IS2150/TEL2810: Introduction of Computer Security
Auditing; Evaluation
Lecture 12
Nov 29, 2005

Outline: What is Auditing?; Auditing goals/uses; Problems; Audit System Structure; Logger; Example: RACF; Example: Windows NT; Windows NT Sample Entry; Analyzer; Notifier; Examples; Designing an Audit System; Example: Bell-LaPadula; Remove Tranquility; Example: Chinese Wall; Recording; Implementation Issues; Syntactic Issues; Example Grammar; More Syntactic Issues; Log Sanitization; Logging Organization; Reconstruction; Issue; Example; Generation of Pseudonyms; Application Logging; System Logging; Contrast; Design; Detect Violations of Known Policy; State-Based Auditing; Transition-Based Auditing; Detect Known Violations of Policy; 3-Way Handshake and Land; Detection; What is Formal Evaluation?; Formal Evaluation: Why?; TCSEC: The Original; TCSEC Class Assurances; TCSEC Class Assurances (continued); How is Evaluation Done?; TCSEC: Evaluation Phase; TCSEC: Problems; Later Standards; ITSEC: Levels; ITSEC Problems; Common Criteria: Origin; CC Evaluation 1: Protection Profile; CC Evaluation 2: Security Target; Common Criteria: Functional Requirements; Class Example: Communication; Class Example: Privacy; Common Criteria: Assurance Requirements; Common Criteria: Evaluation Assurance Levels; Common Criteria: Evaluation Process; Common Criteria: Status

What is Auditing?
- Logging: recording events or statistics to provide information about system use and performance
- Auditing: analysis of log records to present information about the system in a clear, understandable manner

Auditing goals/uses
- User accountability
- Damage assessment
- Determine causes of security violations
- Describe security state for monitoring critical problems
- Determine if system enters unauthorized state
- Evaluate effectiveness of protection mechanisms
- Determine which mechanisms are appropriate and working
- Deter attacks because of presence of record

Problems
- What to log?
  - Looking for violations of a policy, so record at least what will show such violations
  - Use of privileges
- What do you audit?
  - Need not audit everything
  - Key: what is the policy involved?

Audit System Structure
- Logger: records information, usually controlled by parameters
- Analyzer: analyzes logged information looking for something
- Notifier: reports results of analysis

Logger
- Type, quantity of information recorded controlled by system or program configuration parameters
- May be human readable or not
  - If not, usually viewing tools supplied
  - Space available, portability influence storage format

Example: RACF
- Security enhancement package for IBM's MVS/VM
- Logs failed access attempts, use of privilege to change security levels, and (if desired) RACF interactions
- View events with LISTUSERS commands

Example: Windows NT
- Different logs for different types of events
  - System event logs record system crashes, component failures, and other system events
  - Application event logs record events that applications request be recorded
  - Security event log records security-critical events such as logging in and out, system file accesses, and other events
- Logs are binary; use event viewer to see them
- If log full, can have system shut down, logging disabled, or logs overwritten

Windows NT Sample Entry
Date: 2/12/2000
Source: Security
Time: 13:03
Category: Detailed Tracking
Type: Success
EventID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
Description: A new process has been created:
New Process ID: 2216594592
Image File Name: \Program Files\Internet Explorer\IEXPLORE.EXE
Creator Process ID: 2217918496
User Name: Administrator
FDomain: WINDSOR
Logon ID: (0x0,0x14B4c4)
[would be in graphical format]

Analyzer
- Analyzes one or more logs
  - Logs may come from multiple systems, or a single system
  - May lead to changes in logging
  - May lead to a report of an event
- Using swatch to find instances of telnet from tcpd logs: /telnet/&!/localhost/&!/*.site.com/
- Query set overlap control in databases: if too much overlap between current query and past queries, do not answer
- Intrusion detection analysis engine (director): takes data from sensors and determines if an intrusion is occurring

Notifier
- Informs analyst, other entities of results of analysis
- May reconfigure logging and/or analysis on basis of results
- May take some action

Examples
- Using swatch to notify of telnets: /telnet/&!/localhost/&!/*.site.com/ mail staff
- Query set overlap control in databases: prevents response from being given if too
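As an added illustration of the analyzer and notifier roles above (not code from the lecture), the swatch rule /telnet/&!/localhost/&!/*.site.com/ and its "mail staff" action written out in Python; the tcpd log lines are constructed, "*.site.com" is read as a hostname suffix rather than a literal regex, and the mail is built but not sent.

```python
import re

# Constructed sample tcpd (TCP wrappers) log lines; not taken from the lecture.
SAMPLE_LOG = """\
Nov 29 13:01:02 gw in.telnetd[412]: connect from localhost
Nov 29 13:02:10 gw in.telnetd[418]: connect from ws12.site.com
Nov 29 13:03:45 gw in.ftpd[421]: connect from ws12.site.com
Nov 29 13:04:09 gw in.telnetd[430]: connect from dialup7.example.net
Nov 29 13:05:30 gw in.telnetd[437]: connect from 192.0.2.44
"""

# The three swatch clauses: select /telnet/, then drop /localhost/ and
# hosts under site.com ("*.site.com" treated as a hostname suffix, an assumption).
TELNET = re.compile(r"telnet")
LOCALHOST = re.compile(r"localhost")
SITE_HOST = re.compile(r"\.site\.com\b")
REMOTE_HOST = re.compile(r"connect from (\S+)")


def matches_rule(line):
    """True when the line is a telnet connection from outside localhost/site.com."""
    return (TELNET.search(line) is not None
            and LOCALHOST.search(line) is None
            and SITE_HOST.search(line) is None)


def analyze(log_text):
    """Analyzer: return (timestamp, remote host, raw line) for each selected line."""
    hits = []
    for line in log_text.splitlines():
        if matches_rule(line):
            m = REMOTE_HOST.search(line)
            host = m.group(1) if m else "?"
            hits.append((line[:15], host, line))  # syslog timestamp is the first 15 chars
    return hits


def notify(hits, recipient="staff"):
    """Notifier: the message swatch's 'mail staff' action would send (returned, not sent)."""
    if not hits:
        return None
    body = "\n".join(f"{ts} telnet from {host}" for ts, host, _ in hits)
    return {"to": recipient,
            "subject": f"{len(hits)} external telnet connection(s)",
            "body": body}


if __name__ == "__main__":
    print(notify(analyze(SAMPLE_LOG)))
```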