36 Cards in this Set

What tool is used to interface with the audit system on Linux running kernel greater than 2.6?
/sbin/auditctl
Name of audit daemon for Linux running kernel > 2.6?
/sbin/auditd
What are the configuration files for the Linux audit daemon? And where are they kept?
/etc/sysconfig/auditd - configuration file for starting the audit daemon
/etc/audit/auditd.conf - configuration for the audit daemon
/etc/audit/audit.rules - audit rules to be loaded at start-up
/etc/audisp/audispd.conf - configuration for the audit dispatcher
What are the tools for the Linux audit daemon? And where are they kept?
/sbin/auditctl
/sbin/auditd
/sbin/ausearch
/sbin/aureport
What's the difference between SELinux auditing and regular kernel auditing (auditd)?
Audit events associated with SELinux are reported as AVC messages to auditd.
A few important fields in each audit record generated by the Linux 2.6 kernel are:
type
syscall
a0-a3
subj
key

All fields can be found here: http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html#sec.audit.aureport
Can you change or add fields to the audit records auditd generates?
No.
What command will force an automatic rotation of audit logs when using the auditd daemon in Linux?
service auditd rotate

This command actually sends a signal to the auditd daemon that tells it to rotate the logs.
How can I troubleshoot the auditd daemon?
1) Run auditd in the foreground using the '-f' switch to have error messages sent to standard error.
How can I audit the init process?
Configure your boot loader to pass 'audit=1' as a kernel parameter at boot-time.
How can I determine what processes have their audit flag set?
NULL
How can I force a shutdown if the audit thresholds are exceeded?
Set the failure flag to use when the kernel needs to handle critical errors. Possible values are 0 (silent), 1 (printk, print a failure message), and 2 (panic, halt the system).

Place '-f 2' in the audit.rules file.

Example of critical errors are: ???
How do I tell auditd to delete preexisting audit rules?
auditctl -D

Make sure '-D' is on the first line of your audit.rules file.
How do I prevent the audit configuration from changing?
auditctl -e 2

Any attempt to change the audit configuration in this mode will be denied and audited. The machine must be rebooted to change it.

Place '-e 2' on the last line of your audit.rules file.
Where does SELinux send audit messages when 1) auditd is running, and 2) auditd is not running.
1) /var/log/audit.log - auditd is running
2) /var/??
Linux is preventing you from modifying your audit rule configuration. Why?
'auditctl -e 2' was run to prevent any changes.

Remove '-e 2' from audit.rules file then reboot to unlock configuration for editing.
List of system calls -
On system:

Internet:
http://asm.sourceforge.net/syscall.html
http://www.acsu.buffalo.edu/~charngda/linux_syscalls_64bit.html
How can I find a list of system calls a particular program makes?
strace <program>

"In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option"
What's the command line for auditing system calls using auditd?
-S <system call>

ex. 'auditctl -a entry,always -S mkdir'

The example command above will generate an audit record anytime the mkdir system call is used.
You'd like to delete the file watch on /var/log/custom_log on a running system. How is that accomplished?
auditctl -d /var/log/custom_log

'-d' will delete the most specific rule that matches the argument passed to it.
You'd like a list of active audit rules on the system. You get that how?
auditctl -l

By default, rules are read from /etc/audit/audit.rules
Does aureport support the analysis of multiple files?
Yes - specify the filenames at the command line

aureport -if /var/log/custom_log -if /var/log/another_custom_log
What does this command provide 'aureport -e -i --summary'
Illustrates the different types of events and how many of each type have been logged
How do I display all audit records that were created by rules tagged with 'web_sys'?
ausearch -k web_sys

'-k' allows searching on the key associated with the audit rule.
You'd like to forward your audit records generated by auditd to another server. How do you accomplish this?
1) decide on location.
2) prepare the audispd daemon
You'd like to be notified when your audit partition is running out of space? How do you set this up?
Two settings in the /etc/audit/auditd.conf file are relevant: space_left and space_left_action.

Set 'space_left' to the amount of space remaining on the partition at which you'd like to be notified.

space_left_action - states how you'll want to be notified.
What is CAPP?
CAPP stands for "Controlled Access Protection Profile"

"The Common Criteria (CC) Controlled Access Protection Profile, hereafter called CAPP, specifies a set of security functional and assurance requirements for Information Technology (IT) products. CAPP-conformant products support access controls that are capable of enforcing access limitations on individual users and data objects. CAPP-conformant products also provide an audit capability which records the security-relevant events which occur within the system."

"The CAPP was derived from the requirements of the C2 class of the U.S. Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC), dated December, 1985, and the material upon which those requirements are based. This protection profile provides security functions and assurances which are equivalent to those provided by the TCSEC and replaces the requirements used for C2 trusted product evaluations."
How can I modify the buffer size for my audit records?
Use '-b' with the auditctl command.

From cmd help: " -b <backlog> Set max number of outstanding audit buffers allowed; Default=64"

audit.rules
-D        # Clear all rules
-b 8912   # set buffer size for audit records
What is audispd and what does it do?
audispd is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.
What is the 'type' field used for in a linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
Stands for the type of event recorded. Known values include: CWD, SYSCALL, PATH
What is the 'msg' field used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
A message ID enclosed in brackets. The ID splits into two parts. All characters before the : represent a UNIX epoch time stamp. The number after the colon represents the actual event ID. All events that are logged from one application's system call have the same event ID. If the application makes a second system call, it gets another event ID.
What is the 'syscall' field used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The type of system call as it would have been printed by an strace on this particular system call. This data is taken from the list of system calls under /usr/include/asm/unistd.h and may vary depending on the architecture.
What is the 'exit' field used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The exit value returned by the system call. For the open system call used in this example, this is the file descriptor number. This varies by system call.
What are the fields 'a0-a3' used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The first four arguments to the system call in numeric form. The values of these are totally system call dependent. In this example (an open system call), the following are used:

a0=62fb60 a1=0 a2=31 a3=0

a0 is the start address of the passed pathname. a1 is the flags. 8000 in hex notation translates to 100000 in octal notation, which in turn translates to O_LARGEFILE. a2 is the mode, which, because O_CREAT was not specified, is unused. a3 is not passed by the open system call. Check the manual page of the relevant system call to find out which arguments are used with it.
What are the fields 'items' used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The number of strings passed to the application.
What are the fields 'auid' used for in the linux audit entry?

type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=4 a0=62fb60 a1=0 a2=31 a3=0 items=1 ppid=25400 pid=25616 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1164 comm="less" exe="/usr/bin/less" key="doc_log"
The audit ID. A process is given an audit ID on user login. This ID is then handed down to any child process started by the initial process of the user. Even if the user changes his identity (for example, becomes root), the audit ID stays the same. Thus you can always trace actions to the original user who logged in.