
Audit and IDS

Steve Grubb, Red Hat


Linux Audit and Intrusion Detection Systems
● Review audit system
● Learn a little about some threats
● Overview of IDMEF
● Introduction to prelude
Audit System's Uses
● Watch file accesses
● Monitor system calls
● Record commands run by user
● Record security events
● Search for events
● Run summary reports
Audit Requirements
Shall be able to record at least the following:
● Date and time of event, type of event, subject identity, and outcome
● Sensitivity labels of subjects and objects
● Be able to associate event with identity of user causing it
● All modifications to audit configuration and attempted access to logs
● All uses of authentication mechanisms
● Changes to any trusted database
● Attempts to import/export information
● Be able to include/exclude events based on user identity, subject/object labels, other attributes


Syscall Audit Rules
Follows the general form:
-a filter,action -S syscall -F field=value -k "rule-note"

Example to see opens by users that failed due to permission:

-a exit,always -S open -F exit=-EACCES -F auid>=500 -F auid!=4294967295

-F can be one of: a0, a1, a2, a3, arch, auid, devmajor, dir, devminor, exit,
user/group ids, filetype, inode, msgtype, object/subject context parts,
path, perms, pid, ppid, or success.

An "and" is created by adding more "-F" name/value pairs. An "or" is created by
adding a new rule.

Results are evaluated by the filter to decide if the event is auditable.


File System Audit Rules
File system audit rules take the general form of:
-w /full/path-to-file -p wrxa -k "rule note"

Can also be expressed as syscall audit rule:


-a exit,always -F path=/full/path-to-file -F perm=wrxa -k "rule note"

The perm field selects the syscalls that are involved in file
writing, reading, execution, or attribute change.
Trusted Apps
● All entry point programs must set loginuid
● Apps that modify trusted databases were updated to send audit event records:
  ● amtu, aide
  ● at, vixie-cron
  ● coreutils
  ● dbus, glibc (nscd)
  ● gdm, kdm, xdm
  ● openssh, pam, util-linux, vsftpd
  ● passwd, shadow
  ● nss
Pam IDS updates
pam_tally2
● Locks out an account for consecutive failed login attempts
● Sends ANOM_LOGIN_FAILURES
pam_access
● Used to forbid logins from certain locations, consoles, and accounts
● /etc/security/access.conf controls its config
● Sends ANOM_LOGIN_ACCT and ANOM_LOGIN_LOCATION
pam_time
● Used to forbid logins during non-business hours
● /etc/security/time.conf controls its config
● Sends ANOM_LOGIN_TIME
pam_limits
● Used to limit maximum concurrent sessions and other user restrictions
● /etc/security/limits.conf controls its config
● Sends ANOM_LOGIN_SESSIONS
ausearch results
type=PATH msg=audit(06/06/2008 14:15:19.373:3588) : item=1
name=/tmp/svck4.tmp/svd8l.tmp inode=168834 dev=08:07 mode=file,600
ouid=sgrubb ogid=sgrubb rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0
type=PATH msg=audit(06/06/2008 14:15:19.373:3588) : item=0
name=/tmp/svck4.tmp/ inode=168794 dev=08:07 mode=dir,775
ouid=sgrubb ogid=sgrubb rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(06/06/2008 14:15:19.373:3588) : cwd=/home/sgrubb
type=SYSCALL msg=audit(06/06/2008 14:15:19.373:3588) : arch=x86_64
syscall=unlink success=yes exit=0 a0=7fff66ec9340 a1=7fff66ec92a0
a2=14 a3=3e831eadc0 items=2 ppid=4030 pid=4041 auid=sgrubb
uid=sgrubb gid=sgrubb euid=sgrubb suid=sgrubb fsuid=sgrubb
egid=sgrubb sgid=sgrubb fsgid=sgrubb tty=(none) ses=1
comm=simpress.bin exe=/usr/lib64/openoffice.org/program/simpress.bin
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=delete
aureport results
Summary Report
======================
Range of time in logs: 05/27/2008 09:28:34.600 - 06/07/2008 09:31:58.719
Selected time for report: 06/06/2008 00:00:00 - 06/07/2008 09:31:58.719
Number of changes in configuration: 113
Number of changes to accounts, groups, or roles: 0
Number of logins: 4
Number of failed logins: 0
Number of authentications: 17
Number of failed authentications: 0
Number of users: 2
Number of terminals: 13
Number of host names: 4
Number of executables: 115
Number of files: 41551
Number of AVC's: 10
Number of MAC events: 8
Number of failed syscalls: 1284
Number of anomaly events: 3
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 4
Number of process IDs: 1006
Number of events: 44470
aureport --file
File Summary Report
===========================
total file
===========================
776 /usr/bin/
763 /usr/lib64/
690 /var/lib/PackageKit/
690 /var/lib/PackageKit/transactions.db-journal
670 /usr/include/linux/
366 /usr/share/mimelnk/application/
254 /usr/share/apps/katepart/syntax/
248 /usr/share/doc/HTML/en/kdelibs-apidocs/kio/bookmarks/html/
182 /dev/.udev/queue/
166 /var/run/hald/
166 /var/run/hald/acl-list
140 /usr/share/services/
108 /lib/modules/2.6.25.4-30.fc9.x86_64/kernel/drivers/ata/
41 /var/run/ConsoleKit/database~
Audit System Data Flow
[Diagram: Kernel → Audit Daemon → Event Dispatcher → Setroubleshoot, Remote Logging, IDS/IPS]

audisp-prelude
● Audispd plugin that reads audit stream
● Identifies suspicious events
● Sends most interesting ones to prelude-manager
● Has 15 different configurable detections
● Has a test mode so that it can be checked
  ● Takes input from stdin
  ● Must be raw log format (ausearch --raw > ./test.log)
  ● /sbin/audisp-prelude --test < ./audit-test.log | less


Audisp-prelude Detections
Controlled by /etc/audispd/audisp-prelude.conf
detect_avc – SE Linux AVCs
detect_logins – detects any login
detect_login_fail_max – detects output from pam_tally2
detect_login_session_max – detects output from pam_limits
detect_login_location – detects output from pam_access
detect_login_time – detects output from pam_time
detect_abend – detects any abnormal terminations: segv, abort
detect_promiscuous – detects opening of promiscuous socket
detect_mac_status – detects changes in SE Linux configuration
detect_group_auth – detects failures in group password auth
detect_watched_acct – detects any login for account being watched
detect_watched_file – detects access to file being watched
detect_watched_exec – detects execution of specific programs
detect_watched_mk_exe – detects the creation of executables
SE Linux records a program's behavioral model
[Diagram: example program domains shown for httpd, passwd, login]


Watched File, exec, mk_exe
● Requires special audit rules
● -k ids-type-severity
  ● ids gets the attention of the key processor
  ● type: file, exec, or mkexe
  ● severity: info, low, med, or hi

-a exit,always -F path=/full-path/file -F perm=wa -k ids-file-med
-a exit,always -F path=/full-path/file -F perm=x -k ids-exec-med
-a exit,always -S chmod -F dir=/home -F a1&0111 -F filetype=file -k ids-mkexe-hi
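As an added example (not code from these slides or from audisp-prelude) serving both the syscall-rule section and the ids-type-severity key convention above, this Python groups raw audit records by serial into events, evaluates the slides' failed-open rule as a chain of -F conditions, and turns keyed events into (detection, severity) alerts. The log lines, paths, inode numbers and the x86_64 syscall numbers are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample in raw audit format (as ausearch --raw emits); not real log data.
# 3588 hit a watched-file rule, 3589 is an EACCES open with no key, 3590 hit the mkexe rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1212776119.373:3588): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=500 comm="vi" exe="/bin/vi" key="ids-file-med"
type=PATH msg=audit(1212776119.373:3588): item=0 name="/etc/hosts" inode=100 dev=08:07 mode=0100644
type=SYSCALL msg=audit(1212776120.001:3589): arch=c000003e syscall=2 success=no exit=-13 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1212776120.001:3589): item=0 name="/etc/shadow" inode=101 dev=08:07 mode=0100000
type=SYSCALL msg=audit(1212776121.500:3590): arch=c000003e syscall=90 success=yes exit=0 auid=500 uid=500 comm="chmod" exe="/bin/chmod" key="ids-mkexe-hi"
type=PATH msg=audit(1212776121.500:3590): item=0 name="/home/user/dropper" inode=102 dev=08:07 mode=0100755
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group raw records by serial into events: {serial: {"SYSCALL": {...}, "PATH": [...]}}."""
    events = defaultdict(lambda: {"PATH": []})
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "PATH":
            events[int(serial)]["PATH"].append(fields)
        else:
            events[int(serial)][rtype] = fields
    return dict(events)

# Operators auditctl accepts in -F; every pair in one rule must hold ("and" semantics).
OPS = {"=": str.__eq__, "!=": str.__ne__, ">=": lambda a, b: int(a) >= int(b)}

def rule_matches(syscall, conditions):
    """True when all (field, op, value) conditions hold for the SYSCALL record."""
    return all(f in syscall and OPS[op](syscall[f], v) for f, op, v in conditions)

# The slide's failed-open rule: open is syscall 2 on x86_64 (assumed), -EACCES is -13.
FAILED_OPEN = [("syscall", "=", "2"), ("exit", "=", "-13"),
               ("auid", ">=", "500"), ("auid", "!=", "4294967295")]

def classify(events):
    """Return (serial, detection, severity, path) alerts; key ids-type-severity drives the first branch."""
    alerts = []
    for serial, ev in sorted(events.items()):
        sc = ev.get("SYSCALL", {})
        path = ev["PATH"][0]["name"] if ev["PATH"] else None
        parts = sc.get("key", "").split("-")
        if len(parts) == 3 and parts[0] == "ids":   # watched file, exec or mkexe
            alerts.append((serial, "watched_" + parts[1], parts[2], path))
        elif rule_matches(sc, FAILED_OPEN):        # no key, but the -F chain still matches
            alerts.append((serial, "failed_open", "info", path))
    return alerts
```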
What to do with this info?

● Audit system is now an active component
● Have the ability to pick out events
● Hard to watch all machines
● Many events overwhelm people because it is hard to pick out what's important
● The key is central collection, escalation, and correlation


IDMEF

● Intrusion Detection Message Exchange Format
● Governed by IETF RFC 4765
● Describes XML format
  ● What parameters are available
  ● How to represent values
  ● Network protocol
● Normalizes events so programs from different vendors, OS, and devices can in theory interoperate
● libprelude.so provides a complete and mature IDMEF library
Prelude
● Full featured Hybrid-IDS
● Has many sensors
● Has event aggregation
● Correlate many events
● Can alert in realtime
● Event notification pop-ups
Hybrid IDS
● Host Based IDS not very prone to false positives
  ● Event either happened or it didn't
  ● You have full context of what the event means
● Network Based IDS can generate false positives
  ● New protocols can look like an attack
  ● Can only report what it sees
  ● Might not be able to decrypt some traffic
  ● Limited context about what is really happening
● Hybrid mixes the two


Prelude Architecture
Prelude Sensors
● Audit
● Snortd
● Samhain
● Apache
● Syslog
● OSSEC
● Nepenthes
● NuFW
● Clamav
● Nagios
● Portsentry
● Postfix
● Sonicwall
● Spamassassin
● webmin
● LML
● Pam
● Arpwatch
● Cisco equipment
● Asterisk
Libprelude communication
● Sensor must be registered to its manager
● Communication is encrypted
● Failover capability when cannot contact manager
● Relay events from manager to manager
● Reverse relay to keep DMZ secure
Visualize Alerts - Prewikka
● Apache based cgi-bin
● Has database of recent alerts
● Allows multiple users with different permissions
● Sort/select alerts by type, host, target, severity, sensor,
and many more ways at the top of the columns.
Future Directions
● Add Brouette
  ● Offers real-time alerts via libnotify
● Add mod_security2 log format parsing for LML
  ● This is the biggest hole in HIDS capability now
● Add more sensors
  ● Rogue DHCP detection
  ● Integrate passive asset detection
● Add more detections for auditd sensor
  ● Changing uid
  ● Account changes
  ● Test failures (amtu, aide, RBAC, sectool)
  ● Crypto failures
Future Directions
Correlation when Engine is ready
● Provide framework for higher level analysis
● Reconstruct sequence of events
● Detect targets, protocols, tools, etc.
● Adapt severity rating
● Allow filtering to suppress false positives
● Improve accuracy by scoring alerts
● Reactive countermeasures

Visualization tools
● PIG – Prelude IDMEF Grapher
Nessus Scan
Future Directions
There are weaknesses in the IDMEF spec
● Seems to have been designed from snort's PoV
● No way to express some HIDS concepts
● Roles are not in spec
● No concept of sensitivity
● In the case of a promiscuous socket, the target is the network
● Not allowed to say results were indeterminate
● Data Source Identifier should be in spec
● Can't say source of attack is a service or program
● Access of shadow is more than just a FILE attack; it's an attack on the credentials

Seems like a new spec is in order to fix these deficiencies
Questions?

HOWTO
http://people.redhat.com/sgrubb/audit/prelude.txt

Audit Info
http://people.redhat.com/sgrubb/audit

Mail
[email protected]