On Feb 28, 2009, at 6:55 AM, brian mcgann <email@hidden> wrote:
Thanks so much for the great reply, Terry.
My interest is primarily in what you refer to as 'Notification only' - item 1. Specifically, I'm interested in tracking access to a fine grain of detail, and KAuth has worked perfectly for us - relatively low performance overhead for very fine-grained information.
Your detailed response has given me a much better perspective - thanks; your exhaustive efforts in developing the framework have paid off handsomely, I think.
We aim to please...
I'll pursue a bit further with Windows-oriented mail lists, but it feels like I am going to be forced to roll-my-own if I want to get anything approaching what KAuth provides us on Mac OS X.
As others have pointed out, an IFSMgr plugin will give you file lifecycle events across filesystems, which is how most Windows file antivirus software works. Think of it like hooking INT 13 way back when.
Login session lifecycle events have to be done in user space; last time I did anything with those, the hooks were published, but the parameters they get called back with were not (but were easy to reverse engineer from context).
If you figure anything out for credential or process lifecycle events, I'd be interested in knowing about it. 8-).
Good luck!
-- Terry
Brian
On Fri, Feb 27, 2009 at 3:31 PM, Terry Lambert <email@hidden> wrote:
On Feb 27, 2009, at 6:09 AM, brian mcgann wrote:
Does anyone know of any analog of any kind to KAuth for Windows? I've had great success with it on the Mac and I'm looking to extend my functionality in whole or in part to Windows.
It depends on what you intend to do with it.
The kauth KPI set has a number of intended functions, and you could always add your own by knowing the semantics of an event point and acting however you want based on perceived state. The intended ones are:
(1) Notification only -- "This happened - deal with it"
There are not necessarily corollary events for Windows for all of the notifications in Mac OS X; to be fair, the same is true going the other way. But as far as I am aware, there is no central clearing-house mechanism in Windows.
(2) Authorization of operations -- answering the question "Can actor A perform action B on object C?"
This is probably best described as "light-weight Mandatory Access Controls", and it predates them. It also doesn't have the highest overhead and most problematic part of MAC, which is revocation.
To implement this, we had to go through and change every single place that computed and applied effective rights to ask that question, instead. It was a significant architectural change, and exposing the internals like kauth does to allow third parties to plug in their own policy modules required a lot of additional architectural changes.
As far as I am aware, Windows doesn't support anything like mandatory access controls as a centralized architectural mechanism. Windows NT 3.5.1 did pass both common criteria auditing and orange book B1 security certification on specific hardware, which is the stuff that predates the NSA's and DARPA's work on mandatory access controls, but I'm not sure how it was carried through architecturally, or if they supported policy modules. More recent versions of Windows have CC certified to IEL4.
As far as I'm aware, Mac OS X is the first commercial OS to support this sort of thing (pluggable policy modules) at all in an off-the-shelf product (see <http://www.trustedbsd.com/> for more information on the project that MAC in BSD sources came from).
Newer versions of Windows (specifically, Vista and Windows Server 2008) support a concept called "Mandatory Integrity Control", but the granularity is pretty low, and I'm pretty sure it doesn't support pluggable modules; see also:
<http://www.securityfocus.com/infocus/1887>
<http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx>
(3) Management of credentials and common criteria auditing information
Credentials identify the actor and, in some cases, the object being acted upon, when the object is another actor, rather than something that has access as a property rather than a right (example: a file with an ACL on it).
I'm pretty sure the Windows implementation uses user-space authentication plugins to establish authority, and then uses common code not under the user's control to set up the credentials, and audit labels (if any), that the OS uses internally.
You would probably be better off asking the BSD/PAM/MAC and CC/ITSEC people for information, or asking on a Microsoft-related mailing list instead of a Mac OS X one, since the kauth stuff is all original work by Apple, and most of the MAC stuff was derived from work done under contract from us, the NSA, and DARPA, among others.
-- Terry
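A small user-space C model of how the two kauth roles Terry lists above fit together: a notification-only listener (role 1) that only records, an authorization listener (role 2) that answers "can actor A perform action B on object C?", and the scope's default policy that decides when every listener defers. This is an added illustration, not code from the thread or from Apple; the listener bodies, the default policy, and the RESULT_* names are hypothetical stand-ins for the kernel's scopes and result codes, and only the combining rule (first ALLOW or DENY ends the walk, DEFER falls through to the default) is modeled.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the three answers a kauth listener may return. */
enum { RESULT_ALLOW = 1, RESULT_DENY = 2, RESULT_DEFER = 3 };

typedef int (*listener_fn)(const char *actor, const char *action, const char *object);

/* Hypothetical notification-only listener (role 1): record and never decide. */
static int audit_log_count = 0;
static int audit_listener(const char *actor, const char *action, const char *object) {
    (void)actor; (void)action; (void)object;
    audit_log_count++;          /* a real kext would write an audit record here */
    return RESULT_DEFER;        /* DEFER leaves the decision to everyone else */
}

/* Hypothetical authorization listener (role 2): deny one narrow case, defer the rest. */
static int policy_listener(const char *actor, const char *action, const char *object) {
    if (strcmp(actor, "guest") == 0 && strcmp(action, "write") == 0 &&
        strncmp(object, "/protected/", 11) == 0)
        return RESULT_DENY;
    return RESULT_DEFER;
}

/* Stand-in for the scope's default policy (the classic mode-bit/ACL check). */
static int default_policy(const char *actor, const char *action, const char *object) {
    (void)object;
    if (strcmp(actor, "root") == 0 || strcmp(action, "read") == 0)
        return RESULT_ALLOW;
    return RESULT_DENY;
}

/* Model of the authorize step: listeners run in order, the first ALLOW or DENY
 * ends the walk, and only if all of them DEFER does the default policy decide.
 * Returns 0 when permitted, EPERM when refused. */
static int authorize(listener_fn *listeners, int n,
                     const char *actor, const char *action, const char *object) {
    int result = RESULT_DEFER;
    for (int i = 0; i < n && result == RESULT_DEFER; i++)
        result = listeners[i](actor, action, object);
    if (result == RESULT_DEFER)
        result = default_policy(actor, action, object);
    return result == RESULT_ALLOW ? 0 : EPERM;
}

int main(void) {
    listener_fn chain[] = { audit_listener, policy_listener };
    printf("guest write /protected/x -> %d\n", authorize(chain, 2, "guest", "write", "/protected/x"));
    printf("guest read  /protected/x -> %d\n", authorize(chain, 2, "guest", "read", "/protected/x"));
    printf("audit records: %d\n", audit_log_count);
    return 0;
}
```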