Re: [PATCH] Audit: Add TTY input auditing

On Thursday 07 June 2007 11:42, Casey Schaufler wrote:
> > tools like rootsh, but that is too easy to detect and defeat. And then it
> > does not put its data into the audit system where its correlated with
> > other system events.
>
> The evaluation teams that I have worked with (OrangeBook and CC)
> as well as their technical advisory groups have always been clear
> that keyboard logging is not an appropriate mechanism for security
> audit logging. There is insufficient correlation between what is
> typed and security relevent actions for keyboard (or mouse event)
> logging to meet the audit requirements.

Ok, this is a sample set of requirements we are trying to meet:

Implement automated audit trails for all system components to reconstruct the 
following events:
  All actions taken by any individual with root or administrative privileges

If we do not get commands typed at a prompt, we have to audit by execve. 
Auditing execve for uid = 0 produces millions of events since that includes 
daemons. If we get clever and restrict auditing to events for root uid and 
auid >= 500, we still wind up with millions of events because of shell 
scripts. 

People in control of some of these security targets said to me that auditing 
by execve cannot be the solution, because the audit trail becomes too big, 
unwieldy, full of irrelavent events, and not easily analysed. So, that 
approach does not work for people either.

Casey, so what approach would you take to meet the requirement?

> You have to log what happened.

Which can be done by auditing for execution of specific apps or watching 
access to certain files. So, I don't see tty auditing as something that 
replaces other auditing, it allows us to form a better picture of what 
happened to the system.

> Logging what was requested is insufficient and logging what was
> typed, which may or may not have resulted in an actual request is
> not helpful to meeting security audit requirements.

I would disagree. Its helpful to complete the picture of what's happening on 
the system.

-Steve
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: [PATCH] Audit: Add TTY input auditing
    • From: Casey Schaufler <[email protected]>

• References:
  • Re: [PATCH] Audit: Add TTY input auditing
    • From: Casey Schaufler <[email protected]>

• Prev by Date: Re: [PATCH] Make smp_call_function{_single} go WARNING and return -EINVAL on !SMP (was Re: [PATCH] i386/x86_64: NMI watchdog: Protect smp_call_function() within CONFIG_SMP)
• Next by Date: Re: 2.6.22-rc4-mm1
• Previous by thread: Re: [PATCH] Audit: Add TTY input auditing
• Next by thread: Re: [PATCH] Audit: Add TTY input auditing
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]