[804] in Intrusion Detection Systems


Re: Audit trails

daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Wed Dec 11 02:43:58 1996

To: ids@uow.edu.au
In-Reply-To: Your message of "Tue, 26 Nov 1996 07:34:33 CST."
             <Pine.LNX.3.95.961126073317.18656A-100000@underground.error.net> 
Date: Fri, 06 Dec 1996 22:36:06 -0500
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
Reply-To: ids@uow.edu.au

>  Actually, AIX has quite good auditing features for Unix.  It can include
>  quite a bit of detail, including what commands a particular user is using 
>  and at what time.  Almost no one uses the entire auditing features because
>  it gives too much information and can slow the system response time noticab

Even though it does provide some information, it does not provide information which can really be used to
automate tracking. The point I was making was that the following set of
answers is the absolute minimum:

* What was the request  - Audit subsystems log commands. Some log syscalls
* Who made the request  - Audit subsystems log uid/gid/eid/egid. I have not
                          seen any that keeps track of users operating
                          as others. For example:

                                user alex and user russ are logged in at the
                                same time
                                alex assumes identity of russ
                                alex with identity of russ, pulls out Xterm
                                ( this is something that I found will confuse
                                systems that try to keep an eye on su's )
                                alex modifies set of files S1
                                russ modifies set of files S2
                                alex works with identity of russ for a while
                                after which releases identity of russ
                                audit trail shows that S1 and S2 were
                                modified by russ. Oops. ( It was fun to see
                                supposedly B2 secure boxes that could not
                                figure out which files were modified by russ
                                and which files were modified by alex working 
                                as russ )

* Where did the request come from - Usually a controlling tty is being
                                    logged. Bad idea: user can always
                                    detach a process from a controlling
                                    tty. An ID has to be assigned to every
                                    connection and that ID should be logged
                                    as the source of connection

* Status of a request ( success or failure ) with a reason _why_ request
                                    was denied. Something more meaningful
                                    than "Permission denied" is highly
                                    desirable


Alex
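The alex/russ scenario above, replayed as an added example (not code from the post or any real audit subsystem). It models an audit record carrying the four answers the message lists: the request, the user who actually authenticated as well as the identity in use, an ID for the connection instead of a controlling tty, and a status with a reason. The connection IDs, file names and denial reason are constructed; a trail keyed only on the effective identity attributes both S1 and S2 to russ, while the same records keyed on the login user separate them.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """One authenticated connection (constructed for this example)."""
    connection_id: str   # hypothetical ID assigned to the connection itself
    login_user: str      # who authenticated on this connection; never changes
    effective_user: str  # identity currently in use; changes on su/release


@dataclass
class AuditRecord:
    request: str                   # what was requested
    target: Optional[str]          # file or user the request was about
    login_user: str                # who really made the request
    effective_user: str            # identity the request was made under
    connection_id: str             # where the request came from
    status: str                    # "success" or "denied"
    reason: Optional[str] = None   # why it was denied, if it was


class AuditTrail:
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def log(self, session: Session, request: str, target: Optional[str],
            status: str, reason: Optional[str] = None) -> AuditRecord:
        rec = AuditRecord(request, target, session.login_user,
                          session.effective_user, session.connection_id,
                          status, reason)
        self.records.append(rec)
        return rec

    def _successful_modifications(self) -> List[AuditRecord]:
        return [r for r in self.records
                if r.request == "modify" and r.status == "success"]

    def modifications_by_effective_user(self) -> Dict[str, Set[str]]:
        """What a trail that records only the effective uid can reconstruct."""
        out: Dict[str, Set[str]] = {}
        for r in self._successful_modifications():
            out.setdefault(r.effective_user, set()).add(r.target)
        return out

    def modifications_by_login_user(self) -> Dict[str, Set[str]]:
        """Attribution by the user who authenticated on the connection."""
        out: Dict[str, Set[str]] = {}
        for r in self._successful_modifications():
            out.setdefault(r.login_user, set()).add(r.target)
        return out

    def denied(self) -> List[AuditRecord]:
        return [r for r in self.records if r.status == "denied"]


def run_scenario() -> AuditTrail:
    """Replay the alex/russ scenario from the post with constructed file names."""
    trail = AuditTrail()
    alex = Session("conn-17", "alex", "alex")
    russ = Session("conn-23", "russ", "russ")

    # alex assumes the identity of russ; the record still names alex as login_user
    trail.log(alex, "su", "russ", "success")
    alex.effective_user = "russ"

    # alex, working as russ, modifies set S1
    for path in ("s1/a.c", "s1/b.c"):
        trail.log(alex, "modify", path, "success")

    # russ, on his own connection, modifies set S2
    trail.log(russ, "modify", "s2/notes.txt", "success")

    # russ is refused a write; the reason says more than "Permission denied"
    trail.log(russ, "modify", "/etc/passwd", "denied",
              reason="caller is not the owner and mode 0644 grants no group/other write")

    # alex releases the identity of russ
    alex.effective_user = "alex"
    trail.log(alex, "release", "russ", "success")
    return trail


if __name__ == "__main__":
    t = run_scenario()
    print("by effective user:", t.modifications_by_effective_user())
    print("by login user:    ", t.modifications_by_login_user())
    for r in t.denied():
        print("denied:", r.request, r.target, "from", r.connection_id, "-", r.reason)
```

Running it shows the "Oops" from the message: the effective-user view credits all three files to russ, the login-user view credits S1 to alex and S2 to russ, and the denied record names the connection it came from and why it was refused.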
