TrustedBSD Auditing Facilities (was RE: FreeBSD usage in safety-critical environments)

John Howie JHowie at securitytoolkit.com
Fri Oct 11 16:38:48 GMT 2002


Andrew,

Key wording in the Orange Book is: The TCB shall be able to create,
maintain, and protect from modification or unauthorized access or
destruction an audit trail of accesses to the objects it protects.

I am not aware of any language that says you must direct-write audit
records to disk but conceivably any write-buffered (lazy writing) scheme
could be construed as violating the requirement expressed in the Orange
Book. This means that even if you choose not to buffer audit records in
memory you have to be sure that the filesystem and disk drivers are not
going to buffer writes to the disk for audit records.

Microsoft have a means to disable write-buffering on a per-file basis
and I assume that this is what they do for the Windows Event Logs -
performance takes a big hit when you start aggressively auditing
security-related events. SQL Server, I believe, is the same except that
it will prevent anyone from reading the audit log until it is full and
the server has rolled over to the next file. It is worth noting that
versions of both Windows and SQL Server have been submitted for
evaluation and received certification.

I'm not suggesting we implement a Microsoft-like scheme, but just
providing these for comparison purposes.

John

-----Original Message-----
From: owner-trustedbsd-discuss at cyrus.watson.org
[mailto:owner-trustedbsd-discuss at cyrus.watson.org] On Behalf Of Andrew
R. Reiter
Sent: Friday, October 11, 2002 7:42 AM
To: Nelson, Trent .
Cc: 'Robert Watson'; 'trustedbsd-audit at trustedbsd.org';
'trustedbsd-discuss at trustedbsd.org'
Subject: Re: TrustedBSD Auditing Facilities (was RE: FreeBSD usage in
safety-critical environments)

 [...deleted...]

Thanks for the URLs.  Something that caught my attention was that they do
buffered flushes of in-memory audit records in order to push them to disk.
I had done the same thing with that last basis of the audit code I did,
but after a discussion with a coworker, he sort of convinced me that
buffered writes were a violation of a few standards -- can anyone shed any
light on this?

I also found their implementation notes section on syscalls that have the
possibility of not generating audit events a good thing to recognize.

Thanks again,
Andrew

--
Andrew R. Reiter
arr at watson.org
arr at FreeBSD.org
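Both mails turn on whether write-buffered audit records satisfy the Orange Book wording quoted above. The following is an added example (my own, not code from John, Andrew or the TrustedBSD audit implementation) of an audit-trail writer that reports success only once the record has been handed to the storage device, using the POSIX O_SYNC open flag plus fsync; the log path and the record format are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open the trail for appending with O_SYNC, so write() returns only after the
 * kernel has pushed the record through the page cache to the device; O_APPEND
 * keeps each record an atomic append even when several processes write. */
int audit_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_SYNC, 0600);
}

/* Append one record and return 0 only once it is on disk; a write-buffered
 * scheme would instead return as soon as the bytes sit in the page cache. */
int audit_append(const char *path, const char *record) {
    int fd = audit_open(path);
    if (fd < 0) return -1;
    size_t len = strlen(record), done = 0;
    int rc = 0;
    while (done < len) {               /* retry on EINTR and on short writes */
        ssize_t n = write(fd, record + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; rc = -1; break; }
        done += (size_t)n;
    }
    if (rc == 0 && fsync(fd) != 0) rc = -1; /* also flush the file-size metadata */
    close(fd);
    return rc;
}

/* Count the newline-terminated records present in the trail (-1 on error). */
long audit_count(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long n = 0;
    for (int c; (c = fgetc(f)) != EOF;) if (c == '\n') n++;
    fclose(f);
    return n;
}

int main(void) {
    /* constructed sample path and record; a real format carries subject, object, result */
    const char *path = "/tmp/audit_trail_demo.log";
    if (audit_append(path, "2002-10-11T16:38:48Z uid=1001 open /etc/master.passwd ok\n") != 0) return 1;
    printf("records now on disk: %ld\n", audit_count(path));
    return 0;
}
```

This settles only the kernel's own page-cache buffering; the filesystem and disk-driver layers John mentions, and a drive's internal write cache, still have to be verified separately.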

