Difference between revisions of "Projects/Audit"
m |
|||
Line 17: | Line 17: | ||
== Events == |
== Events == |
||
− | This section details |
+ | This section details the categories of the auditable events and the associated information. |
;Audit module loaded/unloaded: Startup and shutdown of the audit system must be recorded by audit system; |
;Audit module loaded/unloaded: Startup and shutdown of the audit system must be recorded by audit system; |
||
; KDC started/stopped |
; KDC started/stopped |
||
− | :KDC startup - |
+ | :KDC startup - KDC clockskew, list of realms and ports, location and names of the plugins, the values of allow_weak_crypto, kdc_req_sumtype, default_ap_req_sumtype and default_safe_sumtype from configuration files; |
+ | :KDC stopped - no additional information; |
||
;AS exchange: |
;AS exchange: |
||
− | : |
+ | :authentication time and kdc time timestamps, parsed client and server names, port number, ticket start, end and renew until times and flags, requested enckey types , used session enckey type, pre-auth type used, KDC status message; |
− | :AS done (success): parsed client and server names, port number, ktypes and flags, ticket start, end and renew until times, authentication time and kdc time timestamps, session enckey type, rep_srv_data, pre-auth type used, KDC status message, |
||
;TGS exchange: |
;TGS exchange: |
||
− | :Successful or unsuccessful attempt; |
||
+ | :Successful or unsuccessful attempt - authentication time and kdc time timestamps, parsed client, server, 2nd client and s4u names, port number, client's enckey types and flags, used session enckey type, is referral, KDC status message; |
||
:Alternative TGS; |
:Alternative TGS; |
||
;Session keys: |
;Session keys: |
||
Line 44: | Line 44: | ||
kau_kdc_start_fn kdc_start; |
kau_kdc_start_fn kdc_start; |
||
kau_kdc_stop_fn kdc_stop; |
kau_kdc_stop_fn kdc_stop; |
||
− | kau_as_req_attempt_fn as_req_attempt; |
||
+ | kau_as_req_fn as_req; |
||
− | kau_as_req_done_fn as_req_done; |
||
+ | kau_tgs_fn tgs; |
||
− | kau_tgs_fn tgs; |
||
kau_tgs_alt_fn tgs_alt; |
kau_tgs_alt_fn tgs_alt; |
||
kau_sesskey_as_generated_fn sesskey_as_generated; |
kau_sesskey_as_generated_fn sesskey_as_generated; |
||
Line 53: | Line 52: | ||
kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared; |
kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared; |
||
} *krb5_audit_vtable; |
} *krb5_audit_vtable; |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_open_fn)(krb5_context context , kau_ctx *au_ctx); |
(*kau_open_fn)(krb5_context context , kau_ctx *au_ctx); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_close_fn)(krb5_context context, kau_ctx au_ctx); |
(*kau_close_fn)(krb5_context context, kau_ctx au_ctx); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status); |
(*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | krb5_deltat clockskew, |
+ | krb5_deltat clockskew, const char *realm_port, |
− | + | krb5_boolean allow_weak_crypto, |
|
const char *plugins, const char *plugin_dir, |
const char *plugins, const char *plugin_dir, |
||
krb5_cksumtype kdc_req_sumtype, |
krb5_cksumtype kdc_req_sumtype, |
||
Line 72: | Line 71: | ||
krb5_cksumtype default_safe_sumtype, |
krb5_cksumtype default_safe_sumtype, |
||
int status); |
int status); |
||
− | |||
+ | |||
− | typedef krb5_error_code |
||
− | (*kau_as_req_attempt_fn)(krb5_context context, kau_ctx au_ctx, |
||
− | const char *cname, const char *sname, const char *status_msg, |
||
− | const int from_port, const char * ktypes, |
||
− | krb5_flags flags, |
||
− | krb5_deltat start_time, krb5_deltat endtime, |
||
− | char *rep_srv_data, int patype, |
||
− | krb5_error_code status); |
||
− | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
− | (* |
+ | (*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx, |
krb5_timestamp authtime, krb5_timestamp kdc_time, |
krb5_timestamp authtime, krb5_timestamp kdc_time, |
||
const char *cname, const char *sname, const char *status_msg, |
const char *cname, const char *sname, const char *status_msg, |
||
const int from_port, krb5_flags flags, |
const int from_port, krb5_flags flags, |
||
− | const char *ktypes, krb5_enctype |
+ | const char *ktypes, krb5_enctype session_key_etype, |
krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, |
krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, |
||
− | krb5_deltat tkt_renew_till, |
+ | krb5_deltat tkt_renew_till, int patype, |
− | char *rep_srv_data, int patype, |
||
krb5_error_code status); |
krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 98: | Line 88: | ||
const char *altcname, const char *s4u_name, |
const char *altcname, const char *s4u_name, |
||
krb5_flags flags, const char *status_msg, |
krb5_flags flags, const char *status_msg, |
||
− | const int from_port, |
+ | const int from_port, |
+ | const char * ktypes_buf, krb5_enctype session_key_etype, |
||
const int is_referral, krb5_error_code status); |
const int is_referral, krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx, |
||
const char *sname, krb5_error_code status); |
const char *sname, krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 112: | Line 102: | ||
krb5_enctype used_ktype, |
krb5_enctype used_ktype, |
||
krb5_error_code status); |
krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 119: | Line 109: | ||
const int from_port, krb5_enctype used_ktype, |
const int from_port, krb5_enctype used_ktype, |
||
krb5_error_code status); |
krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 126: | Line 116: | ||
const char *ktypes, krb5_enctype used_ktype, |
const char *ktypes, krb5_enctype used_ktype, |
||
krb5_error_code status); |
krb5_error_code status); |
||
− | |||
+ | |||
typedef krb5_error_code |
typedef krb5_error_code |
||
(*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
(*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, |
||
Line 148: | Line 138: | ||
kau_kdc_stop(krb5_context context, krb5_error_code status); |
kau_kdc_stop(krb5_context context, krb5_error_code status); |
||
− | /* AS exchange: |
+ | /* AS exchange: Successful or unsuccessful attempt */ |
− | krb5_error_code |
||
− | kau_as_req_done(krb5_context context, struct as_req_state *state, krb5_error_code status); |
||
krb5_error_code |
krb5_error_code |
||
− | kau_as_req_attempt(krb5_context context, struct as_req_state *state, krb5_error_code status); |
||
+ | kau_as_req(krb5_context context, |
||
+ | struct as_req_state *state, |
||
+ | krb5_error_code status); |
||
/* TGS exchange: Successful or unsuccessful attempt and alternative TGS */ |
/* TGS exchange: Successful or unsuccessful attempt and alternative TGS */ |
||
krb5_error_code |
krb5_error_code |
||
− | kau_tgs(krb5_context context, |
+ | kau_tgs(krb5_context context, |
+ | struct tgs_req_audit_state *state, |
||
+ | krb5_error_code status); |
||
krb5_error_code |
krb5_error_code |
||
− | kau_tgs_alt(krb5_context context, |
+ | kau_tgs_alt(krb5_context context, |
+ | struct tgs_req_audit_state *state, |
||
+ | krb5_error_code status); |
||
/* Session key generation and cleaning them up */ |
/* Session key generation and cleaning them up */ |
||
krb5_error_code |
krb5_error_code |
||
− | kau_sesskey_as_generated(krb5_context context, |
+ | kau_sesskey_as_generated(krb5_context context, |
+ | struct as_req_state *state, |
||
+ | krb5_error_code status); |
||
krb5_error_code |
krb5_error_code |
||
− | kau_sesskey_as_cleared(krb5_context context, |
+ | kau_sesskey_as_cleared(krb5_context context, |
+ | struct as_req_state *state, |
||
+ | krb5_error_code status); |
||
krb5_error_code |
krb5_error_code |
||
− | kau_sesskey_tgs_generated(krb5_context context, |
+ | kau_sesskey_tgs_generated(krb5_context context, |
+ | struct tgs_req_audit_state *state, |
||
+ | krb5_error_code status); |
||
krb5_error_code |
krb5_error_code |
||
− | kau_sesskey_tgs_cleared(krb5_context context, |
+ | kau_sesskey_tgs_cleared(krb5_context context, |
+ | struct tgs_req_audit_state *state, |
||
+ | krb5_error_code status); |
||
/* Policy driven events - TBD */ |
/* Policy driven events - TBD */ |
||
Line 181: | Line 173: | ||
;--enable-audit[=yes/no]: Enable audit plugin. By default at build time audit is disabled. |
;--enable-audit[=yes/no]: Enable audit plugin. By default at build time audit is disabled. |
||
− | ;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple". |
+ | ;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin. |
Line 192: | Line 184: | ||
== References == |
== References == |
||
− | # |
+ | # Common Criteria for Information Technology Security Evaluation http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf |
− | # |
+ | # Oracle Solaris Auditing http://docs.oracle.com/cd/E19963-01/html/821-1456/auditov-1.html |
− | # |
+ | # Understanding Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html |
− | # |
+ | # Advanced Security Audit Policy Settings http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx |
+ | # Events Classification in Log Audit http://airccse.org/journal/nsa/0410ijnsa5.pdf |
Revision as of 15:44, 10 October 2012
Contents
Purpose
The focus of this project will be on creating an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. The initial set of the audible events will be identified.
Requirements
The new audit system should be:
- build-time enabled;
- run-time pluggable;
- simple, so it could be easily replaced with the OS specific implementations;
- if possible, prepare i18n- and l10n-ready log messages.
Events
This section details the categories of the auditable events and the associated information.
- Audit module loaded/unloaded
- Startup and shutdown of the audit system must be recorded by audit system;
- KDC started/stopped
- KDC startup - KDC clockskew, list of realms and ports, location and names of the plugins, the values of allow_weak_crypto, kdc_req_sumtype, default_ap_req_sumtype and default_safe_sumtype from configuration files;
- KDC stopped - no additional information;
- AS exchange
- authentication time and kdc time timestamps, parsed client and server names, port number, ticket start, end and renew until times and flags, requested enckey types , used session enckey type, pre-auth type used, KDC status message;
- TGS exchange
- Successful or unsuccessful attempt - authentication time and kdc time timestamps, parsed client, server, 2nd client and s4u names, port number, client's enckey types and flags, used session enckey type, is referral, KDC status message;
- Alternative TGS;
- Session keys
- AS and TGS exchange session key generation;
- AS and TGS exchange session key cleaning;
- Policy
- Policies violation when processing requests - TBD;
Design details
Pluggable interface
/* Audit plugin vtable */ typedef struct krb5_audit_vtable_st { /* Mandatory: name of module. */ char *name; kau_open_fn open; kau_close_fn close; kau_kdc_start_fn kdc_start; kau_kdc_stop_fn kdc_stop; kau_as_req_fn as_req; kau_tgs_fn tgs; kau_tgs_alt_fn tgs_alt; kau_sesskey_as_generated_fn sesskey_as_generated; kau_sesskey_as_cleared_fn sesskey_as_cleared; kau_sesskey_tgs_generated_fn sesskey_tgs_generated; kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared; } *krb5_audit_vtable; typedef krb5_error_code (*kau_open_fn)(krb5_context context , kau_ctx *au_ctx); typedef krb5_error_code (*kau_close_fn)(krb5_context context, kau_ctx au_ctx); typedef krb5_error_code (*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status); typedef krb5_error_code (*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx, krb5_deltat clockskew, const char *realm_port, krb5_boolean allow_weak_crypto, const char *plugins, const char *plugin_dir, krb5_cksumtype kdc_req_sumtype, krb5_cksumtype default_ap_req_sumtype, krb5_cksumtype default_safe_sumtype, int status); typedef krb5_error_code (*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, krb5_timestamp kdc_time, const char *cname, const char *sname, const char *status_msg, const int from_port, krb5_flags flags, const char *ktypes, krb5_enctype session_key_etype, krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, krb5_deltat tkt_renew_till, int patype, krb5_error_code status); typedef krb5_error_code (*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx, krb5_timestamp authtime, krb5_timestamp kdc_time, const char *cname, const char *sname, const char *altcname, const char *s4u_name, krb5_flags flags, const char *status_msg, const int from_port, const char * ktypes_buf, krb5_enctype session_key_etype, const int is_referral, krb5_error_code status); typedef krb5_error_code (*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx, const char *sname, krb5_error_code status); typedef krb5_error_code (*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const char *status_msg, const int from_port, const char * ktypes, krb5_enctype used_ktype, krb5_error_code status); typedef krb5_error_code (*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const char *status_msg, const int from_port, krb5_enctype used_ktype, krb5_error_code status); typedef krb5_error_code (*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const char *status_msg, const int from_port, const char *ktypes, krb5_enctype used_ktype, krb5_error_code status); typedef krb5_error_code (*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx, const char *cname, const char *sname, const char *status_msg, const int from_port, krb5_enctype used_ktype, krb5_error_code status);
API signatures
/* Audit plugin loaded/unloaded */ krb5_error_code load_audit_plugin(krb5_context context); krb5_error_code unload_audit_plugin(krb5_context context);
/* KDC started /stopped */ krb5_error_code kau_kdc_start(krb5_context context, int status); krb5_error_code kau_kdc_stop(krb5_context context, krb5_error_code status);
/* AS exchange: Successful or unsuccessful attempt */ krb5_error_code kau_as_req(krb5_context context, struct as_req_state *state, krb5_error_code status);
/* TGS exchange: Successful or unsuccessful attempt and alternative TGS */ krb5_error_code kau_tgs(krb5_context context, struct tgs_req_audit_state *state, krb5_error_code status); krb5_error_code kau_tgs_alt(krb5_context context, struct tgs_req_audit_state *state, krb5_error_code status);
/* Session key generation and cleaning them up */ krb5_error_code kau_sesskey_as_generated(krb5_context context, struct as_req_state *state, krb5_error_code status); krb5_error_code kau_sesskey_as_cleared(krb5_context context, struct as_req_state *state, krb5_error_code status); krb5_error_code kau_sesskey_tgs_generated(krb5_context context, struct tgs_req_audit_state *state, krb5_error_code status); krb5_error_code kau_sesskey_tgs_cleared(krb5_context context, struct tgs_req_audit_state *state, krb5_error_code status);
/* Policy driven events - TBD */ krb5_error_code kau_policy(krb5_context context, ... , krb5_error_code status);
/* Name of audit module */ krb5_error_code kau_plugin_name(krb5_context context, char **name);
Configuration
The following ./configure options are added:
- --enable-audit[=yes/no]
- Enable audit plugin. By default at build time audit is disabled.
- --with-audit-plugin=simple
- (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.
Test implementation
We will use libaudit module available on Fedora, Debian, Suse for the first round.
Some "simple" audit plugin will be implemented and Python test system will become aware of its existence. New ./configure --with-audit-plugin option will be introduced to build "simple" audit plugin for testing purpose. If audit is enabled and audit plugin is available, "make check" will store audit messages into audit log file.
References
- Common Criteria for Information Technology Security Evaluation http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf
- Oracle Solaris Auditing http://docs.oracle.com/cd/E19963-01/html/821-1456/auditov-1.html
- Understanding Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html
- Advanced Security Audit Policy Settings http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx
- Events Classification in Log Audit http://airccse.org/journal/nsa/0410ijnsa5.pdf