logo_kerberos.gif

Difference between revisions of "Projects/Audit"

From K5Wiki
Jump to: navigation, search
Line 24: Line 24:
 
:KDC stopped - no additional information;
 
:KDC stopped - no additional information;
 
;AS exchange:
 
;AS exchange:
:kdc time timestamps,client's and server's flags and unparsed names, port number, ticket start, end and renew until times and flags, requested enckey types and used session enckey type, pre-auth type requested and used, KDC status message;
+
:kdc time timestamp,client's and server's flags and unparsed names, port number, ticket start, end and renew until times and flags, requested enckey types and used session enckey type, pre-auth type requested and used, KDC status message;
 
;TGS exchange:
 
;TGS exchange:
:Successful or unsuccessful attempt - kdc time timestamps, unparsed client, server, 2nd client and s4u names, port number, client's enckey types and flags, used session enckey type, is referral, KDC status message;
 
  +
:TGS
:Alternative TGS;
 
 
::Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server, 2nd client and s4u names, port number, client's enckey types and flags, used session enckey type, is referral, is constrained delegation, is protocol transition, was ticket renewed, KDC status message;
:Cross-realm TGS;
+
:Alternative TGS
  +
::Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server and alternate server, KDC status message;
  +
:Cross-realm TGS
  +
::Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server, cross-realm, KDC status message;
 
:U2U TGS
 
:U2U TGS
  +
::Successful attempt - kdc time and authtime timestamps, unparsed client, server and second client, KDC status message
 
;Session keys:
 
;Session keys:
 
: AS and TGS exchange session key generation;
 
: AS and TGS exchange session key generation;
 
: AS and TGS exchange session key cleaning;
 
: AS and TGS exchange session key cleaning;
 
;Policy: Policies violation when processing requests - TBD;
 
;Policy: Policies violation when processing requests - TBD;
  +
:AS request
  +
:TGS request
  +
:S4U2PROXY request
  +
   
 
== Design details ==
 
== Design details ==
Line 56: Line 61:
 
kau_sesskey_tgs_generated_fn sesskey_tgs_generated;
 
kau_sesskey_tgs_generated_fn sesskey_tgs_generated;
 
kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared;
 
kau_sesskey_tgs_cleared_fn sesskey_tgs_cleared;
  +
kau_policy_as_req_fn policy_as_req;
  +
kau_policy_tgs_req_fn policy_tgs_req;
  +
kau_policy_s4u2proxy_req_fn policy_s4u2proxy_req;
 
} *krb5_audit_vtable;
 
} *krb5_audit_vtable;
 
 
Line 63: Line 71:
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_close_fn)(krb5_context context, kau_ctx au_ctx);
 
(*kau_close_fn)(krb5_context context, kau_ctx au_ctx);
 
typedef krb5_error_code
 
(*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status);
 
 
 
 
typedef krb5_error_code
 
typedef krb5_error_code
Line 76: Line 81:
 
krb5_cksumtype default_safe_sumtype, int status);
 
krb5_cksumtype default_safe_sumtype, int status);
 
 
 
typedef krb5_error_code
 
(*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code status);
  +
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx,
Line 89: Line 97:
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx,
krb5_timestamp kdc_time, const char *status_msg,
+
krb5_timestamp kdc_time, krb5_timestamp authtime, const char *status_msg,
 
const char *cname, const char *sname,
 
const char *cname, const char *sname,
 
const char *altcname, const char *s4u_name,
 
const char *altcname, const char *s4u_name,
Line 95: Line 103:
 
const int from_port,
 
const int from_port,
 
const char * ktypes_buf, krb5_enctype session_key_etype,
 
const char * ktypes_buf, krb5_enctype session_key_etype,
const int is_referral, int status);
+
const int tkt_renewed,
  +
const int is_referral, const int is_constrained,
  +
const int is_transition, int status);
 
 
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx,
krb5_timestamp kdc_time, const char *kdc_status,
+
krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
 
const char *cname, const char *sname,
 
const char *cname, const char *sname,
 
krb5_flags c_flags, krb5_flags s_flags,
 
krb5_flags c_flags, krb5_flags s_flags,
Line 106: Line 114:
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx,
krb5_timestamp kdc_time, const char *kdc_status,
+
krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
 
const char *cname, const char *sname,
 
const char *cname, const char *sname,
 
krb5_flags c_flags, krb5_flags s_flags,
 
krb5_flags c_flags, krb5_flags s_flags,
Line 113: Line 121:
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_tgs_xrealm_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_tgs_xrealm_fn)(krb5_context context, kau_ctx au_ctx,
krb5_timestamp kdc_time, const char *kdc_status,
+
krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
 
const char *cname, const char *sname,
 
const char *cname, const char *sname,
 
krb5_flags c_flags, krb5_flags s_flags,
 
krb5_flags c_flags, krb5_flags s_flags,
const int from_port, const char *xrealmsrv, int status);
+
const int from_port, const char *xrealm, int status);
+
 
typedef krb5_error_code
 
typedef krb5_error_code
 
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx,
 
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx,
Line 160: Line 168:
 
/* AS exchange: Successful or unsuccessful attempt */
 
/* AS exchange: Successful or unsuccessful attempt */
 
krb5_error_code
 
krb5_error_code
kau_as_req(krb5_context context,
+
kau_as_req(krb5_context context, struct as_req_state *state, int status);
struct as_req_state *state, int status);
 
   
 
/* TGS exchange: Successful or unsuccessful attempt; alternative, u2u and cross-realm TGS */
 
/* TGS exchange: Successful or unsuccessful attempt; alternative, u2u and cross-realm TGS */
Line 174: Line 182:
 
krb5_error_code
 
krb5_error_code
 
kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state,
 
kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state,
krb5_principal xrealmtgt, int status);
+
char* xrealm, int status);
   
 
/* Session key generation and cleaning them up */
 
/* Session key generation and cleaning them up */
Line 191: Line 199:
   
 
/* Policy driven events - TBD */
 
/* Policy driven events - TBD */
krb5_error_code
+
krb5_error_code
kau_policy(krb5_context context, ... , krb5_error_code status);
+
kau_policy_as_req(krb5_context context, struct as_req_state *state,
  +
krb5_error_code status);
  +
krb5_error_code
  +
kau_policy_s4u2proxy_req(krb5_context context, struct tgs_req_audit_state *state,
  +
krb5_db_entry *st_client, krb5_error_code status);
  +
krb5_error_code
  +
kau_policy_tgs_req(krb5_context context, struct tgs_req_audit_state *state,
  +
krb5_ticket *header_ticket, krb5_error_code status);
   
 
/* Name of audit module */
 
/* Name of audit module */
 
krb5_error_code
 
krb5_error_code
 
kau_plugin_name(krb5_context context, char **name);
 
kau_plugin_name(krb5_context context, char **name);
  +
  +
struct tgs_req_audit_state {
  +
krb5_kdc_req *request;
  +
krb5_timestamp kdc_time;
  +
krb5_timestamp authtime;
  +
char *sname, *cname,*s4u_name, *u2ucname;
  +
krb5_principal altprinc;
  +
char *xrealm;
  +
const krb5_fulladdr *from;
  +
unsigned int c_flags, s_flags;
  +
const char *status; /* KDC status message */
  +
krb5_enctype useenctype;
  +
krb5_boolean tkt_renewed;
  +
krb5_boolean is_referral;
  +
};
  +
   
 
=== Configuration ===
 
=== Configuration ===
Line 205: Line 229:
 
;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.
 
;--with-audit-plugin=simple: (For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.
   
  +
=== Ticket ID ===
   
  +
We need to introduce the concept of ticket ID (perhaps, session key hash) that would allow to associate events on multiple services with the original TGT.
  +
TODO.
 
 
== Test implementation ==
 
== Test implementation ==
   

Revision as of 12:03, 23 October 2012

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

The focus of this project will be on creating an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. The initial set of the audible events will be identified.

Requirements

The new audit system should be:

  • build-time enabled;
  • run-time pluggable;
  • simple, so it could be easily replaced with the OS specific implementations;
  • if possible, prepare i18n- and l10n-ready log messages.


Events

This section details the categories of the auditable events and the associated information.

Audit module loaded/unloaded
Startup and shutdown of the audit system must be recorded by audit system;
KDC started/stopped
KDC startup - KDC clockskew, list of realms and ports, location and names of the plugins, the values of allow_weak_crypto, kdc_req_sumtype, default_ap_req_sumtype and default_safe_sumtype from configuration files;
KDC stopped - no additional information;
AS exchange
kdc time timestamp,client's and server's flags and unparsed names, port number, ticket start, end and renew until times and flags, requested enckey types and used session enckey type, pre-auth type requested and used, KDC status message;
TGS exchange
TGS
Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server, 2nd client and s4u names, port number, client's enckey types and flags, used session enckey type, is referral, is constrained delegation, is protocol transition, was ticket renewed, KDC status message;
Alternative TGS
Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server and alternate server, KDC status message;
Cross-realm TGS
Successful or unsuccessful attempt - kdc time and authtime timestamps, unparsed client, server, cross-realm, KDC status message;
U2U TGS
Successful attempt - kdc time and authtime timestamps, unparsed client, server and second client, KDC status message
Session keys
AS and TGS exchange session key generation;
AS and TGS exchange session key cleaning;
Policy
Policies violation when processing requests - TBD;
AS request
TGS request
S4U2PROXY request


Design details

Pluggable interface

/* Audit plugin vtable */
typedef struct krb5_audit_vtable_st {
   /* Mandatory: name of module. */
   char *name;
   kau_open_fn  open;
   kau_close_fn  close;
   kau_kdc_start_fn  kdc_start;
   kau_kdc_stop_fn  kdc_stop;
   kau_as_req_fn  as_req;
   kau_tgs_fn  tgs;
   kau_tgs_alt_fn  tgs_alt;
   kau_tgs_u2u_fn  tgs_u2u;
   kau_tgs_xrealm_fn tgs_xrealm;
   kau_sesskey_as_generated_fn  sesskey_as_generated;
   kau_sesskey_as_cleared_fn    sesskey_as_cleared;
   kau_sesskey_tgs_generated_fn sesskey_tgs_generated;
   kau_sesskey_tgs_cleared_fn   sesskey_tgs_cleared;
   kau_policy_as_req_fn        policy_as_req;
   kau_policy_tgs_req_fn       policy_tgs_req;
   kau_policy_s4u2proxy_req_fn policy_s4u2proxy_req;
} *krb5_audit_vtable;

typedef krb5_error_code
(*kau_open_fn)(krb5_context context , kau_ctx *au_ctx);

typedef krb5_error_code
(*kau_close_fn)(krb5_context context, kau_ctx au_ctx);

typedef krb5_error_code
(*kau_kdc_start_fn)(krb5_context context, kau_ctx au_ctx,
                   krb5_deltat clockskew, const char *realm_port,
                   krb5_boolean allow_weak_crypto,
                   const char *plugins, const char *plugin_dir,
                   krb5_cksumtype kdc_req_sumtype,
                   krb5_cksumtype default_ap_req_sumtype,
                   krb5_cksumtype default_safe_sumtype, int status);

typedef krb5_error_code
(*kau_kdc_stop_fn)(krb5_context context, kau_ctx au_ctx, krb5_error_code  status);
 
typedef krb5_error_code
(*kau_as_req_fn)(krb5_context context, kau_ctx au_ctx,
                  krb5_timestamp kdc_time,  const char *kdc_status,
                  const char *cname, const char *sname,
                  krb5_flags c_flags, krb5_flags s_flags,
                  int req_patype, const int from_port,
                  const char *ktypes krb5_enctype sesskey_etype,
                  krb5_flags tkt_flags,
                  krb5_deltat tkt_start_time, krb5_deltat tkt_end_time, krb5_deltat tkt_renew_till,
                  const char *tkt_cname, const int tr_type, int rep_patype, int status);

typedef krb5_error_code
(*kau_tgs_fn)(krb5_context context, kau_ctx au_ctx,
              krb5_timestamp kdc_time, krb5_timestamp authtime, const char *status_msg,
              const char *cname, const char *sname,
              const char *altcname, const char *s4u_name,
              krb5_flags c_flags, krb5_flags s_flags,
              const int from_port, 
              const char * ktypes_buf, krb5_enctype session_key_etype,
              const int tkt_renewed,
              const int is_referral, const int is_constrained,
              const int is_transition, int status);

typedef krb5_error_code
(*kau_tgs_alt_fn)(krb5_context context, kau_ctx au_ctx,
                  krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
                  const char *cname, const char *sname,
                  krb5_flags c_flags, krb5_flags s_flags,
                  const int from_port, const char *altsrv, int status);

typedef krb5_error_code
(*kau_tgs_u2u_fn)(krb5_context context, kau_ctx au_ctx,
                  krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
                  const char *cname, const char *sname,
                  krb5_flags c_flags, krb5_flags s_flags,
                  const int from_port, const char *cl2, int status);

typedef krb5_error_code
(*kau_tgs_xrealm_fn)(krb5_context context, kau_ctx au_ctx,
                     krb5_timestamp kdc_time, krb5_timestamp authtime, const char *kdc_status,
                     const char *cname, const char *sname,
                     krb5_flags c_flags, krb5_flags s_flags,
                     const int from_port, const char *xrealm, int status);

typedef krb5_error_code
(*kau_sesskey_as_generated_fn)(krb5_context context, kau_ctx au_ctx,
                              krb5_timestamp kdc_time, const char *kdc_status,
                              const char *cname, const char *sname,
                              const int from_port, const char * ktypes,
                              krb5_enctype used_ktype, int status);

typedef krb5_error_code
(*kau_sesskey_as_cleared_fn)(krb5_context context, kau_ctx au_ctx,
                            krb5_timestamp kdc_time, const char *kdc_status,
                            const char *cname, const char *sname,
                            const int from_port, krb5_enctype used_ktype,int status);

typedef krb5_error_code
(*kau_sesskey_tgs_generated_fn)(krb5_context context, kau_ctx au_ctx,
                              krb5_timestamp kdc_time, const char *kdc_status,
                              const char *cname, const char *sname,
                              const int from_port,
                              const char *ktypes, krb5_enctype used_ktype, int status);

typedef krb5_error_code
(*kau_sesskey_tgs_cleared_fn)(krb5_context context, kau_ctx au_ctx,
                             krb5_timestamp kdc_time, const char *kdc_status,
                             const char *cname, const char *sname,
                             const int from_port, krb5_enctype used_ktype, int status);
                                                                       

API signatures

/* Audit plugin loaded/unloaded */
krb5_error_code 
load_audit_plugin(krb5_context context);
krb5_error_code 
unload_audit_plugin(krb5_context context);
/* KDC started /stopped */
krb5_error_code 
kau_kdc_start(krb5_context context, int status);
krb5_error_code 
kau_kdc_stop(krb5_context context, krb5_error_code status);
/* AS exchange: Successful or unsuccessful attempt */
krb5_error_code 
kau_as_req(krb5_context context, struct as_req_state *state, int status);
/* TGS exchange: Successful or unsuccessful attempt; alternative, u2u and cross-realm TGS */
krb5_error_code 
kau_tgs(krb5_context context,
        struct tgs_req_audit_state *state, int status);
krb5_error_code 
kau_tgs_alt(krb5_context context,
            struct tgs_req_audit_state *state, int status);
krb5_error_code
kau_tgs_u2u(krb5_context context, struct tgs_req_audit_state *state,
            krb5_principal cl2, int status);
krb5_error_code
kau_tgs_xrealm(krb5_context context, struct tgs_req_audit_state *state,
               char* xrealm, int status);
/* Session key generation and cleaning them up */
krb5_error_code 
kau_sesskey_as_generated(krb5_context context,
                         struct as_req_state *state, int status);
krb5_error_code 
kau_sesskey_as_cleared(krb5_context context,
                       struct as_req_state *state, int status);
krb5_error_code 
kau_sesskey_tgs_generated(krb5_context context,
                          struct tgs_req_audit_state *state,int status);
krb5_error_code 
kau_sesskey_tgs_cleared(krb5_context context,
                        struct tgs_req_audit_state *state, int status);
/* Policy driven events - TBD */
krb5_error_code
kau_policy_as_req(krb5_context context, struct as_req_state *state,
                 krb5_error_code status);
krb5_error_code
kau_policy_s4u2proxy_req(krb5_context context, struct tgs_req_audit_state *state,
                        krb5_db_entry *st_client, krb5_error_code status);
krb5_error_code
kau_policy_tgs_req(krb5_context context, struct tgs_req_audit_state *state,
                  krb5_ticket *header_ticket, krb5_error_code status);
/* Name of audit module */
krb5_error_code 
kau_plugin_name(krb5_context context, char **name);
struct tgs_req_audit_state {
   krb5_kdc_req *request;
   krb5_timestamp kdc_time;
   krb5_timestamp authtime;
   char *sname, *cname,*s4u_name, *u2ucname;
   krb5_principal altprinc;
   char  *xrealm;
   const krb5_fulladdr *from;
   unsigned int c_flags, s_flags;
   const char *status; /* KDC status message */
   krb5_enctype useenctype;
   krb5_boolean tkt_renewed;
   krb5_boolean is_referral;
};


Configuration

The following ./configure options are added:

--enable-audit[=yes/no]
Enable audit plugin. By default at build time audit is disabled.
--with-audit-plugin=simple
(For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.

Ticket ID

We need to introduce the concept of ticket ID (perhaps, session key hash) that would allow to associate events on multiple services with the original TGT. TODO.

Test implementation

We will use libaudit module available on Fedora, Debian, Suse for the first round.

Some "simple" audit plugin will be implemented and Python test system will become aware of its existence. New ./configure --with-audit-plugin option will be introduced to build "simple" audit plugin for testing purpose. If audit is enabled and audit plugin is available, "make check" will store audit messages into audit log file.

References

  1. Common Criteria for Information Technology Security Evaluation http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf
  2. Oracle Solaris Auditing http://docs.oracle.com/cd/E19963-01/html/821-1456/auditov-1.html
  3. Understanding Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html
  4. Advanced Security Audit Policy Settings http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx
  5. Events Classification in Log Audit http://airccse.org/journal/nsa/0410ijnsa5.pdf