logo_kerberos.gif

Difference between revisions of "Projects/Audit"

From K5Wiki
Jump to: navigation, search
m
(Abandoning "hybrid")
Line 13: Line 13:
 
* build-time enabled;
 
* build-time enabled;
 
* run-time pluggable;
 
* run-time pluggable;
* simple, so it could be easily replaced with the OS specific implementations;
+
* simple and flexible, so it could be easily replaced with the OS specific and third-parties implementations;
   
   
 
== Events ==
 
== Events ==
   
This section details the categories of the auditable events and the associated information.
 
  +
(Common Criteria Class FIA)
   
===Audit module loaded/unloaded===
 
  +
This section details the categories of the auditable events and the associated data.
:: Startup and shutdown of the audit system must be recorded by audit system;
 
   
===KDC started/stopped===
 
  +
1. Startup and shutdown of the KDC must be recorded by audit system;
:: Startup and shutdown of the KDC must be recorded by audit system;
 
   
===Authentication===
 
  +
2. AS_REQ and TGS_REQ:
(Common Criteria Class FIA)
 
   
We anticipate that in some cases the multiple levels of details of the audit output will be needed. We suggest having two levels: Detailed and its subset, Basic.
 
  +
{| class="wikitable" style="border: 3px solid #59121e"
  +
|+
  +
|-
  +
! Phase
  +
! style="padding-left: 2em; padding-right: 2em;" | Data to be logged
  +
! AS_REQ
  +
! TGS_REQ
  +
|-
  +
|rowspan=3|Authenticate request content and client
  +
| client’s address and port || ✔ || ✔
  +
|-
  +
| original KDC request and [[#Request ID| request ID ]] || ✔ || ✔
  +
|-
  +
| primary [[#Ticket ID|ticket ID]] || ✗ ||(S4U:front-end server's) TGT
  +
|-
  +
|rowspan=3|Determine service principal
  +
| modified KDC request and [[#Request ID|request ID]] ||✔ || ✔
  +
|-
  +
| cross-realm referral || ✗ || service principal, TGS
  +
|-
  +
| user-to-user: client in the 2nd ticket || ✗ ||✔
  +
|-
  +
|rowspan=2|Validate policies
  +
| local policy violation ||✔ || ✔
  +
|-
  +
| protocol constraints ||✗ || S4U2Proxy, S4U2Self
  +
|-
  +
|rowspan=5|Issue ticket
  +
| ticket renewed ||✗ || ✔
  +
|-
  +
| ticket validated ||✗ || ✔
  +
|-
  +
| session key enctype (short-term) ||✔ || ✔
  +
|-
  +
| enctype of the service's long-term key||✗ || ✔
  +
|-
  +
| derived [[#Ticket ID|ticket ID]]|| TGT || service or referral TGT
  +
|-
  +
|rowspan=2|Encrypt reply
  +
| KDC reply ||✔ || ✔
  +
|-
  +
| Reply-encrypting key enctype (long-term) ||✔ || ✔
  +
|-
  +
|}
   
====AS exchange====
 
  +
Note, that audit plugin implementors will be able to extract the following auditable information:
=====Basic level=====
 
: TGT [[#Ticket ID|ticket ID]] (on success);
 
: [[#Request ID|request ID]];
 
: client’s address and port;
 
: enctype of session key;
 
: enctype of reply-encrypting key - client principal's key;
 
: KDC request:
 
:: requested service principal;
 
:: client’s principal;
 
=====Detailed level=====
 
: KDC status message (on failure);
 
: KDC request:
 
:: KDC options;
 
:: requested ticket start, end and renew_till times;
 
:: list of requested addresses;
 
:: requested enctypes;
 
:: preauth types (on failure);
 
: KDC reply:
 
:: TGT [[#Ticket details|ticket]] (on success);
 
:: preauth types (on failure).
 
   
====TGS exchange====
 
  +
KDC request:
=====Basic level=====
 
  +
: requested service principal;
: TGT [[#Ticket ID|ticket ID]] - primary ticket ID;
 
  +
: client’s principal;
: service or referral TGT [[#Ticket ID|ticket ID]] (on success) - derived ticket ID;
 
  +
: KDC options;
: [[#Request ID|request ID]];
 
  +
: requested ticket start, end and renew_till times;
: client’s address and port;
 
  +
: list of requested addresses;
: enctype of session key;
 
  +
: requested enctypes;
: enctype of long-term key of the service;
 
  +
: preauth types
: enctype of reply-encrypting key;
 
: was ticket renewed;
 
: was ticket validated;
 
: KDC request:
 
:: requested service principal;
 
:: client’s principal;
 
: KDC reply:
 
:: service [[#Ticket details|ticket]] (on success);;
 
=====Detailed level=====
 
: KDC status message (on failure);
 
: KDC request:
 
:: KDC options;
 
:: requested ticket start, end and renew_till times;
 
:: list of requested addresses;
 
:: requested enctypes;
 
: KDC reply:
 
:: preauth types (on failure);
 
:: referral TGT [[#Ticket details|ticket]] (on success).
 
   
====TGS Extensions====
 
  +
KDC reply:
=====S4U2self=====
 
  +
: preauth types;
: entry-point-server's TGT [[#Ticket ID|ticket ID]] - primary ticket ID;
 
  +
: TGT, referral TGT or service ticket with the following level of details:
: [[#Request ID|request ID]];
 
  +
::client and server principals;
:On error:
 
  +
::flags;
::user's pre-authentication data: name and realm or x509 certificate;
 
  +
::start, end and renew_till times;
::local or protocol policy problem (TBD: level of details);
 
  +
::authtime;
::KDC status message;
 
  +
::authentication path - encoded list of transited realms for service ticket or referral TGT (for TGS only);
:On success:
 
::end-service or referral TGT [[#Ticket ID|ticket ID]].
 
=====S4U2proxy=====
 
: entry-point-server's TGT [[#Ticket ID|ticket ID]] - primary ticket ID;
 
: [[#Request ID|request ID]];
 
: user's evidence [[#Ticket details|ticket]] - additional ticket in the request;
 
:On error:
 
::local or protocol policy problem (TBD: level of details);
 
::KDC status message;
 
:On success:
 
::end-service or referral TGT [[#Ticket ID|ticket ID]].
 
   
====Other events====
 
  +
(future development)
+
Other events to consider for the future development:
 
:Policy
 
:Policy
:: Policies violation when processing requests (AS, TGS, S4U etc);
+
::Policies violation - what went wrong and how to prevent it;
 
:Secrets (Common Criteria FCS_CKM.1, FCS_CKM.4);
 
:Secrets (Common Criteria FCS_CKM.1, FCS_CKM.4);
 
::long- and short-term keys creation, manipulation, cleaning.
 
::long- and short-term keys creation, manipulation, cleaning.
 
====Ticket details====
 
:client and server principals;
 
:flags;
 
:start, end and renew_till times;
 
:authtime;
 
:authentication path - encoded list of transited realms for service ticket or referral TGT (for TGS only);
 
 
 
 
== Design details ==
 
== Design details ==
   
Line 128: Line 110:
 
====Request ID====
 
====Request ID====
 
Request ID - hash of the request is recorded as part of audit messages. Using this piece of information an administrator can easily correlate multiple audit events related to a single request.
 
Request ID - hash of the request is recorded as part of audit messages. Using this piece of information an administrator can easily correlate multiple audit events related to a single request.
 
====Hybrid====
 
The proposal is a hybrid of variadic key-type-value triplet (KTV) and one-API-per-event approaches.
 
 
On the KDC side call audit event-specific functions, whose input consists of the event-id, event-status and event-specific structure. If event-specific callback is implemented by the audit plugin, strip the event-specific structure from the security sensitive information and then pass the pointer to the event-specific structure to the plugin. Otherwise, fallback to the generic function with variadic KTV arguments. In the latter case all non-string values should be converted into the strings and the key-types serve as a hint to the plugin implementor about the "original" type of the key-value.
 
   
 
=== KDC facing API ===
 
=== KDC facing API ===
Line 192: Line 169:
   
 
where new types server_handle_san, as_req_state_san and tgs_req_state_san are sanitized variants of server_handle, as_req_state and tgs_req_state structures respectively.
 
where new types server_handle_san, as_req_state_san and tgs_req_state_san are sanitized variants of server_handle, as_req_state and tgs_req_state structures respectively.
 
=== Example ===
 
 
krb5_error_code
 
kau_as_req(krb5_context context, struct as_req_state *state,
 
krb5_error_code status)
 
{
 
krb5_error_code rc = 0;
 
...
 
/* If audit plugin event-specific callback is implemented, call it */
 
if (hdl->vt.as_req) {
 
rc = hdl->vt.as_req(hdl->au_ctx, event_id, event_status, state);
 
return rc;
 
}
 
/* Otherwise, try the generic one. */
 
if (hdl->vt.generic)
 
rc = rec_as_req(hdl->au_ctx, event_id, event_status, state);
 
return rc;
 
}
 
 
static krb5_error_code
 
rec_as_req(krb5_context context, struct as_req_state_san *state,
 
krb5_error_code status)
 
{
 
krb5_error_code rc = 0;
 
...
 
/* All values with TYPE_NUM type-hint are string representations of
 
* their numeric conterparts in 'state' structure.
 
*/
 
hdl->vt.record(hdl->au_ctx, event_id, event_status,
 
"tkt_id", TYPE_NUM, tkt_id, // state->tkt_id
 
"kdc_status", TYPE_STR, state->status,
 
"full_address", TYPE_STR, state->full_address,
 
/* request */
 
"req.client", TYPE_STR, state->req_client,
 
"req.server", TYPE_STR, state->req_server,
 
"req.kdc_options", TYPE_STR, state->req_kdc_options,
 
"req.start", TYPE_NUM, req_from, // state->req_from
 
"req.end", TYPE_NUM, req_end, // state->req_end
 
"req.renew_till", TYPE_NUM, req_time, // state->req_rtime
 
/* reply */
 
"rep.tkt.server", TYPE_STR, state->rep_tkt_server,
 
"rep.tkt.flags", TYPE_NUM, rep_tkt_flags, // state->rep_tkt_flags
 
"rep.tkt.start", TYPE_NUM, rep_tarttime, // state->rep_tarttime
 
"rep.tkt.end", TYPE_NUM, rep_endtime, // pstate->rep_endtime,
 
"rep.tkt.renew_till", TYPE_NUM, rep_renew_till, // state->rep_renew_till
 
"rep.tkt.authtime", TYPE_NUM, rep_authtime, // state->rep_authtime,
 
"rep.tkt.key_etype", TYPE_NUM, rep_session_enctype, // state->rep_session_enctype
 
);
 
return rc;
 
}
 
   
   
Line 265: Line 191:
 
|-
 
|-
 
| kdc_status || style="padding-left: 2em "| TR|| KDC status (“ISSUE” on success)
 
| kdc_status || style="padding-left: 2em "| TR|| KDC status (“ISSUE” on success)
|-
 
| fromaddr || style="padding-left: 2em "| STR|| client’s address
 
|-
 
|fromport || style="padding-left: 2em "| NUM || client’s port
 
 
|-
 
|-
 
| full_address || style="padding-left: 2em "| STR || Alternative to "fromport"/"fromaddr"
 
| full_address || style="padding-left: 2em "| STR || Alternative to "fromport"/"fromaddr"
Line 352: Line 274:
 
# Make reporting auditable events configurable. For example, one can choose to report TGS_REQ, but not AS_REQ etc;
 
# Make reporting auditable events configurable. For example, one can choose to report TGS_REQ, but not AS_REQ etc;
 
# Define and make configurable the DETAILED and BASIC levels of the events;
 
# Define and make configurable the DETAILED and BASIC levels of the events;
  +
# Sanitize KDC request and reply before passing them to audit implementation: security sensitive information should not leave KDC boundaries;
 
# Develop Audit system for Preauth and Authdata mechanisms.
 
# Develop Audit system for Preauth and Authdata mechanisms.
   

Revision as of 18:50, 25 July 2013

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Purpose

Create an Audit infrastructure within MIT Kerberos to monitor security related events on the KDC. In future expand Kerberos Audit facility to the application servers, kadmin if it remains desirable.


Requirements

The new audit system should be:

  • build-time enabled;
  • run-time pluggable;
  • simple and flexible, so it could be easily replaced with the OS specific and third-parties implementations;


Events

(Common Criteria Class FIA)

This section details the categories of the auditable events and the associated data.

1. Startup and shutdown of the KDC must be recorded by audit system;

2. AS_REQ and TGS_REQ:

Phase Data to be logged AS_REQ TGS_REQ
Authenticate request content and client client’s address and port
original KDC request and request ID
primary ticket ID (S4U:front-end server's) TGT
Determine service principal modified KDC request and request ID
cross-realm referral service principal, TGS
user-to-user: client in the 2nd ticket
Validate policies local policy violation
protocol constraints S4U2Proxy, S4U2Self
Issue ticket ticket renewed
ticket validated
session key enctype (short-term)
enctype of the service's long-term key
derived ticket ID TGT service or referral TGT
Encrypt reply KDC reply
Reply-encrypting key enctype (long-term)

Note, that audit plugin implementors will be able to extract the following auditable information:

KDC request:

requested service principal;
client’s principal;
KDC options;
requested ticket start, end and renew_till times;
list of requested addresses;
requested enctypes;
preauth types

KDC reply:

preauth types;
TGT, referral TGT or service ticket with the following level of details:
client and server principals;
flags;
start, end and renew_till times;
authtime;
authentication path - encoded list of transited realms for service ticket or referral TGT (for TGS only);


Other events to consider for the future development:

Policy
Policies violation - what went wrong and how to prevent it;
Secrets (Common Criteria FCS_CKM.1, FCS_CKM.4);
long- and short-term keys creation, manipulation, cleaning.

Design details

The following are highlights of this new feature:

Ticket ID

Ticket ID is recorded as part of audit messages. This allows to link tickets to their initial TGT at any stage of the Kerberos exchange.

For the purpose of this project we will create a private to KDC ticket ID: each successfully created ticket will be hashed and recorded into audit log. The administrators will correlate the primary and derived ticket IDs after the fact.

For the future, however, we need a more complex system that would allow to tie the tickets from a successful AS_REQ all the way to the application server. It is marked as an action item in this section.

Request ID

Request ID - hash of the request is recorded as part of audit messages. Using this piece of information an administrator can easily correlate multiple audit events related to a single request.

KDC facing API

/* Audit plugin loaded/unloaded */
krb5_error_code 
load_audit_plugin(krb5_context context);
krb5_error_code 
unload_audit_plugin(krb5_context context);
/* event specific functions */
krb5_error_code 
kau_kdc_start(krb5_context context, struct server_handle shdl, int status);
krb5_error_code 
kau_kdc_stop(krb5_context context, krb5_error_code status);
krb5_error_code 
kau_as_req(krb5_context context, struct as_req_state *state, int status);
krb5_error_code 
kau_tgs(krb5_context context, struct tgs_req_audit_state *state, int status);

Pluggable interface

/* Audit plugin vtable */
typedef struct krb5_audit_vtable_st {
   /* Mandatory: name of module. */
   char             *name;
   kau_open_fn       open;
   kau_close_fn      close;
   kau_generic_fn    generic;
   kau_kdc_start_fn  kdc_start;
   kau_kdc_stop_fn   kdc_stop;
   kau_as_req_fn     as_req;
   kau_tgs_req_fn    tgs_req;
} *krb5_audit_vtable;

typedef krb5_error_code
(*kau_open_fn)(kau_ctx *au_ctx);

typedef krb5_error_code
(*kau_close_fn)(kau_ctx au_ctx);

/* general purpose interface to pass unspecified number of 
 *  key-type-value triplets to a plugable interface.
 */
typedef krb5_error_code
(*kau_generic_fn)(kau_ctx au_ctx, const int event_id, const int status, ... );

/* one-API-per-event surrogate */
typedef krb5_error_code
(*kau_kdc_start_fn)(kau_ctx au_ctx, const int event_id, const int status,
                    struct server_handle_san shdl);
typedef krb5_error_code
(*kau_kdc_stop_fn)(kau_ctx au_ctx, const int event_id, const int status);
typedef krb5_error_code
(*kau_as_req_fn)(kau_ctx au_ctx, const int event_id, const int status,
                 struct as_req_state_san *state);
typedef krb5_error_code
(*kau_tgs_fn)(kau_ctx au_ctx, const int event_id, const int status,
              struct tgs_req_state_san *state);

where new types server_handle_san, as_req_state_san and tgs_req_state_san are sanitized variants of server_handle, as_req_state and tgs_req_state structures respectively.


Dictionary

The possible basic field names are:

Key Type Comments
tkt_id_in STR primary (TGT) ticket ID
tkt_id_out STR derived (service or referral TGT) ticket ID
client STR client’s principal
service STR requested service principal
kdc_status TR KDC status (“ISSUE” on success)
full_address STR Alternative to "fromport"/"fromaddr"
sess_etype NUM enctype of session key
rep_etype NUM enctype of reply-encrypting key
srv_etype NUM enctype of long-term key of the service key
tkt_renewed BOOL was ticket renewed
tkt_validated BOOL was ticket validated
req.addresses STR requested addresses
req.avail_etypes STR requested/available enc types
req.kdc_options NUM KDC options (forwardable, allow_postdate etc)
req.pa_type STR preauth types
req.tkt_start NUM requested ticket start time
req.tkt_end NUM requested ticket end time
req.tkt_renew_till NUM requested ticket renew-till time
req.tkt_authtime NUM requested ticket authtime
req.sectkt_cname STR client principal in the second ticket (U2U etc)
req.sectkt_sname STR service principal in the second ticket
req.sectkt_flags NUM second ticket flags
req.sectkt_start NUM second ticket start time
req.sectkt_end NUM second ticket end time
req.sectkt_authtime NUM second ticket authtime
req.sectkt_etype NUM second ticket key type
req.sname STR requested service principal
req.cname STR client's principal
rep.sname STR service principal in ticket
rep.cname STR client principal in ticket
rep.pa_type STR reply preauth types
rep.rep_flags NUM ticket flags
rep.rep_authtime NUM ticket authtime
rep.tkt_start NUM ticket start time
rep.tkt_end NUM ticket end time
rep.tkt_renew_till NUM ticket renewed-till time
rep.tr_contents STR ticket transited-realms list



Configuration

The following ./configure option to be added:

--with-audit-plugin=simple
(For demo and testing purposes) Build the audit plugin "simple" and enable audit plugin.


Future work

  1. Standardize a Ticket_ID;
  2. Make reporting auditable events configurable. For example, one can choose to report TGS_REQ, but not AS_REQ etc;
  3. Define and make configurable the DETAILED and BASIC levels of the events;
  4. Sanitize KDC request and reply before passing them to audit implementation: security sensitive information should not leave KDC boundaries;
  5. Develop Audit system for Preauth and Authdata mechanisms.

Test implementation

We will use libaudit module available on Fedora, Debian, Suse for the first round.

Some "simple" audit plugin will be implemented and Python test system will become aware of its existence. New ./configure --with-audit-plugin option will be introduced to build "simple" audit plugin for testing purpose. If audit is enabled and audit plugin is available, "make check" will store audit messages into audit log file.

References

  1. Common Criteria for Information Technology Security Evaluation http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf
  2. Oracle Solaris Auditing http://docs.oracle.com/cd/E19963-01/html/821-1456/auditov-1.html
  3. Understanding Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html
  4. Advanced Security Audit Policy Settings http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx
  5. Events Classification in Log Audit http://airccse.org/journal/nsa/0410ijnsa5.pdf
  6. CEE Log Syntax (CLS) Encoding http://cee.mitre.org/language/1.0-beta1/cls.html