AUDIT FAQ
~~~~~~~~~

1 What are audit and auditd ?
2.1 What are audit modules ?
2.2 What are the authentication modules ?
2.2.1 What is the RAW authentication module ?
2.2.2 What is the SRP authentication module ?
2.3 What are IA (information accessing) modules ?
2.3.1 What is the SYSLOG IA module ?
2.3 What are ATTRIBUTE modules ?
2.3.1 What is CLASSIC attribute module ?
2.3.2 What is PEO attribute module ?
2.3.3 What is MYSQL attribute module ?
2.3.4 What is PGSQL attribute module ?
2.3.5 What is REGEX attribute module ?
2.3.6 What is TCP attribute module ?
2.4 What are resources modules ?
2.4.1 What is LOCAL resource module ?
3 Can I use audit and modular syslog together ?
3.1 Can I use audit to automatically retrieve logfiles from remote machines ?
3.2 Can I use audit to check the integrity of logfiles ?
3.3 Can I change the current msyslog-peo key using audit ?
3.4 Can I change the current [m]syslog configuration file using audit ?
3.5 Can I use audit to audit logs centralized on a remote secure machine ?

1 What are audit and auditd ?

The audit client and the auditd server are two programs that together allow remote auditing of system logs: the auditor uses the client to connect to the remote host where the server is listening; once logged in, he can execute a set of commands for administrative tasks or log-auditing work.

For administration purposes there exist two kinds of commands:

o User administration commands:
  o Create
  o Remove
o Resources administration commands:
  o Set
  o Remove
  o Find

User administration commands allow managers to create new users (auditors) or remove existing ones. Resources administration commands allow managers to create, modify, remove, and examine each user's permissions (and other status values).

There are six other commands for auditing purposes:

o List
o Info
o Get
o Zap
o Rotate
o Sign

They are called "Information Accessing commands".
The List command shows a list of the available logfiles (which does not mean that the auditor is able to examine their contents). The Info command retrieves information about a specified logfile. The Get command retrieves both information and log data from a specified logfile. The Zap command truncates a specified logfile; it only erases those logs that have already been downloaded using the Get command. In the case of logfiles stored on disk, the Rotate command compresses (using gzip) a specified logfile; it only compresses those logs that have already been downloaded using the Get command. The Sign command is used by auditors to sign the logs that have been audited (it is not implemented yet).

The client/server session can be encrypted.

2.1 What are audit modules ?

The audit system has a modular architecture: several custom authentication, information accessing, and resources modules can be used; they are implemented as shared libraries.

2.2 What are the authentication modules ?

When a connection between a client and the server is established, the client must log in using one of the authentication methods. The login process is controlled by the authentication module. This module is also responsible for enabling the compression/encryption of the subsequent data transfers.

2.2.1 What is the RAW authentication module ?

The raw authentication module uses the native login method of the host where the server is running. The user must have a valid account on that server's operating system and must belong to the ``audit'' group. Unfortunately this module neither compresses nor encrypts the data transferred between the two parties: an eavesdropper can steal the user's password and the logs, and with the password she will be able to impersonate the auditor.

2.2.2 What is the SRP authentication module ?

The srp (secure remote password protocol) authentication module is the implementation of a password authentication and key-exchange protocol proposed by Thomas Wu at Stanford University.
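The mutual authentication and key agreement that the SRP module relies on, as an added example: this is a pure-Python SRP-6a exchange following RFC 5054, not audit's own SRP module (which, as noted below, does not follow RFC 2945) and not its wire format. The group parameters (the 1024-bit MODP prime of RFC 2409 with generator 2), the use of SHA-256, the in-memory user table and the names Client, Server, enroll and run_login are all assumptions of this example. The session key K that both sides derive is what a transport would then use to key a cipher such as the blowfish-cbc the FAQ mentions.

```python
# Added example, not audit's SRP module: SRP-6a as in RFC 5054, pure Python.
# Assumed parameters: the 1024-bit MODP group of RFC 2409 as (N, g), SHA-256 as
# the hash, and an in-memory user table. Nothing here describes auditd's format.
import hashlib
import hmac
import os

# RFC 2409 "group 2": a safe prime with generator 2 (check any group you deploy
# against its RFC; a mistyped modulus weakens everything silently).
N = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8   # 128 bytes

def h_bytes(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def h_int(*parts):
    return int.from_bytes(h_bytes(*parts), "big")

def pad(n):
    """Left-pad to the byte length of N; RFC 5054 hashes A, B and g this way."""
    return n.to_bytes(NLEN, "big")

def ephemeral():
    """Fresh private value for one login attempt."""
    return int.from_bytes(os.urandom(32), "big") % N

k = h_int(pad(N), pad(g))   # SRP-6a multiplier parameter

def enroll(username, password, salt=None):
    """Server-side registration: store (salt, verifier); the password itself never is."""
    salt = salt or os.urandom(16)
    x = h_int(salt, h_bytes(username, b":", password))
    return salt, pow(g, x, N)

class Client:
    def __init__(self, username, password, a=None):
        self.I, self.P = username, password
        self.a = a or ephemeral()               # ephemeral private value
        self.A = pow(g, self.a, N)

    def hello(self):
        return self.I, self.A                   # msg 1: identity, A

    def receive_challenge(self, salt, B):       # msg 2: salt, B
        if B % N == 0:
            raise ValueError("degenerate B from server")
        u = h_int(pad(self.A), pad(B))
        x = h_int(salt, h_bytes(self.I, b":", self.P))
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = h_bytes(pad(S))                # session key (would key blowfish-cbc)
        self.M1 = h_bytes(pad(self.A), pad(B), self.K)
        return self.M1                          # msg 3: client proof

    def verify_server(self, M2):                # msg 4: server proof
        return hmac.compare_digest(M2, h_bytes(pad(self.A), self.M1, self.K))

class Server:
    def __init__(self, users):
        self.users = users                      # username -> (salt, verifier)

    def challenge(self, I, A, b=None):
        if A % N == 0:
            raise ValueError("degenerate A from client")
        salt, v = self.users[I]
        self.A, self.b = A, b or ephemeral()
        self.B = (k * v + pow(g, self.b, N)) % N
        u = h_int(pad(A), pad(self.B))
        S = pow(A * pow(v, u, N), self.b, N)    # equals the client's S iff x matches
        self.K = h_bytes(pad(S))
        return salt, self.B

    def verify_client(self, M1):
        if not hmac.compare_digest(M1, h_bytes(pad(self.A), pad(self.B), self.K)):
            return None                         # wrong password: no M2, no session
        return h_bytes(pad(self.A), M1, self.K)

def run_login(server, username, password, a=None, b=None):
    """Drive the four-message exchange; True only if both proofs verify."""
    client = Client(username, password, a)
    I, A = client.hello()
    salt, B = server.challenge(I, A, b)
    M2 = server.verify_client(client.receive_challenge(salt, B))
    return M2 is not None and client.verify_server(M2) and client.K == server.K
```

Two properties worth noticing against the RAW module's weakness: the password never crosses the wire (only A, B and the two hash proofs do, and the server holds a verifier rather than the password), and a passive observer of the exchange learns nothing that lets it compute K.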
The SRP homepage is at http://www-cs-students.stanford.edu/~tjw/srp/. Both sides (client and server) are mutually authenticated; then all data transferred between the two parties is compressed and encrypted using blowfish-cbc and the exchanged key. The current SRP implementation does not follow RFC 2945.

An SRPPass resource must be created ``by hand'' on the remote host before this module can be used for the first time. The contents of this resource is the output of the srpp.c program located under the src/modules/auth/srp directory of the audit source distribution. If you are not able to access or compile this program, the following can be used as a first login password:

[ SRPPass ]
\85\2F\7A\2E\2A\40\AF\AC\24\FE\03\1D\40\85\AD\EA
\EE\2A\08\8A\BC\0E\7E\14\F2\B4\11\9C\1D\6A\2E\91
\DC\3D\F2\A6\87\A6\4A\D6\62\2F\EB\0C\89\DA\23\A5
\A3\55\BC\36\3F\11\86\39\C3\6F\09\85\FC\2D\2F\AA
\E7\AF\50\1B\EB\14\F0\EF\01\ED\31\95\E3\70\D1\AE
\B6\10\F3\62\86\AA\61\AF\09\B4\30\80\B8\70\01\4A
\D7\D6\E1\CA\20\A1\C8\2F\95\0B\0F\F4\4D\55\19\55
\00\E9\CB\0C\39\9F\80\9A\29\3D\03\00\5C\CE\DD\B9
\36\37\93\87\9D\A2\22\1C\3C\23\38\5C\56\D4\52\6B
\9D\EA\23\65\7C\84\41\46\40\B5\59\D9\C9\3D\03\80
\68\B5\79\CC\CC\99\5C\4E\73\AA\BD\1B\FF\23\85\AD
\DA\26\CD\AC\29\68\C6\C8\30\A2\AD\5E\EC\B1\89\47
\F3\84\8B\F0\42\33\01\2B\51\F3\AD\CB\6A\A4\D5\0C
\D9\8C\1D\B8\D3\0A\3C\78\AC\3A\8F\F9\E8\87\DB\8B
\A7\53\B1\E0\A1\D0\CA\55\A6\7D\F0\E5\E2\DC\B8\CA
\47\C3\80\75\9B\75\EE\67\D0\0C\36\1F\70\D0\6D\51
\80\EC\D9\23\D7\62\25\50\A7\82\70\27\E4\FC\EB\0E
\75\C4\E5\CF\BE\59\84\1F\FF\DE\F4\5A\8A\59\9F\9C
\B8\2E\51\8C\42\BC\48\9C\97\BD\F2\F7\E0\EE\34\E2
\35\06\43\DF\B5\8F\07\75\BA\51\79\46\87\B3\03\B6
\32\98\F1\99\84\17\58\CF\7E\03\A8\71\84\ED\B7\0B
\0A\33\BB\CD\FC\B9\08\0C\98\00\03\8B\76\20\C9\70
\32\7A\46\84\26\3E\80\00\51\22\84\E0\B4\FA\D8\6C
\FC\92\28\12\CA\03\AA\80\17\44\79\CB\BD\FE\81\35
\57\DD\6C\D6\8C\48\42\C1\AD\CB\8A\85\54\0D\CD\45
\8A\B7\8B\57\8A\EF\83\3F\85\1A\A3\1C\09\0B\D2\17
\BA\BE\B7\51\A5\5A\1D\FB\5C\3D\E8\C6\05\40\1E\F3
\E4\F0\0C\F0\BF\46\24\85\B8\FC\53\E9\F7\FB\4C\AF
\EA\5C\2C\54\47\E0\F4\C2\9F\FC\80\9F\B0\E3\CB\7A
\32\C1\6C\DA\C8\4D\35\9D\2B\C6\72\C5\70\0F\70\40
\8B\80\5E\13\4F\05\C1\82\D1\6D\60\60\B8\1B\B3\51
\0C\A6\77\BB\8C\82\E5\E5\CE\48\79\EB\C7\F5\B2\D3

With the above, the srp login password is: "change_this_password_now".

2.3 What are IA (information accessing) modules ?

The IA (information accessing) modules allow access to, and work on, different sets of logfiles. There are two types of IA modules:

o IA modules (the name is due to historical reasons)
o Attribute modules

In the following lines, when we refer to the IA module we are talking about the first type; otherwise the word attribute is used.

The IA module interacts with the entity that generates a given set of logs (examples of such entities are syslogd, httpd, the NT event logger, etc.). The first thing an auditor should do is specify the type of logs he wants to audit (if going to audit apache logfiles, then an APACHE IA module must be specified before executing any IA command: list, info, get, zap, rotate, sign). The IA module creates a list of all logfiles generated by the entity (e.g. in the case of syslog this is done by parsing its configuration file). When an auditor executes the ``list'' command, he will see only those logs he is allowed to see and not the complete list. If this command is executed before specifying any IA module, a list of the IA modules is printed instead.

The attribute IA modules characterize each logfile itself, and there can be more than one attribute per logfile. Examples:

o If using modular syslog logging to a postgresql database, then the PGSQL attribute module is associated to that logfile.
o If using modular syslog logging to a logfile on disk and applying the PEO protocol, http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=11&idx=85, then two attributes, CLASSIC and PEO, characterize that logfile: the first one is associated to the logs and the second one to the PEO (and PEO-L) status.

From the server's point of view, a logfile is nothing more than a list of attributes. The ``info'' information accessing command shows the information created by each attribute module.

2.3.1 What is CLASSIC attribute module ?

It is the attribute associated to standard syslog logfiles.

2.3.2 What is PEO attribute module ?

It is the attribute associated to modular syslog v1.xx logfiles where the PEO protocol is used to ensure the integrity of the logs. Refer to the PEO paper for more information about that protocol: http://www.corest.com/pressroom/advisories_desplegado.php?idxsection=11&idx=85

2.3.3 What is MYSQL attribute module ?

It is the attribute associated to modular syslog v1.xx logfiles stored in a MySQL database.

2.3.4 What is PGSQL attribute module ?

It is the attribute associated to modular syslog v1.xx logfiles stored in a PostgreSQL database.

2.3.5 What is REGEX attribute module ?

It is the attribute associated to modular syslog v1.xx logfiles; it gives information about the kind of data stored in a particular logfile.

2.3.6 What is TCP attribute module ?

It is the attribute associated to modular syslog v1.xx logfiles; it indicates that modular syslog is sending the logs to a particular host where another modular syslog (or a similar program) is waiting for them.

2.4 What are resources modules ?

All users' (auditors') permissions and status, as well as internal server data, are stored in a resources database; each resource is a name-value pair that can contain any kind of data. When an auditor logs in, the server loads the user's database and it remains in memory until he logs out.
The resources module is responsible for loading and saving the resources from/to a storage backend in a way that is completely independent from the server.

2.4.1 What is LOCAL resource module ?

The local resources module stores the resources database in a human-readable and editable text file. There is one file per auditor, and all of them are placed by default under /var/alat/resources.

3 Can I use audit and modular syslog together ?

Yes. You can use audit to audit modular syslog logfiles.

3.1 Can I use audit to automatically retrieve logfiles from remote machines ?

Yes. If you're using *nix systems you can configure your crontab to execute scripts that use audit to retrieve logs from remote systems. This scheme also allows centralizing logs on a secure host where the audit client runs.

3.2 Can I use audit to check the integrity of logfiles ?

Yes, but only if you're using modular syslog and its PEO output module. Other methods are possible, but the appropriate custom msyslog output module and audit IA and attribute modules would have to be created.

3.3 Can I change the current msyslog-peo key using audit ?

You can't replace the current key with another random one, but what you can do is use propagated peo keys. That is, suppose you are using modular syslog and applying PEO to the /var/log/messages logfile; then:

1. Connect (using audit and its -o option) to the remote host and retrieve the /var/log/messages logfile.
2. After step 1, both the logs and the peo key files are saved in a directory (specified by the -o option); the initial (secret) peo key should also reside in that directory.
3. Use peochk(1), the modular syslog utility, to check the file integrity.
4. Connect (using audit) to the remote host and rotate or zap the logfile.
5. The peo key file downloaded in step 2 will be the initial key the next time you start at step 1.

3.4 Can I change the current [m]syslog configuration file using audit ?

Audit v1.0 does not allow that.
This feature will be added in future audit releases.

3.5 Can I use audit to audit logs centralized on a remote secure machine ?

Yes, but you should use a custom IA module or configure the syslogd running on the secure host with the names of the centralized logfiles; in that case care must be taken to ensure that syslogd will not overwrite those logfiles. Future versions of audit will solve this problem.

$CoreSDI: FAQ,v 1.9 2001/12/12 20:35:02 claudio Exp $
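Returning to the key-propagation procedure of 3.3, the following added example shows why the key file downloaded in one round can serve as the initial key of the next, and what the check in step 3 can and cannot catch. It is a simplified PEO-style scheme written for this FAQ, not msyslog's on-disk format nor peochk's code: the construction (one HMAC per entry, the key replaced by its SHA-256 hash after every entry, only the current key kept on the host) and the names Logger, check and audit_round are assumptions of this example, and the log lines are constructed.

```python
# Added example: a simplified PEO-style forward-secure log chain, written for
# this FAQ. Not msyslog's file format and not peochk; the scheme is an assumption:
# entry i carries HMAC(K_i, line_i) and the host then replaces K_i by SHA256(K_i).
import hashlib
import hmac

def next_key(key):
    """One-way step from K_i to K_{i+1}; K_i cannot be recovered from K_{i+1}."""
    return hashlib.sha256(key).digest()

def entry_mac(key, line):
    return hmac.new(key, line.encode(), hashlib.sha256).hexdigest()

class Logger:
    """The logging host: it keeps only the *current* key, never the initial one."""
    def __init__(self, initial_key):
        self.key = initial_key
        self.entries = []                  # (line, mac) pairs as written to the logfile

    def log(self, line):
        self.entries.append((line, entry_mac(self.key, line)))
        self.key = next_key(self.key)      # the key that signed this entry is destroyed

    def rotate(self):
        """Rotate/zap after the auditor has downloaded: the key chain simply continues."""
        taken, self.entries = self.entries, []
        return taken

def check(initial_key, entries):
    """peochk-like walk of the chain. Returns (ok, first_bad_index, key_after_last)."""
    key = initial_key
    for i, (line, mac) in enumerate(entries):
        if not hmac.compare_digest(entry_mac(key, line), mac):
            return False, i, key
        key = next_key(key)
    return True, None, key

def audit_round(initial_key, entries, host_key_file):
    """One cycle of 3.3: verify the downloaded logs against the key kept from the
    previous round, compare the resulting key with the key file downloaded next to
    the logs, and return the key to use as the initial key next time."""
    ok, bad, final_key = check(initial_key, entries)
    if not ok:
        return False, "entry %d modified, inserted or reordered" % bad, None
    if not hmac.compare_digest(final_key, host_key_file):
        return False, "tail entries missing: host key is ahead of the log", None
    return True, "ok", final_key

# Constructed sample key (assumption: generated once and kept off the host).
K0 = hashlib.sha256(b"initial secret key, set once and kept offline").digest()

if __name__ == "__main__":
    host = Logger(K0)
    for line in ("Dec 12 20:35:02 host sshd[42]: Accepted publickey for claudio",
                 "Dec 12 20:36:10 host su: claudio to root on /dev/ttyp0"):
        host.log(line)                     # constructed lines, not real msyslog output
    downloaded = host.rotate()             # step 1 (Get) and step 4 (rotate/zap)
    print(audit_round(K0, downloaded, host.key))             # (True, 'ok', K2)
    forged = [(downloaded[0][0], downloaded[0][1]), ("edited line", downloaded[1][1])]
    print(audit_round(K0, forged, host.key))                 # entry 1 flagged
```

The round-trip makes the trust model explicit: the auditor's copy of the previous round's key file, held off the host, is the anchor; the MAC walk detects edits, insertions and reordering, and comparing the final chain key with the downloaded key file detects entries silently removed from the tail. What the scheme cannot detect is an intruder who captures the current key and then appends well-formed entries from that point on, which is why each key must be destroyed as soon as it has been used.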