Audit specifications
paleph at pacbell.net
paleph at pacbell.net
Thu Jan 31 20:24:58 GMT 2002
Andrew
I implemented the audit subsystem (kernel and userspace) for Solaris 2.*.
> - Did you use a standard to base your work off of?
> - If so, which standard? Pluses and minuses to the spec. used?
No. There were no standards when I did the work for Sun.
We followed the POSIX efforts at the beginning then decided
that we didn't have time to wait for closure.
The major problem we saw that each POSIX meeting resulted
in a new design; each company wanted their implementation
to be the standard. I understand the same thing happened
with the other security subgroups. I personally consider
POSIX mostly dead. There are only 3 standards: microsoft,
linux, and Solaris (to some extent).
> - If not, in what manner did you base your work off of?
> - Personal experience? What others have done?
SunOS already had an audit package. However, we decided not
to move it to Solaris due to it's design and implementation limitations.
We redid everything from scratch based on an initial set of
requirements:
1. auditing needed to meet requirements of orange book and CMW
2. auditing subsystem needed to be portable over CMW, a (now dead)
MLS project, and Solaris 2.*. We wanted to maintain code for only
one audit subsystem. Modularity was thus high on our list of
requirements.
3. Needed to be invisible to the user. The SunOS audit code, for
example, disabled the fchdir(2) and fchroot(2) system calls.
It also did not handle chroot properly and had problems with
fchdir and fchmod.
4. auditing should not degrade performance significantly
5. auditing implementation should not be intrusive to the kernel or
utilities. The original SunOS audit code had about 600 places where
it interacted with the kernel. In Solaris we reduced this to about
50.
6. An audit record should be able to completely describe an event.
This was to simplify audit record analysis.
Hard parts: STREAMS presented the most difficult problems since we
had to maintain state across system calls. Auditing of ioctl(2)
operations were also messy and caused problems. Solaris also supported
loadable system calls which we never handled well. Another area where
we had problems was with system administration. A big part of the
UNIX system is designed to be administrated via vi. These
operations were not easy to audit.
The major problem was support; we were constantly being surprised by
changes to the kernel and utilities. Things would silently stop being
audited due to some kernel or application change so we were constantly
doing bug fixes as we discovered these problems.
We also started to investigate better non-attributable audit record
generation due to network and IPv6/IPsec operations.
------
Paul Fronberg
paleph at pacbell.net
To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message
More information about the trustedbsd-discuss
mailing list