored and held responsible for their actions (intentional or accidental).
    Use auditing techniques or record actions.
    Authenticate the person performing the action.

    Multi-factor authentication

    Authentication verifies the user and determines their privileges.
    Using several authentication factors increases security.
    ATM system: authentication by card and PIN.

    Least privilege

    Do not elevate privileges for ordinary users.
    Application programs run with the minimum privileges needed to perform their function.
    Application developers do not need the highest privileges in the system.
    Keep the number of administrative accounts to a minimum.
    Examine administrative accounts carefully when an attack occurs.

    Mail server

    The mail server receives mail from the Internet and copies it into the spool directory.
    A local server will complete delivery.
    The mail server needs the right to access the required port, to create files in the spool directory, and to modify them, so it can copy the message into the file and rewrite the delivery address if needed.
    Its rights should be removed once it has finished writing the file, because it does not need to access that file again.

    Fail-safe defaults

    The default action is to deny access.
    If an action fails, make sure the system returns to a state as safe as before the action began.

    Mail server

    If the mail server cannot create a file in the spool directory, it should close the connection, report the error, and stop.
    It should not try to store the email elsewhere or increase its storage privileges: an attacker could use that ability to overwrite other files or fill up other disks.
    The spool directory should only allow the mail server to create/write and the local server to read/delete.

    Economy of mechanism

    The simpler a security mechanism, the better (KISS principle).
    Simpler means fewer errors, and when errors occur, they are easier to understand and fix.
    Interfaces with other modules or interactions with other systems are the problem area: modules often make implicit assumptions about input or output parameters.

    The finger protocol

    The finger protocol returns information about a system.
    The client program usually assumes that the server returns results in the correct format.
    An attacker can set up a server that returns an unbounded string of characters; when the client connects and prints everything returned, it fills the disk and the log files.
    This is an example of incorrect assumptions about the input to the client.

    Complete mediation

    Check every access.
    Common mistake: checking only once, when the first action takes place (UNIX: access checked on open, not checked thereafter).
    If access rights change right after that, unauthorized accesses may be let through.

    DNS cache

    DNS caches the mapping between host names and addresses.
    An attacker can poison the cache by planting incorrect mappings into the cache table, so that address resolution gives wrong answers: one host will route connections to another host incorrectly.

    Open design

    Security mechanisms should not depend on the secrecy of their design or implementation.
    Popularly misunderstood to mean that source code should be public.
    "Security through obscurity".
    Does not apply to information such as passwords or cryptographic keys.

    Separation of privilege

    Several conditions must be checked before a privilege is granted.
    Separation of duty; defense in depth.
    Berkeley UNIX only lets a user switch to root when the user:
        knows the root password, and
        belongs to the wheel group.

    Least common mechanism

    Access should not be shared: information can flow along shared channels.
    Covert channels.
    Isolation: virtual machines, sandboxes.

    E-commerce web site

    A web site provides e-commerce services for a company.
    Attackers want to damage the company's revenue: they flood the site with messages and tie up the electronic commerce services.
    Legitimate customers are unable to access the web site and, as a result, take their business elsewhere.
    Cause: the Internet access channel is shared with the attackers' site.

    E-commerce web site

    Countermeasure: restrict the attackers' access.
    Proxy servers: Purdue SYN intermediary - detects the suspect connections.
    Traffic throttling: reduces the load on the relevant segment of the network indiscriminately.

    Psychological acceptability

    Security mechanisms should not make access to resources more complicated.
    Hide the complexity introduced by security mechanisms.
    Ease of installation, configuration, use.
    Human factors are critical here.
    In practice, security mechanisms do add some complexity, but it should stay at a reasonable level.

    Changing email settings

    Users must re-enter their password when they want to change the password.
    Other changes do not require re-entering the password.

    Risk assessment

    Determine the sensitivity of the system.
        Identify the information the organization considers important.
        Systems that process, transmit, store, etc. important information become important themselves.
    Identify the risks the system may face.
        Security vulnerabilities.
        Threats: human, environmental, internal, external, deliberate, accidental.

    Risk assessment

    Identify countermeasures.
        Methods that reduce or eliminate threats (technical measures, policy measures, etc.).
    Determine the damage when an incident occurs.
        Financial, reputational, legal.

    Risk assessment

    Determine the acceptable level of damage.
        Related to the cost of the response options.
    Implement the risk response plan.
        Stay within the acceptable risk range, up to the point where the incident can be eliminated entirely.

    Auditing
    Slide #21-22

    Overview of auditing
    How an audit system operates
    Designing an audit system
    Auditing mechanisms
    Examples: NFSv2, LAFS

    What is Auditing?

    Logging: recording events or statistics to provide information about system use and performance.
    Auditing: analysis of log records to present information about the system in a clear, understandable manner.

    Purpose

    Describe the security state: determine if the system enters an unauthorized state.
    Evaluate the effectiveness of protection mechanisms: determine which mechanisms are appropriate and working.
    Deter attacks because of the presence of a record.

    Problems

    What to log? Hint: we are looking for violations of a policy, so record at least what will show such violations.
    What to audit? Need not audit everything.
    Key: what is the policy involved?

    Audit system structure

    Logger: records information, usually controlled by parameters.
    Analyzer: analyzes logged information looking for something.
    Notifier: reports the results of the analysis.

    Logger

    The type and amount of information to record are set by system configuration parameters.
    The log may or may not be human-readable; if not, viewing tools are usually supplied.
    Available space and portability influence the storage format.

    Example: RACF

    Software that strengthens system access security for the z/OS and z/VM operating systems.
    Records failed logins and uses of privilege to change security levels.
    Events are viewed with the LISTUSERS command.

    RACF: Sample Entry

    USER=EW125004 NAME=S.J.TURNER OWNER=SECADM CREATED=88.004
    DEFAULT-GROUP=HUMRES PASSDATE=88.004 PASS-INTERVAL=30
    ATTRIBUTES=ADSP
    REVOKE DATE=NONE RESUME-DATE=NONE
    LAST-ACCESS=88.020/14:15:10
    CLASS AUTHORIZATIONS=NONE
    NO-INSTALLATION-DATA
    NO-MODEL-NAME
    LOGON ALLOWED (DAYS) (TIME)
    --------------------------------
    ANYDAY ANYTIME
    GROUP=HUMRES AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE=88.004
    CONNECTS= 15 UACC=READ LAST-CONNECT=88.018/16:45:06
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
    GROUP=PERSNL AUTH=JOIN CONNECT-OWNER=SECADM CONNECT-DATE:88.004
    CONNECTS= 25 UACC=READ LAST-CONNECT=88.020/14:15:10
    CONNECT ATTRIBUTES=NONE
    REVOKE DATE=NONE RESUME DATE=NONE
    SECURITY-LEVEL=NONE SPECIFIED
    CATEGORY AUTHORIZATION
    NONE SPECIFIED

    Example: Windows NT

    Different logs are used for different kinds of events:
        System event log records system crashes, component failures, and other system events.
        Application event log records events that applications request be recorded.
        Security event log records security-critical events such as logging in and out, system file accesses, and other events.
    Logs are written in binary form; use the event viewer to read them.
    If the logs fill up, the system may shut down, stop logging, or overwrite.

    Windows NT Sample Entry

    Date: 2/12/2000 Source: Security
    Time: 13:03 Category: Detailed Tracking
    Type: Success EventID: 592
    User: WINDSOR\Administrator
    Computer: WINDSOR
    Description:
    A new process has been created:
    New Process ID: 2216594592
    Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
    Creator Process ID: 2217918496
    User Name: Administrator
    Domain: WINDSOR
    Logon ID: (0x0,0x14B4c4)
    [would be in graphical format]

    Analyzer

    Analyzes the information recorded in the logs.
    Logs may come from multiple systems, or a single system.
    May lead to changes in logging.
    May lead to a report of an event.

    Examples

    Using the swatch command to find telnet sessions in tcpd logs:
        /telnet/&!/localhost/&!/*.site.com/
    Intrusion detection analyzer: takes data from sensors and determines if an intrusion is occurring.

    Notifier

    Informs the analyst and other parties of the results of the analysis.
    May reconfigure the logging or the analysis on the basis of the results obtained.

    Examples

    Using the swatch command to warn about telnets:
        /telnet/&!/localhost/&!/*.site.com/ mail staff
    Three failed logins lock the user's account: the notifier disables the account and notifies the sysadmin.

    Designing an audit system

    A fundamental component of security mechanisms.
    The audit goals determine what is recorded.
    Idea: auditors want to detect violations of policy, which provides a set of constraints that the set of possible actions must satisfy.
    So, audit functions that may violate the constraints.
    Constraint p_i : action ⇒ condition

    Example: Bell-LaPadula

    Simple security condition and *-property:
        S reads O ⇒ L(S) ≥ L(O)
        S writes O ⇒ L(S) ≤ L(O)
    To check for violations, whenever a read or write happens, record L(S), L(O), the action (read, write), and the result (success, failure).
    Note: need not record S, O! In practice this is done to identify the object of the (attempted) violation and the user attempting the violation.
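The logging rule on this slide, carried through as an added example that is not part of the lecture: a reference monitor records only L(S), L(O), the action and the result, and an audit pass re-derives the Bell-LaPadula constraint from those four fields, catching both attempted violations (failures) and an access that succeeded although the condition did not hold. The level names, user names, object names and the records are constructed.

```python
"""Auditing Bell-LaPadula read/write constraints from log records that hold
only L(S), L(O), the action and the result.  Levels, users, objects and the
sample records are constructed for this illustration."""
from dataclasses import dataclass
from typing import List, Tuple

# Linear ordering of security levels (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class AuditRecord:
    subject_level: str   # L(S)
    object_level: str    # L(O)
    action: str          # "read" or "write"
    result: str          # "success" or "failure"
    subject: str         # not needed for the check; kept to name the user
    obj: str             # not needed for the check; kept to name the object


def condition_holds(action: str, l_s: str, l_o: str) -> bool:
    """The constraint's condition: reads need L(S) >= L(O) (simple security
    condition), writes need L(S) <= L(O) (*-property)."""
    if action == "read":
        return LEVELS[l_s] >= LEVELS[l_o]
    if action == "write":
        return LEVELS[l_s] <= LEVELS[l_o]
    raise ValueError(f"unknown action {action!r}")


def mediate(log: List[AuditRecord], subject: str, l_s: str,
            obj: str, l_o: str, action: str) -> bool:
    """Reference monitor: decide, then log exactly the fields the audit needs."""
    allowed = condition_holds(action, l_s, l_o)
    log.append(AuditRecord(l_s, l_o, action,
                           "success" if allowed else "failure", subject, obj))
    return allowed


def audit(log: List[AuditRecord]) -> Tuple[List[AuditRecord], List[AuditRecord]]:
    """Re-derive the constraint from each record.  A successful action whose
    condition does not hold is an actual violation (the monitor was bypassed or
    is buggy); a failed action is an attempted violation worth reporting."""
    violations, attempts = [], []
    for rec in log:
        ok = condition_holds(rec.action, rec.subject_level, rec.object_level)
        if rec.result == "success" and not ok:
            violations.append(rec)
        elif rec.result == "failure":
            attempts.append(rec)
    return violations, attempts


def demo() -> Tuple[int, int]:
    """Run a few mediated accesses plus one constructed record of a write-down
    that somehow succeeded (e.g. a code path that skipped mediation)."""
    log: List[AuditRecord] = []
    mediate(log, "alice", "SECRET", "plan.doc", "CONFIDENTIAL", "read")   # allowed
    mediate(log, "bob", "CONFIDENTIAL", "plan.doc", "SECRET", "read")     # denied: read up
    mediate(log, "alice", "SECRET", "memo.txt", "UNCLASSIFIED", "write")  # denied: write down
    log.append(AuditRecord("TOP SECRET", "UNCLASSIFIED", "write", "success",
                           "carol", "public.txt"))                         # only the audit sees this
    violations, attempts = audit(log)
    return len(violations), len(attempts)


if __name__ == "__main__":
    print("violations, attempted violations:", demo())
```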

    Implementation issues

    Show that the system is in a non-secure state, or audit for violations?
        The former requires logging the initial state as well as the changes.
    Defining a violation: does "write" include append and create directory?
    Objects have multiple names: logging goes by object and not by name.
        Representations can affect this (if you read raw disks, you're reading files; can your auditing system determine which file?).

    Syntactic issues

    The recorded data may be ambiguous.
        BSM: two optional text fields followed by two mandatory text fields. If three fields are present, which of the optional fields was omitted?
    Solution: use a grammar to describe the syntax of the log files.

    Example

    entry : date host prog [ bad ] user [ "from" host ] "to" user "on" tty
    date  : daytime
    host  : string
    prog  : string ":"
    bad   : "FAILED"
    user  : string
    tty   : "/dev/" string

    The log file entry format is defined unambiguously.
    The audit mechanism could scan and interpret entries without confusion.
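A parser for the grammar above, as an added example (not from the lecture): the keyword tokens FAILED, from, to and on make the optional fields unambiguous, so the parser can tell exactly which optional field was omitted. The sample entries, the assumed "Mon DD HH:MM:SS" shape of the daytime token, and the helper names are constructed.

```python
"""Recursive-descent parser for the su log-entry grammar on the slide.
The sample lines and the shape assumed for the daytime token are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed application-log lines in the grammar's format.
SAMPLE_LOG = [
    "Sep 16 19:34:33 paradigm su: bishop to root on /dev/ttyp0",
    "Sep 16 19:35:02 paradigm su: FAILED mallory from gw.example.net to root on /dev/ttyp1",
]

# Assumed shape of the daytime token: "Mon DD HH:MM:SS".
_DAYTIME = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d$")


@dataclass(frozen=True)
class Entry:
    date: str
    host: str
    prog: str
    failed: bool               # [ bad ] present?
    user: str
    from_host: Optional[str]   # [ from host ] present?
    to_user: str
    tty: str


class ParseError(ValueError):
    pass


class _Cursor:
    """Token stream with lookahead; every grammar symbol consumes from it."""
    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expect: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None:
            raise ParseError("unexpected end of entry")
        if expect is not None and tok != expect:
            raise ParseError(f"expected {expect!r}, got {tok!r}")
        self.i += 1
        return tok


def parse_entry(line: str) -> Entry:
    toks = line.split()
    if len(toks) < 3:
        raise ParseError("entry too short for a date")
    date = " ".join(toks[:3])                     # date : daytime
    if not _DAYTIME.match(date):
        raise ParseError(f"bad date {date!r}")
    c = _Cursor(toks[3:])
    host = c.take()                                # host : string
    prog = c.take()                                # prog : string ":"
    if len(prog) < 2 or not prog.endswith(":"):
        raise ParseError(f"bad prog {prog!r}")
    prog = prog[:-1]
    failed = False
    if c.peek() == "FAILED":                       # [ bad ]
        c.take()
        failed = True
    user = c.take()                                # user : string
    from_host = None
    if c.peek() == "from":                         # [ "from" host ]
        c.take()
        from_host = c.take()
    c.take("to")
    to_user = c.take()
    c.take("on")
    tty = c.take()                                 # tty : "/dev/" string
    if not tty.startswith("/dev/") or len(tty) <= 5:
        raise ParseError(f"bad tty {tty!r}")
    if c.peek() is not None:
        raise ParseError(f"trailing tokens {c.toks[c.i:]}")
    return Entry(date, host, prog, failed, user, from_host, to_user, tty)


def failed_root_escalations(lines: List[str]) -> List[Entry]:
    """One audit question the unambiguous format makes easy to answer."""
    return [e for e in map(parse_entry, lines) if e.failed and e.to_user == "root"]
```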

    More Syntactic Issues

    Context: an unknown user uses anonymous ftp to retrieve the file /etc/passwd, and it is logged as such.
    Problem: which /etc/passwd file?
        The one in the system /etc directory.
        The one in the anonymous ftp directory /var/ftp/etc: as ftp thinks /var/ftp is the root directory, /etc/passwd refers to /var/ftp/etc/passwd.

    Log sanitization

    Let U be a set of users and P a policy defining a set of information C(U) that U cannot access; a log is sanitized when all information in C(U) has been removed from it.
    Two kinds of policy:
        C(U) can't leave the site: people inside the site are trusted and the information is not sensitive to them.
        C(U) can't leave the system: people inside the site are not trusted or (more commonly) the information is sensitive to them. Don't log this sensitive information.

    Logging organization

    Top diagram: prevents information from leaving the site. Users' privacy is not protected from system administrators or other administrative personnel.
    Bottom diagram: prevents information from leaving the system. Data is simply not recorded, or scrambled before recording.
    [Diagram: two pipelines made of "Logging system", "Log", "Sanitizer" and "Users"; the top one sanitizes after the log is written, the bottom one before]

    Reconstruction

    Anonymizing sanitizer: no way to recover the data from the sanitized log.
    Pseudonymizing sanitizer: the original log can be reconstructed.
    Importance: suppose the security analysis requires access to information that was sanitized?

    Issues

    Key point: sanitization must preserve the properties needed for the security analysis.
    If new attributes are added (due to changes in the analysis), the information may have to be re-sanitized.
    This requires pseudonymous sanitization or the original log.

    Example

    A company wants to keep its IP addresses secret, but wants an outside consultant to analyze its logs to confirm an address-sweep attack.
    Connections to port 25 on IP addresses 10.163.5.10, 10.163.5.11, 10.163.5.12, 10.163.5.13, 10.163.5.14, 10.163.5.15.
    Sanitize with random IP addresses: the sweep through consecutive IP addresses cannot be seen.
    Sanitize with sequential IP addresses: the sweep through consecutive IP addresses can be seen.

    Generation of pseudonyms

    1. Generate a set of pseudonyms to replace the sensitive data (keeping the properties needed for analysis): replace the data with pseudonyms and maintain a table mapping pseudonyms to data.
    2. Encrypt the sensitive data with a random key and use secret sharing to share the key: used when insiders cannot see unsanitized data, but outsiders (law enforcement) need to. Requires t out of n people to read the data.

    Application Logging

    Application logs are created by applications; applications control what is logged.
    Typically use high-level abstractions such as:
        su: bishop to root on /dev/ttyp0
        smtp: delivery failed; could not connect to abcxy.net:25
    Does not include detailed, system-call-level information such as results, parameters, etc.

    System Logging

    Records system events (e.g. actions of the operating system); typically uses low-level events:

    3876 ktrace CALL execve(0xbfbff0c0,0xbfbff5cc,0xbfbff5d8)
    3876 ktrace NAMI "/usr/bin/su"
    3876 ktrace NAMI "/usr/libexec/ld-elf.so.1"
    3876 su RET execve 0
    3876 su CALL __sysctl(0xbfbff47c,0x2,0x2805c928,0xbfbff478,0,0)
    3876 su RET __sysctl 0
    3876 su CALL mmap(0,0x8000,0x3,0x1002,0xffffffff,0,0,0)
    3876 su RET mmap 671473664/0x2805e000
    3876 su CALL geteuid
    3876 su RET geteuid 0

    Does not include high-level abstractions such as loading libraries (as above).

    Comparison

    They have different monitoring focuses:
        Application logging focuses on application events, like failure to supply a proper password, and the broad operation (what was the reason for the access attempt?).
        System logging focuses on system events, like memory mapping or file accesses, and the underlying causes (why did access fail?).
    System logs are usually much larger than application logs.
    Both can be done, and correlations built between them.

    Design

    A posteriori design: audit mechanisms must be designed for systems that were built without attention to security.
    Audit goals:
        Detect any violation of policy: the focus is on policy and actions designed to violate policy; specific actions may not be known.
        Detect actions related to attempts to breach security: the focus is on specific actions that have been determined to indicate attacks.

    Detecting violations of policy

    Goal: has the system been moved into an unauthorized state?
    Two forms:
        State-based auditing: look at the current state of the system.
        Transition-based auditing: look at the actions that transition the system from one state to another.

    State-Based Auditing

    Record information about the state and check whether the state is authorized.
    Assumption: you can get a snapshot of the system state.
        The snapshot needs to be consistent.
        A non-distributed system needs to be quiescent.
        A distributed system can use certain algorithms to obtain this.

    Example

    File system checking tools: thought of as analyzing a single state (snapshot).
    In reality, they analyze many slices of different states unless the file system is quiescent.
    Potential problem: if a test at the end depends on the result of a test at the beginning, relevant parts of the system state may have changed between the first test and the last.
    Classic TOCTTOU flaw.

    Transition-Based Auditing

    Record information about the action, and check the current state plus the transition to determine whether the new state is authorized.
    Note: just analyzing the transition may not be enough; you may need the initial state.
    Tend to use this when specific transitions always require analysis (for example, a change of privilege).

    Example

    A TCP connection-auditing mechanism intercepts TCP connections and checks whether they are on the list of forbidden connections.
    Obtains the IP address of the source of the connection.
    Logs the IP address, port, and result (allowed/blocked) in the log file.
    Purely transition-based (the current state is not analyzed at all).

    Detecting known violations

    Goal: has an action known to be a security violation occurred?
    Assume that the action automatically violates policy.
    The policy may be implicit, not explicit.
    Used to look for known attacks.

    Example

    Land attack: a DoS attack based on a TCP flaw.
    Consider the 3-way handshake used to initiate a TCP connection (next slide).
    What happens if the source and destination ports and addresses are the same? The host expects ACK(t+1), but gets ACK(s+1).
    The RFC is ambiguous:
        p. 36 of the RFC: send RST to terminate the connection.
        p. 69 of the RFC: reply with an empty packet having current sequence number t+1 and ACK number s+1, but it receives the packet and the ACK number is incorrect. So it repeats this; the system hangs or runs very slowly, depending on whether interrupts are disabled.

    3-Way Handshake and Land

    Normal:
        1. srcseq = s, expects ACK s+1
        2. destseq = t, expects ACK t+1; src gets ACK s+1
        3. srcseq = s+1, destseq = t+1; dest gets ACK t+1
    Land:
        1. srcseq = destseq = s, expects ACK s+1
        2. srcseq = destseq = t, expects ACK t+1 but gets ACK s+1
        3. Never reached; recovery from the error in 2 is attempted
    [Diagram: Source sends SYN(s); Destination replies SYN(t), ACK(s+1); Source sends ACK(t+1)]

    Detection

    Recognize the initial packet of a Land attack: its source and destination addresses are the same.
    Logging requirements:
        source port number, IP address
        destination port number, IP address
    Audit requirement: if source port number = destination port number and source IP address = destination IP address, the packet is part of a Land attack.
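The logging and audit requirements above, as an added example (not from the lecture): a detector that parses constructed SYN records carrying the four required fields, applies the slide's rule, and reports the records it could not parse instead of dropping them. The log format and all addresses are constructed.

```python
"""Land-attack audit rule over constructed SYN log records.
The log format and the addresses are constructed for this illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed packet log, one line per SYN the monitor saw; the four fields the
# slide requires (source/destination address and port) are all present.
SAMPLE_LOG = [
    "17:02:11 SYN src=192.0.2.10:4455 dst=198.51.100.5:139",
    "17:02:12 SYN src=198.51.100.5:139 dst=198.51.100.5:139",   # address AND port equal
    "17:02:13 SYN src=198.51.100.5:139 dst=198.51.100.5:445",   # same host, ports differ
    "17:02:14 SYN src=203.0.113.9:139 dst=198.51.100.5:139",    # same port, hosts differ
    "17:02:15 SYN src=garbled",                                 # unparseable record
]
LINE_RE = re.compile(r"^(\S+) SYN src=(\S+):(\d+) dst=(\S+):(\d+)$")


@dataclass(frozen=True)
class SynRecord:
    time: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Optional[SynRecord]:
    """Return the record, or None when the line does not fit the logged format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t, sip, sport, dip, dport = m.groups()
    return SynRecord(t, sip, int(sport), dip, int(dport))


def is_land(rec: SynRecord) -> bool:
    """The slide's audit rule: same address AND same port on both ends."""
    return rec.src_ip == rec.dst_ip and rec.src_port == rec.dst_port


def audit_land(lines: List[str]) -> Tuple[List[SynRecord], List[str]]:
    """Return the Land packets found and the lines the rule could not evaluate.
    Unparseable lines are reported rather than silently dropped, since a rule
    that cannot read a record cannot clear it either."""
    hits, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif is_land(rec):
            hits.append(rec)
    return hits, unparsed


if __name__ == "__main__":
    found, bad = audit_land(SAMPLE_LOG)
    for rec in found:
        print("Land packet at", rec.time, rec.src_ip, rec.src_port)
    print("unparseable lines:", len(bad))
```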

    Auditing mechanisms

    Systems use different mechanisms: most common is to log all events by default and allow the system administrator to disable logging that is unnecessary.
    Two examples:
        One audit system designed for a secure system.
        One audit system designed for a non-secure system.

    Secure Systems

    Audit mechanisms are integrated into the system from the design and implementation stages.
    The system security expert can configure the system to report and log:
        specific events;
        accesses by a subject;
        accesses to an object.
    Controlled by the audit subsystem; irrelevant accesses and actions are not logged.

    Example 1: VAX VMM

    Designed to be a secure production system.
        The audit mechanism had to have minimal impact.
        The audit mechanism had to be very reliable.
    The system kernel is layered: logging is done where events of interest occur, and each layer audits accesses to the objects it controls.
    The audit subsystem processes the log data from the kernel: it manages the system log and is invoked by mechanisms in the kernel.

    The VAX VMM audit subsystem

    Process calls supply the data for the log:
        identification of the event, and the result;
        auxiliary data depending on the event;
        the caller's name.
    The subsystem checks the logging criteria: if the request matches, the data is logged.
        The criteria are the subject or object named in the audit table, and the severity level (derived from the result).
    Adds date and time and other information.

    Other issues

    Some events are always logged:
        The programmer can request that an event be logged.
        Any attempt to violate policy: protection violations and login failures are logged when they occur repeatedly.
        Use of covert channels is also logged.
    Log full:
        The audit logging process is signaled to archive the log when the log is 75% full; if this is not possible, the system stops.

    Example 2: CMW

    CMW (Compartmented Mode Workstation) is designed to allow processing at different security levels.
    The auditing subsystem keeps a table of auditable events; entries indicate whether logging is turned on and what type of logging to use.
    The user-level command chaud allows the user to control auditing and what is audited. If changes affect subjects or objects currently being logged, the logging completes and then the auditable events are changed.

    CMW Process Control

    System calls allow a process to control auditing:
        audit_on turns logging on and names the log file.
        audit_write validates the log entry given as a parameter and logs the entry if logging for that entry is turned on.
        audit_suspend suspends logging temporarily.
        audit_resume resumes logging after suspension.
        audit_off turns logging off for that process.

    System calls

    When a process makes a system call and auditing is turned on:
        the system call is recorded;
        the first 3 parameters are recorded (but pointers are not followed).
    The audit_write call:
        if there is room in the log, appends the new entry;
        otherwise halts the system, discards the new entry, or disables the event that caused the logging, and continues to try to log other events.

    CMW Auditing

    Analysis of logged events: uses the redux tool.
    Converts the binary logs to a readable form.
    redux allows events to be filtered by users, objects, security levels, and events.

    Non-Secure Systems

    Have some limited logging capabilities: they log accounting data, or data for non-security purposes, and possibly limited security data like failed logins.
    The audit and security subsystems are usually added after the system is complete.
    May not be able to log all events, especially if the kernel modifications to support the audit subsystem are limited.

    Example: Basic Security Module

    BSM is a security enhancement for the SunOS and Solaris operating systems.
    Logs are composed of records made up of tokens.
    A token contains information about the event: user identity, groups, file system information, network, system call and result, etc. as appropriate.

    More About Records

    Records refer only to audited events:
        Kernel events: opening a file.
        Application events: failure to authenticate when logging in.
    Audit events are grouped into classes:
        Before the log is created: tell the system what to generate records for.
        After the log is created: the defined classes control which records are given to analysis tools.

    Example Record

    Logs are binary; this is from praudit:

    header,35,AUE_EXIT,Wed Sep 18 11:35:28 1991, + 570000 msec,
    process,bishop,root,root,daemon,1234,
    return,Error 0,5
    trailer,35

    Audit browsing

    Goal: present the information in the log in a form that is easy to understand and use.
    Reasons:
        Audit mechanisms may miss problems that auditors will spot.
        Mechanisms may be unsophisticated or make invalid assumptions about log format or meaning.
        Logs are usually not integrated; often different formats, syntax, etc.

    Browsing techniques

    Text display: does not indicate relationships between events.
    Hypertext display: indicates local relationships between events; does not indicate global relationships clearly.
    Relational database browsing: the DBMS performs correlations, so the auditor need not know in advance what associations are of interest. Preprocessing is required, and may limit the associations the DBMS can make.

    More Browsing Techniques

    Replay: shows events occurring in order; if there are multiple logs, intermingles their entries.
    Graphing: nodes are entities, edges are relationships. Often too cluttered to show everything, so graphing selects subsets of events.
    Slicing: shows the minimum set of log events affecting an object. Focuses on local relationships, not global ones.

    Example: Visual Audit Browser

    Frame Visualizer: generates a graphical representation of logs.
    Movie Maker: generates a sequence of graphs, each event creating a new, suitably modified graph.
    Hypertext Generator: produces a page per user, a page per modified file, and summary and index pages.
    Focused Audit Browser: enter a node name; displays the node, its incident edges, and the nodes at the end of those edges.

    Example Use

    A file has changed: use the focused audit browser.
        The changed file is the initial focus; edges show which processes have altered the file.
        Focus on the suspicious process; iterate through nodes until the method used to gain access to the system is determined.
    Question: is a masquerade occurring? The auditor knows the audit UID of the attacker.

    Tracking Attacker

    Use the hypertext generator to get all audit records with that UID.
    Now examine them for irregular activity; the frame visualizer may help here.
    Once found, work forward to reconstruct the activity.
    For non-technical people, use the movie maker to show what happened. Helpful for law enforcement authorities especially!

    Example: MieLog

    Computes counts of single words and word pairs; the auditor defines a threshold count; MieLog colors data with counts higher than the threshold.
    The display uses graphics and text together:
        Tag appearance frequency area: colored based on frequency (e.g., red is rare).
        Time information area: bar graph showing the number of log entries in that period of time; click to get the entries.
        Outline of message area: outline of log messages, colored to match the tag appearance frequency area.
        Message in text area: displays the log entry under study.

    Example Use

    The auditor notices an unexpected gap in the time information area: no log entries during that time!?!?
    The auditor focuses on the log entries before and after the gap, wanting to know why logging was turned off and then turned back on.
    The color of words in entries helps the auditor find similar entries elsewhere and reconstruct patterns.

    Key Points

    Logging is collection and recording; audit is analysis.
    Need to have clear goals when designing an audit system.
    Auditing should be designed into the system, not patched into the system after it is implemented.
    Browsing through logs helps auditors determine the completeness of the audit (and the effectiveness of the audit mechanisms!).