audit 1.6.7 questions

audit 1.6.7 questions

[LC Bruzenak]

Steve,

Audit 1.6.7 prelude event adds look great - the extra info in the
prelude manager is very good.

Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)? Also - gotta ask
- user logins but not logoffs?

Thanks,
LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

Re: audit 1.6.7 questions

[Steve Grubb]

On Wednesday 06 February 2008 16:48:14 LC Bruzenak wrote:
> Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?

That one is still TBD. I needed the define in libaudit.h so I could use it 
later. I have to patch a few user space utilities to send the event.

> Also - gotta ask user logins but not logoffs?

Logoffs have to be determined from session information. So, it takes some 
extra logic to deduce. Also failed logins are pretty important as you may be 
under attack, while logoffs you are never under attack. So, I don't know if 
logoffs are worthy of an IDS alert. However, it would be fine for something 
like an aulast command. Would that be helpful or do you see an IDS angle I'm 
missing? Its a good question, though.

Thanks,
-Steve

Re: audit 1.6.7 questions

[Valdis.Kletnieks]

[-- Attachment #1.1: Type: text/plain, Size: 1189 bytes --]

On Wed, 06 Feb 2008 17:04:12 EST, Steve Grubb said:

> Logoffs have to be determined from session information. So, it takes some 
> extra logic to deduce. Also failed logins are pretty important as you may be 
> under attack, while logoffs you are never under attack. So, I don't know if 
> logoffs are worthy of an IDS alert. However, it would be fine for something 
> like an aulast command. Would that be helpful or do you see an IDS angle I'm 
> missing? Its a good question, though.

I don't have much use for an IDS alert on logoff, unless it's a session that is
automagically logged in at boot and not supposed to logout - usually running a
captive kiosk or system-monitoring tool (but in those cases, the program can
usually be modified or wrapped to generate its own "Yow I exited unexpectedly"
alerts).  On the other hand, having some sort of '*last' capability is almost
always useful when you're trying to figure out what happened - "Fred left the
office at 5PM, but his session was there till 11PM, and something odd happened
at 10:30PM".  Usually means either Fred didn't in fact leave, or Fred left the
session unlocked and you have a too-clued janitor on the payroll.. :)


[-- Attachment #1.2: Type: application/pgp-signature, Size: 226 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: audit 1.6.7 questions

[Steve Grubb]

On Wednesday 06 February 2008 17:04:12 Steve Grubb wrote:
> > Events: In the audisp code I see most of the AUDIT_ANOM "biggies" but
> > not all (from libaudit.h, e.g. AUDIT_ANOM_ROOT_TRANS)?
>
> That one is still TBD. I needed the define in libaudit.h so I could use it
> later. I have to patch a few user space utilities to send the event.

It occurred to me that I didn't fully answer this. The plugin right now is 
intended to be a usable proof of concept test. I only wanted to cover 
the "easy" ones. The other anomaly events would be covered in future versions 
of the plugin, but they generally require some work to get functioning. At 
this point, I'm interested in feedback and maybe some ideas about what kinds 
of alerts people might be interested in.

One thing I ran into writing my plugins is that I think IDMEF is really more 
suited to NIDS rather than HIDS. I have been discussing this with the prelude 
developers and will write up my findings later. To really do a good job, I 
think the standard needs to change a little.

For example, when you get an AVC, you need to see the syscall record in order 
to decide what the impact really is. Without the syscall record, you don't 
know if the system was in permissive mode at the time if the syscall. So you 
cannot conclude whether they succeeded or failed. The IDMEF standard has no 
way to say the result was indeterminate.

So, it may take a while to get this plugin exactly the way I want since it may 
take some standards work to be able to express all the information that an 
audit system has available.

-Steve