
auditdistd - Secure and reliable distribution of audit trail files


Formal Metadata

Title: auditdistd - Secure and reliable distribution of audit trail files
License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Abstract
Security Event Audit is a facility that provides fine-grained, configurable logging of security-relevant events. Audit events are stored in trail files that can be used for postmortem analysis in case of system compromise. Once the system is compromised, however, an attacker has access to the audit trail files and can modify or delete them. The auditdistd daemon's role is to distribute audit trail files to a remote system in a secure and reliable way. The talk provides background on the Security Event Audit facility in FreeBSD and describes the auditdistd daemon in detail. The auditdistd daemon is also a good example of using modern sandboxing mechanisms like Capsicum. During the talk the audit subsystem and the auditdistd daemon are demonstrated live.
Welcome everyone. I would like to talk about a secure and reliable way of distributing audit trail files, that is, about auditdistd, which I was working on only recently, although I have been doing stuff for FreeBSD for quite a few years now. But before I get to auditdistd I would like to talk a bit about the audit subsystem itself.

So basically the audit subsystem is responsible for logging security-related events. Everything that, from the security point of view, should be logged, there should be a way to log it with audit. What you need to know is that audit itself doesn't protect anything; it logs events, but doesn't take any action if something happens.

So what alternatives did we have before the audit framework was committed? The audit framework was part of the TrustedBSD project, and before it was committed we could use some alternatives to try to log some of the events. We had stuff like ktrace, which can trace system calls, signal handling and so on, so we could imagine using it for monitoring system calls of various processes. Now we have DTrace, and DTrace of course also has the syscall provider, which can be used to log all the system calls used by interesting processes. We also have functionality called process accounting, which logs basically only executions, so if someone executes some command it will be logged using the accounting framework. And of course we have syslog, but from the security point of view it is pretty useless; I will get back to it.

So what audit can do is to provide fine-grained logging about the activity of users, daemons and other processes. For example, this slide basically lists what kind of information you can find in an audit record. This one is related to the execve system call, so you have the exact time when someone executed the command, you have the full path to the command, you have all the arguments of the command, you have some information about the executable, like inode ID, device and other information, and you also have information about the subject. The subject is the user performing the action, so we have the effective UID, the GID and so on, and what is interesting here is the audit UID, which is there to track the original user that performs a given action. So for example if a user logs in via SSH and then switches to root, and maybe to some other user, and maybe back again, the audit UID will point to the original user: for every single system call, no matter how many times I changed credentials, the audit UID will point to my original credentials, which were used to change credentials later.

Audit also has low overhead. Of course the number of events generated by the system is really huge, so the overhead could be significant, so one of the priorities was to make audit work with really small overhead. It has to be reliable; that's the requirement: if some event happens, for example someone executes a command or opens a file, it has to be logged. This is the difference from the other facilities I showed you: here we have a real guarantee that if something happened it will be logged, and this is very important. Actually records can be lost, but you can predict how many, because you can configure how auditd writes them out, because of course we don't want to write to the disk on every single event, as this would just destroy performance, but we can decide how many records we are willing to lose, and this is pretty important. In this way we can configure how often we want to sync the trail to disk, because of course if someone breaks in he can crash our system and we lose some of the logs, but hopefully not so many that we are no longer able to see what actually happened.

Audit is also configurable, which means that we can really decide on our own how detailed the information we want to log should be. For example, we don't want to log all the read system calls; we don't really care which parts of a file someone is reading, although we do want to log, for example, which files he opens for reading. We don't want to log every single stat system call where someone is just asking about the attributes of a file, but we do want to log when someone changes the ownership of a given file.

It is also trustworthy, which means that if the logs are there, we should know that nothing was changed in them. For example, with syslog users can generate logs, and this might or might not be used to trick the administrator into thinking that something happened or did not happen. In audit every single event is sent by the kernel, and events can also be generated by daemons, so we can trust that all the events are real and really happened.

So in the case of audit we have all those properties: we have only security-related events, we have the right information about those events, it is low overhead, it is reliable, it is fine-grained and configurable, and it is trustworthy. All the other alternatives don't really meet those requirements. For example ktrace can lose some of the events; you don't have guarantees that those events will be logged. Some of them don't provide enough information, like accounting, where you only have local executions. Some are not really low overhead, like ktrace; DTrace is advertised as very low overhead, but when compared to audit, audit has smaller overhead. Some of them are not reliable: you cannot predict how many records you can lose in case of a crash. You cannot configure them, or maybe only some of them. And of course you cannot trust what they generate.

So how can we use the generated audit records? Of course the first and most important use is postmortem analysis: if someone breaks in, we can actually track down what he was attempting to do and what he actually did, because most of the time if someone breaks into the system we reinstall it, which I think is probably what we should do, but we cannot see what the origin of the problem was. We could find which port let the attacker in, so we know for example if this was a bug in Apache, a bug in sshd, or in some other service. And another interesting use is intrusion detection, because audit provides a device in /dev, and you can read this device and get all the events from the kernel, so you can imagine an intrusion detection system that uses those logs and warns you about some unexpected activity.

The configuration of audit lives in the /etc/security directory, in the audit_control file, where you can decide what information you want to log and how detailed the logs should be. The audit record format is very simple; it comes from Solaris, via the BSM format, to which it is compliant. You have various tokens: you have a subject token, which is just the user credentials that were used to perform the action, and you have a return token, so you can see if a given action succeeded or not, because audit also logs all the events that failed, depending on configuration. And for example for execve you can see which command was executed
and with what arguments; for open you can see which files. If you were looking closely you could notice that there is a question mark next to "trustworthy" on the slide as well. So why is audit not really trustworthy, or why don't I think it is? Because the biggest problem with audit, and the reason why I started working on auditdistd, is that when you break into the system and you have root, you can simply erase the files from the audit directory, so you can just erase all tracks of your activity, or even worse, you can actually replace the logs, so you can for example trick the administrator into thinking that actually nothing happened.

So auditdistd is a project sponsored by the FreeBSD Foundation, and the basic goal is to distribute audit trail files to some other machine, which seems very easy, but it is not, actually. You have to do it in a secure manner: we don't want auditdistd to be a hole into another machine, we don't want the protocol it uses to let users break into our log collection machine and erase the logs there. It has to be reliable: we really want the logs to be distributed, we don't want to lose any logs, and we don't want any corruption on the way. And also, this was not a true requirement but for me it was very important, to ensure low latency: if an attacker breaks in and there is a way to block the logs anywhere, he can stop auditdistd or start sending garbage, but before he does that we want to send as many logs as we can, so we can act on them.

The first attempts were not promising. Some of the projects in FreeBSD had a curse, for example the system scheduler, which was there for many years and nobody could actually replace it; there were many attempts and finally we have ULE. We also had one file system for many years and there were many ports of other file systems, from Linux for example, but we couldn't break this curse. And it was similar with audit distribution: I know about three attempts to implement the daemon, but the curse didn't let people actually finish the work. So the curse is finally broken, OK.

So how does auditdistd actually work? We have two roles: it can act as a sender or as a receiver, which means it either sends the audit trail files or receives them and stores them locally. auditdistd is as independent as possible from auditd. auditd creates the trail file with a suffix meaning that the file is still open and the kernel is writing to it, and I had to extend auditd to also create a link in the dist directory. This allows auditdistd to be independent from auditd, because if we decide that we want to garbage collect trail files from the /var/audit directory, then we want to be sure that we don't remove the files before they are distributed. To do that, auditd manages its own link and auditdistd manages the link in the dist directory: once auditdistd distributes a file successfully, it just removes its link, and auditd decides when to remove the file locally. auditd also has to rename the file, because if we configure that the file has to be terminated once a given size is reached, we want to rename the file and start another one, so auditd renames the file in the dist directory as well, and auditdistd will remove the file when it is done distributing it.
This is how auditdistd looks inside. We have the parent process and we have the child processes. In the case of the sender, which sends trail files, every single connection has two children; those red boxes are sandboxed processes. We separated them because of course we want this whole traffic to be secure, and we use TLS to encrypt the traffic, but we can't really sandbox OpenSSL itself, so we want to sandbox the distribution logic separately, so all the encryption happens in a separate process, so that if there is a bug in OpenSSL itself the attacker shouldn't be able to erase the files that were already distributed. The sender itself is also sandboxed. The same goes for the receiver, and we can receive from many other machines into one central box which has all the logs, and it is also sandboxed.

So I use jail. If jail is not available, because the goal is that auditdistd is part of the OpenBSM package, which is available for Linux, Solaris and others, then I use chroot, so we change root to some empty directory that the process cannot write to. But jail is better, because in FreeBSD, if we jail, we can create a jail without access to the network, for example, or other resources. Of course we also drop privileges, and then we use Capsicum, which alone should be enough to sandbox the entire process, but Capsicum also may not be available, so we combine all those methods, and if we cannot, we just use some of them. OK.
So let's say we have a sender and a receiver, so the sender is sending all the audit records to the receiver, and let's say at some point someone breaks in. From that point in time we cannot trust the logs anymore, because they can be changed or modified, and of course the attacker can continue sending logs. But what we really want to avoid is that the sender, which is compromised now, could go back and modify the logs that are already on the receiver. So we try hard that such a thing will not be allowed, and what auditdistd guarantees is that you can find a place in your logs you can trust; so for example up to this point we know the logs were not modified. And we try to make it hard to jump from the sender to the receiver and get access to all the trail files.

The configuration is pretty simple. On the sender side we just point it at the receiver, we can provide a fingerprint of the certificate the receiver will use, and we have some password which will be used for authentication. On the receiver side we can configure many senders; we just provide the IP address and the password, which we use to authenticate both sides. OK.
That will be all from the presentation perspective. Do you have any questions about it?

So the question is if it is possible that one box is both the sender and the receiver. Yes, that's possible, so you can send the logs in both directions between the same machines, yes. I will repeat the questions so they are recorded.

So the question was which one is sandboxed, both the receiver and the sender or only one of them? Both are sandboxed, and both the TLS client on the sender and the server side are sandboxed, so yes.

So the question is if we could select some system calls which we consider very important and block until the record is on the disk and then actually do the system call. Currently there is no such possibility. So if we could select system calls which are very important for us, for example executions, so when execve is executed we wouldn't let the system call run until the log is written to disk. It's not possible now. We have a mechanism to actually stall the processes, because we have a queue, and when it is full the processes have to wait until it is done, so we could do that, but we would have to provide a way to configure this. From my practice it is really hard to actually tell which events are important; well, I'd say which are not important, but which are most important. But even for executions, if you compile, like build world, it would generate a huge amount of system calls, so you don't want to wait for each of them to be synced. And then it's not only about system calls but also about some other environment. Yeah, it's probably possible, but it's not there currently.
I'll show you the demo. OK, I have two machines, one plays the sender and one is the receiver; those two xterms on top represent one of them and those below the other. My audit is configured to log only executions, so I'll show you the low latency. If you could tell me which machine is the sender and which one is the receiver... For example I execute ls. I hope you don't see the difference. So basically I use kqueue in auditdistd, so we detect all the changes in the audit trail file, and we can really use very low latency to distribute the logs. Of course the problem here is that if we generate many more logs than our network connection can actually handle, we will eventually fall behind, and of course the question might be if we should stop the system and wait for the logs. We really don't want to do this, because if there is no connection we don't know for how long the other machine went away, when it will get back, or if it was compromised. So what happens when we fall behind is that the trail records will be sent in bigger chunks, because now we send them as they are coming, and if we lag behind the sender will pack them into bigger blocks and send them to the receiver.

And another interesting thing is that auditdistd doesn't really parse the audit records; you can probably send any file using auditdistd. For security reasons we don't parse the audit records, so eventual mistakes in parsing don't really matter. What does matter is that when we receive logs from a given machine, we store all the logs that are coming from this machine in its own directory, so we also can be sure that the logs are from this particular machine and not from some other machine.

The idea here was to put some kind of checksum on the records that come in, to extend the records with some kind of checksum that will be sent, but actually it would force us to parse the audit trail, and that is hard to do online. Any other questions? It is still not impossible. So the question is if we could use some kind of progressive signing scheme, is this correct? So every next record depends on the previous one. But the problem is that audit records can be very large; there is a different mode for events so they can be very large, but they don't necessarily have to be. And actually what we have is that we can compare both machines and we can see if the logs are the same, or basically just ignore the logs on the sender machine and always use the logs on the remote machine.

Yes, although we have different schedules for removing them, because auditdistd removes its link when the distribution is done, and auditd can remove the files, I don't know, when the disk space is almost full. Any other questions?

The question is where the code is. It's not in the tree yet, but it's in the OpenBSM Perforce branch. I will probably want to merge it to head really soon, and then I will probably deploy it on my company's machines. And actually there are quite a few people asking for this functionality and they are also waiting for this, so the code is complete, it is tested, so it shouldn't be long before it hits the tree. And it is very useful.

So the question is if the sandboxing here is auditdistd-specific or more general, like OpenSSL-specific. OpenSSL is so complex, and starting from my next project I will be working on Capsicum, so I will eventually look into trying to protect OpenSSL in a more general way. We, some developers, started listing all the tools that we would like to sandbox, because there are some that should be, and the list was very long, and OpenSSL is of course very hard, for various reasons: it's complex, it has... Exactly, so it's a huge amount of work, so I will look into it, probably later. Yeah, any other questions? Thank you very much.
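The hand-off through the dist directory, the rule that a compromised sender must not be able to rewrite what the receiver already holds, the bigger blocks sent when the sender lags, and the per-host directories on the receiver can all be seen in one small model. The Python below is an added example and is not code from auditdistd or OpenBSM; it models the behaviour the talk describes on local directories, with a plain byte offset standing in for the protocol's position tracking. The trail name, the record contents and the hostname are constructed, and a real trail would hold binary BSM tokens that this model, like auditdistd, never parses.

```python
import os
import tempfile

# Constructed sample records. Real trails hold binary BSM tokens; auditdistd
# deliberately never parses them, and neither does this model.
SAMPLE_RECORDS = [
    b"header:execve:/bin/ls\n",
    b"header:open:/etc/passwd\n",
    b"header:execve:/usr/bin/id\n",
]


class Receiver:
    """Keeps each sender's trails in its own directory and only ever appends."""

    def __init__(self, root):
        self.root = root

    def _path(self, host, name):
        host_dir = os.path.join(self.root, host)   # one directory per sender
        os.makedirs(host_dir, exist_ok=True)
        return os.path.join(host_dir, name)

    def receive(self, host, name, offset, data):
        """Accept data only if it extends the stored file exactly at its end.
        A sender compromised later can still append garbage, but it cannot
        go back and rewrite what was stored before the compromise."""
        path = self._path(host, name)
        size = os.path.getsize(path) if os.path.exists(path) else 0
        if offset != size:
            return False
        with open(path, "ab") as fh:
            fh.write(data)
        return True

    def stored(self, host, name):
        with open(self._path(host, name), "rb") as fh:
            return fh.read()


class Sender:
    """Reads trails through its own link in the dist directory."""

    def __init__(self, host, dist_dir, receiver):
        self.host, self.dist_dir, self.receiver = host, dist_dir, receiver
        self.offsets = {}  # trail name -> bytes already sent

    def poll(self, name):
        """Send everything written since the last poll as one block, so a
        sender that is lagging naturally sends bigger blocks. Returns bytes sent."""
        off = self.offsets.get(name, 0)
        with open(os.path.join(self.dist_dir, name), "rb") as fh:
            fh.seek(off)
            data = fh.read()
        if data and self.receiver.receive(self.host, name, off, data):
            self.offsets[name] = off + len(data)
            return len(data)
        return 0

    def done(self, name):
        """Trail fully distributed: drop only our link. auditd's own link in
        the audit directory decides when the file really disappears."""
        os.unlink(os.path.join(self.dist_dir, name))


def auditd_append(audit_dir, dist_dir, name, record):
    """Model of auditd writing a record and linking a new trail into dist/."""
    path = os.path.join(audit_dir, name)
    is_new = not os.path.exists(path)
    with open(path, "ab") as fh:
        fh.write(record)
    if is_new:
        os.link(path, os.path.join(dist_dir, name))


def demo():
    """Run the model end to end and return the observable outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        audit_dir, dist_dir, recv_dir = (os.path.join(tmp, d) for d in ("audit", "dist", "recv"))
        for d in (audit_dir, dist_dir, recv_dir):
            os.mkdir(d)
        receiver = Receiver(recv_dir)
        sender = Sender("host-a", dist_dir, receiver)
        trail = "20120101000000.not_terminated"  # hypothetical trail name

        auditd_append(audit_dir, dist_dir, trail, SAMPLE_RECORDS[0])
        first = sender.poll(trail)            # keeping up: one record per block
        auditd_append(audit_dir, dist_dir, trail, SAMPLE_RECORDS[1])
        auditd_append(audit_dir, dist_dir, trail, SAMPLE_RECORDS[2])
        lagging = sender.poll(trail)          # lagging: two records in one block

        # A now-compromised sender tries to rewrite the first record on the receiver.
        rewrite_ok = receiver.receive("host-a", trail, 0, b"header:execve:/bin/true\n")
        intact = receiver.stored("host-a", trail) == b"".join(SAMPLE_RECORDS)

        sender.done(trail)
        dist_gone = not os.path.exists(os.path.join(dist_dir, trail))
        audit_kept = os.path.exists(os.path.join(audit_dir, trail))
        return {"first": first, "lagging": lagging, "rewrite_ok": rewrite_ok,
                "intact": intact, "dist_gone": dist_gone, "audit_kept": audit_kept,
                "per_host_dir": os.path.isdir(os.path.join(recv_dir, "host-a"))}


if __name__ == "__main__":
    print(demo())
```

The receiver's check is the whole point: it compares the sender's claimed offset with the size it already holds and refuses anything that is not a strict append, which is what lets you pick a point in the stored trail and trust everything before it. The two hard links show why auditd and auditdistd can garbage collect on independent schedules: the sender dropping its link does not remove the trail from the audit directory.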