Re: [Fed-Talk] Audit Trail Configurations Request
- Subject: Re: [Fed-Talk] Audit Trail Configurations Request
- From: "Dan O'Donnell" <email@hidden>
- Date: Mon, 19 Oct 2009 12:37:56 -0700
- Thread-topic: [Fed-Talk] Audit Trail Configurations Request
NISPOM Chapter 8, for PL-1 systems
The Defense Security Services (DSS) has defined the requirements in NISPOM
Chapter 8, Section 600 (601 to 606): Protection Requirements and ISL 2007-01
#44 and #45 to be the following for Unix, which means Solaris BSM and BSM
(now OpenBSM) as implemented in FreeBSD and OS X. This list is for PL-1.
lo - all logins and logouts
ad - all administrative events
-fr - failed read attempts
-fw - failed write attempts
-fc - failed creation attempts
-fd - failed deletion attempts
-cl - failed close attempts
-fm - failed object attributes modify
These will be different for higher protection levels PL-2 through PL-5.
Also, one might include na - non-attributable (administrative) events.
The simplified list above is for flags only, and does not identify SROs such
as directories or files. Those are in the list below that is identified in
ISL 2007-01 #45. Permissions should already exist in the OS so that these
are inaccessible to the general user and thus audited.
SROs (Security Relevant Objects) for Unix defined in ISL 2007-01 #45
/bin, /usr/bin - OS executables
/etc - OS configuration
/etc, /sbin, /usr/sbin - system management and maintenance executables
/var/audit - audit data
/usr/local, /opt - security related software
I would add that /Applications/Utilities/Disk Utility should (arguably) be
protected from access. (Though an unprivileged user using it on anything
that is already protected should be blocked by the OS and thus an entry will
be made in the audit record.)
I will send ISL 2007-01 #44 and #45 to you as a PDF extract offlist.
Aside from the audit config settings for NISPOM Ch.8 PL-1...
We have had difficulty in OpenBSM on Mac OSX in redirecting the audit trail
from the local machine to another machine on the network. The problem seems
to lie in the fact that auditing is started by launchd before networking
starts, so the configuration file has already started and placed the trail -
which must be on the local host since there are no available network
volumes. If audit_config is set to place the audit trail on a network volume
that does not yet exist, there is a problem. Hopefully somebody else will
have solved this problem and can correct our work. (This does not happen
with Solaris, and apparently also not with FreeBSD.)
> http://gallery.me.com/todd_heberlein#100396
Brilliant. Thanks very much for making this and providing it to the
community. I'd been working on something similar but will drop it for yours.
Suggestion and question:
1. Does this new tool include an audit file/trail reader or interpreter?
2. Can it automate auditreduce | praudit with flags for auditreduce?
3. Will it place the resulting output file in a protected location, or even
just in /var/audit as a text file?
On 10/19/09 11:12 AM, "Todd Heberlein" <email@hidden> wrote:
> Now that Apple has a really good auditing system for Mac OS X again, I
> would like to put together a library of BSM audit configurations (for
> Mac, FreeBSD, or Solaris) that meet various legal or contractual
> requirements, recommendations from various groups, or that people have
> just generally found useful.
>
> If you know of any BSM auditing configurations, or maybe if you don't
> have a specific configuration but have a specific requirement that an
> auditing system should meet (I'll try to create a configuration to
> meet the requirement), could you please send them my way. I'll be
> making these configurations freely available to others, so don't send
> anything to me that you don't want to share with a wider community.
>
> For those interested in an audit configuration tool, here is a quick
> video showing the application for managing and using the audit trail
> configurations. I'll be giving the tool away along with any
> configurations I can get from the community.
>
> http://gallery.me.com/todd_heberlein#100396
>
> Thanks,
>
> Todd
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
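The following is an added example and not code from the thread or from Todd's tool. It stages an OpenBSM audit_control carrying the PL-1 class list from the message, checks every class name against an audit_class file before anything is installed, and wraps the auditreduce | praudit step asked about in question 2 and 3 so the text copy lands with root-only permissions. Assumptions: OpenBSM's default paths (/etc/security, /var/audit) as on OS X and FreeBSD; "na" is added to naflags, following the message's remark about non-attributable events; the audit_class excerpt embedded below is constructed for offline validation and a live system's file is longer.

```shell
#!/bin/sh
# Added example (not from the thread): stage, validate and install an
# OpenBSM audit_control for the NISPOM Ch.8 PL-1 class list, and extract
# the file-access classes from the trail into a protected text copy.

# PL-1 preselection from the message; naflags also gets "na" (assumption,
# following the message's note about non-attributable events).
PL1_FLAGS="lo,ad,-fr,-fw,-fc,-fd,-cl,-fm"
PL1_NAFLAGS="lo,ad,na"

# Constructed excerpt of /etc/security/audit_class (mask:name:description)
# used only for offline validation; the real file has more rows.
AUDIT_CLASS_SAMPLE='0x00000001:fr:file read
0x00000002:fw:file write
0x00000004:fa:file attribute access
0x00000008:fm:file attribute modify
0x00000010:fc:file create
0x00000020:fd:file delete
0x00000040:cl:file close
0x00000800:ad:administrative
0x00001000:lo:login_logout
0x00008000:na:non attributable'

# validate_flags FLAGS CLASSFILE
# Returns 0 if every class in the comma-separated FLAGS (after stripping the
# +/-/^ success/failure prefixes) is defined in CLASSFILE, else 1 and the
# offending token on stderr. A typo here would silently audit nothing.
validate_flags() {
    _flags=$1; _classfile=$2; _rc=0
    for _tok in $(printf '%s' "$_flags" | tr ',' ' '); do
        _name=$(printf '%s' "$_tok" | sed 's/^[-+^]*//')
        if ! cut -d: -f2 "$_classfile" | grep -qx "$_name"; then
            printf 'unknown audit class: %s\n' "$_tok" >&2
            _rc=1
        fi
    done
    return $_rc
}

# render_audit_control TRAILDIR FLAGS NAFLAGS -> audit_control text on stdout.
render_audit_control() {
    cat <<EOF
#
# PL-1 preselection: logins/logouts, administrative events, and failed
# read/write/create/delete/close/attribute-modify attempts.
#
dir:$1
flags:$2
minfree:20
naflags:$3
policy:cnt,argv
filesz:2M
EOF
}

# install_audit_control SRC
# Installs the staged file with the ownership/mode OpenBSM expects and asks
# auditd to re-read its configuration (audit -s). Requires root; not run by
# the stand-alone sample below.
install_audit_control() {
    install -o root -g wheel -m 0644 "$1" /etc/security/audit_control
    audit -s
}

# reduce_file_access TRAILDIR OUTDIR
# Selects the file read/write/create/delete/close/attribute-modify classes
# from every trail file and writes the praudit text under OUTDIR (e.g.
# /var/audit itself, as the message suggests) readable only by the caller.
reduce_file_access() {
    umask 077
    auditreduce -c fr,fw,fc,fd,cl,fm "$1"/* \
        | praudit > "$2/file-access-$(date +%Y%m%d%H%M).txt"
}

# Stand-alone run: stage everything in a scratch directory and validate it.
STAGE=$(mktemp -d)
printf '%s\n' "$AUDIT_CLASS_SAMPLE" > "$STAGE/audit_class"
render_audit_control /var/audit "$PL1_FLAGS" "$PL1_NAFLAGS" > "$STAGE/audit_control"
validate_flags "$PL1_FLAGS,$PL1_NAFLAGS" "$STAGE/audit_class" && cat "$STAGE/audit_control"
```

On a real host, run validate_flags against /etc/security/audit_class, then install_audit_control "$STAGE/audit_control"; since audit_control is read when auditd starts, the dir: line must point at a local path, which is exactly the constraint the message describes for network volumes on OS X.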